eb_destroy currently cleans up the refcounts for all the VMAs done at lookup. Currently eb_lookup_vmas cleans up all the *objects* we've looked up. There exists a period of time when we under severe memory pressure, the VMA creation will fail, and fall into our exit path. When the above event occurs, the object list, and eb->vma list are not equal, the latter being a subset of the former. As we attempt to clean up the refcounts on the error path we have the potential to decrement the refcount by one extra here. commit 27173f1f95db5e74ceb35fe9a2f2f348ea11bac9 Author: Ben Widawsky <ben@xxxxxxxxxxxx> Date: Wed Aug 14 11:38:36 2013 +0200 drm/i915: Convert execbuf code to use vmas NOTE: A patch purporting the same results exists from Chris written to address a quibble he had with something or other in this patch. I have not tested that patch, but if it does the same thing I don't care which is used. Cc: stable@xxxxxxxxxxxxxxx Cc: Chris Wilson <chris@xxxxxxxxxxxxxxxxxx> Signed-off-by: Ben Widawsky <ben@xxxxxxxxxxxx> --- drivers/gpu/drm/i915/i915_gem_execbuffer.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/drivers/gpu/drm/i915/i915_gem_execbuffer.c b/drivers/gpu/drm/i915/i915_gem_execbuffer.c index f0c590e..cdab6e4 100644 --- a/drivers/gpu/drm/i915/i915_gem_execbuffer.c +++ b/drivers/gpu/drm/i915/i915_gem_execbuffer.c @@ -157,6 +157,13 @@ eb_lookup_vmas(struct eb_vmas *eb, out: + /* eb_vmas are cleaned up by destroy. Others are not */ + if (ret) { + struct i915_vma *vma; + list_for_each_entry(vma, &eb->vmas, exec_list) + list_del(&vma->obj->obj_exec_link); + } + while (!list_empty(&objects)) { obj = list_first_entry(&objects, struct drm_i915_gem_object, -- 1.8.4.2 -- To unsubscribe from this list: send the line "unsubscribe stable" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html