Quoting Janusz Krzysztofik (2019-07-24 16:05:25)
> When using GuC submission, some execlists originated helper functions
> are reused.  One of them, used inside guc_reset() and
> guc_cancel_requests() callbacks introduced by commit 292ad25c22d9
> ("drm/i915/guc: Implement reset locally"), unfortunately calls
> execlists_schedule_out() helper instead of its GuC specific equivalent.
> As execlists functions maintain context references for themselves, that
> helper releases a context associated with a request being processed as
> soon as the context inflight queue becomes empty.  Since GuC submission
> doesn't keep extra context references, possibly still active contexts
> may be released prematurely, resulting in kernel panic.

Fwiw, that rq->context->inflight = NULL in schedule_out() is not
protected against a dangling dereference. Which, if you are not falling
into the execlists trap, you can remove entirely to avoid the potential
use-after-free.
-Chris
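The ordering problem Chris points at (dropping the last context reference and then writing to `rq->context->inflight`) can be shown without any i915 code. The following is an added example written for this page, not code from the thread or from the driver: a constructed toy model with hypothetical names (`struct ctx`, `struct request`, `ctx_get`/`ctx_put`, `clear_inflight`, `schedule_out_unsafe`, `schedule_out_safe`, `demo`). Releasing a context sets a `freed` flag instead of calling `free()`, so a later access is reported as a return value rather than being undefined behaviour. The `demo` function models both a backend that takes its own reference while a context is queued and one that does not, with either ordering of the put and the dereference.

```c
#include <stdio.h>

/*
 * Constructed toy model, not i915 code: a context whose lifetime is
 * controlled by a reference count, and a request that points at it.
 * Instead of calling free(), releasing a context sets `freed`, so a
 * later access can be detected and reported instead of being undefined
 * behaviour.
 */
struct ctx {
    int refcount;
    int inflight;  /* nonzero while the context sits on a backend queue */
    int freed;     /* demonstration only: set when the last ref is dropped */
};

struct request {
    struct ctx *context;
};

static void ctx_get(struct ctx *c)
{
    c->refcount++;
}

/* Drops one reference; releases the context when the count reaches zero. */
static void ctx_put(struct ctx *c)
{
    if (--c->refcount == 0)
        c->freed = 1;  /* real code would free the object here */
}

/*
 * Clears the inflight marker and returns 1 if the write landed on an
 * already released context, i.e. what would be a use-after-free.
 */
static int clear_inflight(struct ctx *c)
{
    c->inflight = 0;
    return c->freed;
}

/*
 * Unsafe ordering: the reference is dropped first and the context is
 * dereferenced afterwards. Harmless only while someone else still holds
 * a reference on the context; a dangling write otherwise.
 */
static int schedule_out_unsafe(struct request *rq)
{
    struct ctx *c = rq->context;

    ctx_put(c);
    return clear_inflight(c);
}

/*
 * Safe ordering: touch the context while the reference is still held,
 * detach the request from it, and drop the reference last.
 */
static int schedule_out_safe(struct request *rq)
{
    struct ctx *c = rq->context;
    int dangling = clear_inflight(c);

    rq->context = NULL;
    ctx_put(c);
    return dangling;
}

/*
 * Runs one scenario and returns 1 if a dangling access occurred.
 * backend_holds_extra_ref models a submission path that takes its own
 * reference on the context while it is queued; use_safe_ordering selects
 * which schedule-out helper is called.
 */
static int demo(int backend_holds_extra_ref, int use_safe_ordering)
{
    struct ctx c = { .refcount = 1, .inflight = 1, .freed = 0 };
    struct request rq = { .context = &c };

    if (backend_holds_extra_ref)
        ctx_get(&c);

    return use_safe_ordering ? schedule_out_safe(&rq)
                             : schedule_out_unsafe(&rq);
}

int main(void)
{
    printf("no extra ref, unsafe ordering: dangling=%d\n", demo(0, 0));
    printf("extra ref,    unsafe ordering: dangling=%d\n", demo(1, 0));
    printf("no extra ref, safe ordering:   dangling=%d\n", demo(0, 1));
    return 0;
}
```

Only the combination of "no extra reference" and "put before dereference" reports a dangling access, which is the situation the quoted commit message describes: the helper was written for a backend that holds its own reference, and reusing it from a backend that does not turns the trailing write into a use-after-free. Clearing the back-pointer before the final put removes the dependency on who else happens to hold a reference.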
_______________________________________________
Intel-gfx mailing list
Intel-gfx@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/intel-gfx