2020-04-20 05:47:00

by Xiyu Yang

Subject: [PATCH] drm/i915/selftests: Fix i915_address_space refcnt leak

igt_ppgtt_pin_update() invokes i915_gem_context_get_vm_rcu(), which
returns a reference of the i915_address_space object to "vm" with
increased refcount.

When igt_ppgtt_pin_update() returns, "vm" becomes invalid, so the
refcount should be decreased to keep refcount balanced.

The reference counting issue happens in two exception handling paths of
igt_ppgtt_pin_update(). When i915_gem_object_create_internal() returns
IS_ERR, the refcnt increased by i915_gem_context_get_vm_rcu() is not
decreased, causing a refcnt leak.

Fix this issue by jumping to "out_vm" label when
i915_gem_object_create_internal() returns IS_ERR.

Fixes: 4049866f0913 ("drm/i915/selftests: huge page tests")
Signed-off-by: Xiyu Yang <[email protected]>
Signed-off-by: Xin Tan <[email protected]>
---
drivers/gpu/drm/i915/gem/selftests/huge_pages.c | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/drivers/gpu/drm/i915/gem/selftests/huge_pages.c b/drivers/gpu/drm/i915/gem/selftests/huge_pages.c
index 9311250d7d6f..7a7763be6b2e 100644
--- a/drivers/gpu/drm/i915/gem/selftests/huge_pages.c
+++ b/drivers/gpu/drm/i915/gem/selftests/huge_pages.c
@@ -1578,8 +1578,10 @@ static int igt_ppgtt_pin_update(void *arg)
unsigned int page_size = BIT(first);

obj = i915_gem_object_create_internal(dev_priv, page_size);
- if (IS_ERR(obj))
- return PTR_ERR(obj);
+ if (IS_ERR(obj)) {
+ err = PTR_ERR(obj);
+ goto out_vm;
+ }

vma = i915_vma_instance(obj, vm, NULL);
if (IS_ERR(vma)) {
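Review bot: The new "goto out_vm" in the first IS_ERR(obj) branch depends on a label that is outside the visible context, so the hunk alone does not show that out_vm drops the vm reference and then returns err. Please confirm that nothing between out_vm and the return overwrites err, and that the label does not touch obj, which holds an ERR_PTR value at this point. A short sentence in the commit message saying what out_vm releases would let a reader check the fix without opening the file.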
@@ -1632,8 +1634,10 @@ static int igt_ppgtt_pin_update(void *arg)
}

obj = i915_gem_object_create_internal(dev_priv, PAGE_SIZE);
- if (IS_ERR(obj))
- return PTR_ERR(obj);
+ if (IS_ERR(obj)) {
+ err = PTR_ERR(obj);
+ goto out_vm;
+ }

vma = i915_vma_instance(obj, vm, NULL);
if (IS_ERR(vma)) {
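Review bot: The second IS_ERR(obj) branch (the PAGE_SIZE allocation) gets the same fix, but the "if (IS_ERR(vma)) {" branch in the trailing context is cut off, so the diff does not show whether the i915_vma_instance() failure paths also reach out_vm. The commit message counts only two leaking paths, so it is worth checking the remaining exits of igt_ppgtt_pin_update() and saying in the message that they already release vm. As a style point, the four-line block "err = PTR_ERR(obj); goto out_vm;" is now duplicated in both hunks; that is fine for a selftest, but keep the two copies identical so that later changes to the unwind order stay in sync.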
--
2.7.4


2020-04-20 19:15:12

by Chris Wilson

Subject: Re: [PATCH] drm/i915/selftests: Fix i915_address_space refcnt leak

Quoting Xiyu Yang (2020-04-20 06:41:54)
> igt_ppgtt_pin_update() invokes i915_gem_context_get_vm_rcu(), which
> returns a reference of the i915_address_space object to "vm" with
> increased refcount.
>
> When igt_ppgtt_pin_update() returns, "vm" becomes invalid, so the
> refcount should be decreased to keep refcount balanced.
>
> The reference counting issue happens in two exception handling paths of
> igt_ppgtt_pin_update(). When i915_gem_object_create_internal() returns
> IS_ERR, the refcnt increased by i915_gem_context_get_vm_rcu() is not
> decreased, causing a refcnt leak.
>
> Fix this issue by jumping to "out_vm" label when
> i915_gem_object_create_internal() returns IS_ERR.
>
> Fixes: 4049866f0913 ("drm/i915/selftests: huge page tests")

Actually,
Fixes: a4e7ccdac38e ("drm/i915: Move context management under GEM")

> Signed-off-by: Xiyu Yang <[email protected]>
> Signed-off-by: Xin Tan <[email protected]>

Other than that,
Reviewed-by: Chris Wilson <[email protected]>
-Chris