From: Chris Wilson <chris@chris-wilson.co.uk>
Date: Tue, 25 Feb 2014 14:23:28 +0000 (+0000)
Subject: drm/i915: Reset vma->mm_list after unbinding
X-Git-Tag: firefly_0821_release~176^2~3773^2~63^2~283
X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=64bf930379ac8097705db7d40602c2aa9ec0d2f4;p=firefly-linux-kernel-4.4.55.git

drm/i915: Reset vma->mm_list after unbinding

In place of true activity counting, we walk the list of vma associated
with an object managing each on the vm's active/inactive list everytime
we call move-to-inactive. This depends upon the vma->mm_list being
cleared after unbinding, or else we run into difficulty when tracking
the object in multiple vm's - we see a use-after free and corruption of
the mm_list.

Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Cc: Ben Widawsky <ben@bwidawsk.net>
Reviewed-by: Ben Widawsky <ben@bwidawsk.net>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
---

diff --git a/drivers/gpu/drm/i915/i915_gem.c b/drivers/gpu/drm/i915/i915_gem.c
index 0ec1080b1912..b41ead633963 100644
--- a/drivers/gpu/drm/i915/i915_gem.c
+++ b/drivers/gpu/drm/i915/i915_gem.c
@@ -2739,7 +2739,7 @@ int i915_vma_unbind(struct i915_vma *vma)
 
 	i915_gem_gtt_finish_object(obj);
 
-	list_del(&vma->mm_list);
+	list_del_init(&vma->mm_list);
 	/* Avoid an unnecessary call to unbind on rebind. */
 	if (i915_is_ggtt(vma->vm))
 		obj->map_and_fenceable = true;