---
- branch: MAIN
  date: Tue Feb 15 18:14:18 UTC 2022
  files:
  - new: '1.12'
    old: '1.11'
    path: src/sys/external/bsd/drm2/dist/drm/i915/i915_active.c
    pathrev: src/sys/external/bsd/drm2/dist/drm/i915/i915_active.c@1.12
    type: modified
  id: 20220215T181418Z.5d52504c0cc83f1359be1aae628c6f0ed2bbeaf8
  log: |
    Revert "i915: Defer final wakeup on active until after retirement."

    This reverts i915_active.c 1.11.

    ref->retire might free the object, so touching it is not allowed --
    that would use-after-free.  Linux uses the object only for its
    address with wake_up_var.

    The reason I made this change was that I guessed i915_active_wait has
    to wait until after ref->retire finishes -- after all, Linux seems to
    defer the wakeup until then.

    However, even the Linux code doesn't guarantee this, because
    i915_active_wait could be called _during_ ref->retire, and would
    witness ref->count == 0, and would not wait until it has completed in
    that case.

    So maybe my guess was wrong, and it is OK for i915_active_wait to
    return while ref->retire is still in flight -- I don't see any logic
    that obviously requires it to wait for ref->retire, in any case.

    Or maybe something does rely on i915_active_wait to wait for
    ref->retire to finish, in which case we need a different mechanism
    for i915_active_release itself to wait until i915_active_retire has
    woken up, without dereferencing ref since it might be dead after
    ref->retire.
  module: src
  subject: 'CVS commit: src/sys/external/bsd/drm2/dist/drm/i915'
  unixtime: '1644948858'
  user: riastradh