1c8782dd31
If we allow the user to convert a GTT mmap address into a userptr, we may end up in recursion hell, where currently we hit a mutex deadlock but other possibilities include use-after-free during the unbind/cancel_userptr. [ 143.203989] gem_userptr_bli D 0 902 898 0x00000000 [ 143.204054] Call Trace: [ 143.204137] __schedule+0x511/0x1180 [ 143.204195] ? pci_mmcfg_check_reserved+0xc0/0xc0 [ 143.204274] schedule+0x57/0xe0 [ 143.204327] schedule_timeout+0x383/0x670 [ 143.204374] ? trace_hardirqs_on_caller+0x187/0x280 [ 143.204457] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 143.204507] ? usleep_range+0x110/0x110 [ 143.204657] ? irq_exit+0x89/0x100 [ 143.204710] ? retint_kernel+0x2d/0x2d [ 143.204794] ? trace_hardirqs_on_caller+0x187/0x280 [ 143.204857] ? _raw_spin_unlock_irq+0x33/0x60 [ 143.204944] wait_for_common+0x1f0/0x2f0 [ 143.205006] ? out_of_line_wait_on_atomic_t+0x170/0x170 [ 143.205103] ? wake_up_q+0xa0/0xa0 [ 143.205159] ? flush_workqueue_prep_pwqs+0x15a/0x2c0 [ 143.205237] wait_for_completion+0x1d/0x20 [ 143.205292] flush_workqueue+0x2e9/0xbb0 [ 143.205339] ? flush_workqueue+0x163/0xbb0 [ 143.205418] ? __schedule+0x533/0x1180 [ 143.205498] ? check_flush_dependency+0x1a0/0x1a0 [ 143.205681] i915_gem_userptr_mn_invalidate_range_start+0x1c7/0x270 [i915] [ 143.205865] ? i915_gem_userptr_dmabuf_export+0x40/0x40 [i915] [ 143.205955] __mmu_notifier_invalidate_range_start+0xc6/0x120 [ 143.206044] ? __mmu_notifier_invalidate_range_start+0x51/0x120 [ 143.206123] zap_page_range_single+0x1c7/0x1f0 [ 143.206171] ? unmap_single_vma+0x160/0x160 [ 143.206260] ? unmap_mapping_range+0xa9/0x1b0 [ 143.206308] ? vma_interval_tree_subtree_search+0x75/0xd0 [ 143.206397] unmap_mapping_range+0x18f/0x1b0 [ 143.206444] ? zap_vma_ptes+0x70/0x70 [ 143.206524] ? __pm_runtime_resume+0x67/0xa0 [ 143.206723] i915_gem_release_mmap+0x1ba/0x1c0 [i915] [ 143.206846] i915_vma_unbind+0x5c2/0x690 [i915] [ 143.206925] ? 
__lock_is_held+0x52/0x100 [ 143.207076] i915_gem_object_set_tiling+0x1db/0x650 [i915] [ 143.207236] i915_gem_set_tiling_ioctl+0x1d3/0x3b0 [i915] [ 143.207377] ? i915_gem_set_tiling_ioctl+0x5/0x3b0 [i915] [ 143.207457] drm_ioctl+0x36c/0x670 [ 143.207535] ? debug_lockdep_rcu_enabled.part.0+0x1a/0x30 [ 143.207730] ? i915_gem_object_set_tiling+0x650/0x650 [i915] [ 143.207793] ? drm_getunique+0x120/0x120 [ 143.207875] ? __handle_mm_fault+0x996/0x14a0 [ 143.207939] ? vm_insert_page+0x340/0x340 [ 143.208028] ? up_write+0x28/0x50 [ 143.208086] ? vm_mmap_pgoff+0x160/0x190 [ 143.208163] do_vfs_ioctl+0x12c/0xa60 [ 143.208218] ? debug_lockdep_rcu_enabled+0x35/0x40 [ 143.208267] ? ioctl_preallocate+0x150/0x150 [ 143.208353] ? __do_page_fault+0x36a/0x6e0 [ 143.208400] ? mark_held_locks+0x23/0xc0 [ 143.208479] ? up_read+0x1f/0x40 [ 143.208526] ? entry_SYSCALL_64_fastpath+0x5/0xc6 [ 143.208669] ? __fget_light+0xa7/0xc0 [ 143.208747] SyS_ioctl+0x41/0x70 To prevent the possibility of a deadlock, we defer scheduling the worker until after we have proven that, given the current mm, the userptr range does not overlap a GGTT mmapping. If another thread tries to remap the GGTT over the userptr before the worker is scheduled, it will be stopped by its invalidate-range flushing the current work, before the deadlock can occur. v2: Improve discussion of how we end up in the deadlock. v3: Don't forget to mark the userptr as active after a successful gup_fast. Rename overlaps_ggtt to noncontiguous_or_overlaps_ggtt. 
v4: Fix test ordering between invalid GTT mmapping and range completion (Tvrtko) Reported-by: Michał Winiarski <michal.winiarski@intel.com> Testcase: igt/gem_userptr_blits/map-fixed-invalidate-gup Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk> Cc: Michał Winiarski <michal.winiarski@intel.com> Cc: Tvrtko Ursulin <tvrtko.ursulin@intel.com> Link: http://patchwork.freedesktop.org/patch/msgid/20170308215903.24171-1-chris@chris-wilson.co.uk Reviewed-by: Tvrtko Ursulin <tvrtko.ursulin@intel.com> |
||
---|---|---|
gvt | ||
selftests | ||
dvo_ch7xxx.c | ||
dvo_ch7017.c | ||
dvo_ivch.c | ||
dvo_ns2501.c | ||
dvo_sil164.c | ||
dvo_tfp410.c | ||
dvo.h | ||
i915_cmd_parser.c | ||
i915_debugfs.c | ||
i915_drv.c | ||
i915_drv.h | ||
i915_gem_batch_pool.c | ||
i915_gem_batch_pool.h | ||
i915_gem_clflush.c | ||
i915_gem_clflush.h | ||
i915_gem_context.c | ||
i915_gem_context.h | ||
i915_gem_dmabuf.c | ||
i915_gem_evict.c | ||
i915_gem_execbuffer.c | ||
i915_gem_fence_reg.c | ||
i915_gem_fence_reg.h | ||
i915_gem_gtt.c | ||
i915_gem_gtt.h | ||
i915_gem_internal.c | ||
i915_gem_object.h | ||
i915_gem_render_state.c | ||
i915_gem_render_state.h | ||
i915_gem_request.c | ||
i915_gem_request.h | ||
i915_gem_shrinker.c | ||
i915_gem_stolen.c | ||
i915_gem_tiling.c | ||
i915_gem_timeline.c | ||
i915_gem_timeline.h | ||
i915_gem_userptr.c | ||
i915_gem.c | ||
i915_gem.h | ||
i915_gpu_error.c | ||
i915_guc_reg.h | ||
i915_guc_submission.c | ||
i915_ioc32.c | ||
i915_irq.c | ||
i915_memcpy.c | ||
i915_mm.c | ||
i915_oa_hsw.c | ||
i915_oa_hsw.h | ||
i915_params.c | ||
i915_params.h | ||
i915_pci.c | ||
i915_perf.c | ||
i915_pvinfo.h | ||
i915_reg.h | ||
i915_selftest.h | ||
i915_suspend.c | ||
i915_sw_fence.c | ||
i915_sw_fence.h | ||
i915_sysfs.c | ||
i915_trace_points.c | ||
i915_trace.h | ||
i915_utils.h | ||
i915_vgpu.c | ||
i915_vgpu.h | ||
i915_vma.c | ||
i915_vma.h | ||
intel_acpi.c | ||
intel_atomic_plane.c | ||
intel_atomic.c | ||
intel_audio.c | ||
intel_bios.c | ||
intel_bios.h | ||
intel_breadcrumbs.c | ||
intel_cdclk.c | ||
intel_color.c | ||
intel_crt.c | ||
intel_csr.c | ||
intel_ddi.c | ||
intel_device_info.c | ||
intel_display.c | ||
intel_dp_aux_backlight.c | ||
intel_dp_link_training.c | ||
intel_dp_mst.c | ||
intel_dp.c | ||
intel_dpio_phy.c | ||
intel_dpll_mgr.c | ||
intel_dpll_mgr.h | ||
intel_drv.h | ||
intel_dsi_dcs_backlight.c | ||
intel_dsi_pll.c | ||
intel_dsi_vbt.c | ||
intel_dsi.c | ||
intel_dsi.h | ||
intel_dvo.c | ||
intel_engine_cs.c | ||
intel_fbc.c | ||
intel_fbdev.c | ||
intel_fifo_underrun.c | ||
intel_frontbuffer.c | ||
intel_frontbuffer.h | ||
intel_guc_fwif.h | ||
intel_guc_loader.c | ||
intel_guc_log.c | ||
intel_gvt.c | ||
intel_gvt.h | ||
intel_hangcheck.c | ||
intel_hdmi.c | ||
intel_hotplug.c | ||
intel_huc.c | ||
intel_i2c.c | ||
intel_lpe_audio.c | ||
intel_lrc.c | ||
intel_lrc.h | ||
intel_lspcon.c | ||
intel_lvds.c | ||
intel_mocs.c | ||
intel_mocs.h | ||
intel_modes.c | ||
intel_opregion.c | ||
intel_overlay.c | ||
intel_panel.c | ||
intel_pipe_crc.c | ||
intel_pm.c | ||
intel_psr.c | ||
intel_renderstate_gen6.c | ||
intel_renderstate_gen7.c | ||
intel_renderstate_gen8.c | ||
intel_renderstate_gen9.c | ||
intel_renderstate.h | ||
intel_ringbuffer.c | ||
intel_ringbuffer.h | ||
intel_runtime_pm.c | ||
intel_sdvo_regs.h | ||
intel_sdvo.c | ||
intel_sideband.c | ||
intel_sprite.c | ||
intel_tv.c | ||
intel_uc.c | ||
intel_uc.h | ||
intel_uncore.c | ||
intel_vbt_defs.h | ||
Kconfig | ||
Kconfig.debug | ||
Makefile |