linux/drivers/gpu/drm
Chris Wilson cb399eabc4 drm/i915: Avoid accessing request->timeline outside of its lifetime

Whilst waiting on a request, we may do so without holding any locks or
any guards beyond a reference to the request. In order to avoid taking
locks within request deallocation, we drop references to its timeline
(via the context and ppgtt) upon retirement. We should avoid chasing
such pointers outside of their control, in particular we inspect the
request->timeline to see if we may restore the RPS waitboost for a
client. If we instead look at the engine->timeline, we will have similar
behaviour on both full-ppgtt and !full-ppgtt systems and reduce the
amount of reward we give towards stalling clients (i.e. only if the
client stalls and the GPU is uncontended does it reclaim its boost).
This restores behaviour back to pre-timelines, whilst fixing:

[  645.078485] BUG: KASAN: use-after-free in i915_gem_object_wait_fence+0x1ee/0x2e0 at addr ffff8802335643a0
[  645.078577] Read of size 4 by task gem_exec_schedu/28408
[  645.078638] CPU: 1 PID: 28408 Comm: gem_exec_schedu Not tainted 4.9.0-rc2+ #64
[  645.078724] Hardware name:                  /        , BIOS PYBSWCEL.86A.0027.2015.0507.1758 05/07/2015
[  645.078816]  ffff88022daef9a0 ffffffff8143d059 ffff880235402a80 ffff880233564200
[  645.078998]  ffff88022daef9c8 ffffffff81229c5c ffff88022daefa48 ffff880233564200
[  645.079172]  ffff880235402a80 ffff88022daefa38 ffffffff81229ef0 000000008110a796
[  645.079345] Call Trace:
[  645.079404]  [<ffffffff8143d059>] dump_stack+0x68/0x9f
[  645.079467]  [<ffffffff81229c5c>] kasan_object_err+0x1c/0x70
[  645.079534]  [<ffffffff81229ef0>] kasan_report_error+0x1f0/0x4b0
[  645.079601]  [<ffffffff8122a244>] kasan_report+0x34/0x40
[  645.079676]  [<ffffffff81634f5e>] ? i915_gem_object_wait_fence+0x1ee/0x2e0
[  645.079741]  [<ffffffff81229951>] __asan_load4+0x61/0x80
[  645.079807]  [<ffffffff81634f5e>] i915_gem_object_wait_fence+0x1ee/0x2e0
[  645.079876]  [<ffffffff816364bf>] i915_gem_object_wait+0x19f/0x590
[  645.079944]  [<ffffffff81636320>] ? i915_gem_object_wait_priority+0x500/0x500
[  645.080016]  [<ffffffff8110fb30>] ? debug_show_all_locks+0x1e0/0x1e0
[  645.080084]  [<ffffffff8110abdc>] ? check_chain_key+0x14c/0x210
[  645.080157]  [<ffffffff8110a796>] ? __lock_is_held+0x46/0xc0
[  645.080226]  [<ffffffff8163bc61>] ? i915_gem_set_domain_ioctl+0x141/0x690
[  645.080296]  [<ffffffff8163bcc2>] i915_gem_set_domain_ioctl+0x1a2/0x690
[  645.080366]  [<ffffffff811f8f85>] ? __might_fault+0x75/0xe0
[  645.080433]  [<ffffffff815a55f7>] drm_ioctl+0x327/0x640
[  645.080508]  [<ffffffff8163bb20>] ? i915_gem_obj_prepare_shmem_write+0x3a0/0x3a0
[  645.080603]  [<ffffffff815a52d0>] ? drm_ioctl_permit+0x120/0x120
[  645.080670]  [<ffffffff8110abdc>] ? check_chain_key+0x14c/0x210
[  645.080738]  [<ffffffff81275717>] do_vfs_ioctl+0x127/0xa20
[  645.080804]  [<ffffffff8120268c>] ? do_mmap+0x47c/0x580
[  645.080871]  [<ffffffff811da567>] ? vm_mmap_pgoff+0x117/0x140
[  645.080938]  [<ffffffff812755f0>] ? ioctl_preallocate+0x150/0x150
[  645.081011]  [<ffffffff81108c53>] ? up_write+0x23/0x50
[  645.081078]  [<ffffffff811da567>] ? vm_mmap_pgoff+0x117/0x140
[  645.081145]  [<ffffffff811da450>] ? vma_is_stack_for_current+0x90/0x90
[  645.081214]  [<ffffffff8110d853>] ? mark_held_locks+0x23/0xc0
[  645.082030]  [<ffffffff81288408>] ? __fget+0x168/0x250
[  645.082106]  [<ffffffff819ad517>] ? entry_SYSCALL_64_fastpath+0x5/0xb1
[  645.082176]  [<ffffffff81288592>] ? __fget_light+0xa2/0xc0
[  645.082242]  [<ffffffff8127604c>] SyS_ioctl+0x3c/0x70
[  645.082309]  [<ffffffff819ad52e>] entry_SYSCALL_64_fastpath+0x1c/0xb1
[  645.082374] Object at ffff880233564200, in cache kmalloc-8192 size: 8192
[  645.082431] Allocated:
[  645.082480] PID = 28408
[  645.082535]  [  645.082566] [<ffffffff8103ae66>] save_stack_trace+0x16/0x20
[  645.082623]  [  645.082656] [<ffffffff81228b06>] save_stack+0x46/0xd0
[  645.082716]  [  645.082756] [<ffffffff812292fd>] kasan_kmalloc+0xad/0xe0
[  645.082817]  [  645.082848] [<ffffffff81631752>] i915_ppgtt_create+0x52/0x220
[  645.082908]  [  645.082941] [<ffffffff8161db96>] i915_gem_create_context+0x396/0x560
[  645.083027]  [  645.083059] [<ffffffff8161f857>] i915_gem_context_create_ioctl+0x97/0xf0
[  645.083152]  [  645.083183] [<ffffffff815a55f7>] drm_ioctl+0x327/0x640
[  645.083243]  [  645.083274] [<ffffffff81275717>] do_vfs_ioctl+0x127/0xa20
[  645.083334]  [  645.083372] [<ffffffff8127604c>] SyS_ioctl+0x3c/0x70
[  645.083432]  [  645.083464] [<ffffffff819ad52e>] entry_SYSCALL_64_fastpath+0x1c/0xb1
[  645.083551] Freed:
[  645.083599] PID = 27629
[  645.083648]  [  645.083676] [<ffffffff8103ae66>] save_stack_trace+0x16/0x20
[  645.083738]  [  645.083770] [<ffffffff81228b06>] save_stack+0x46/0xd0
[  645.083830]  [  645.083862] [<ffffffff81229203>] kasan_slab_free+0x73/0xc0
[  645.083922]  [  645.083961] [<ffffffff812279c9>] kfree+0xa9/0x170
[  645.084021]  [  645.084053] [<ffffffff81629f60>] i915_ppgtt_release+0x100/0x180
[  645.084139]  [  645.084171] [<ffffffff8161d414>] i915_gem_context_free+0x1b4/0x230
[  645.084257]  [  645.084288] [<ffffffff816537b2>] intel_lr_context_unpin+0x192/0x230
[  645.084380]  [  645.084413] [<ffffffff81645250>] i915_gem_request_retire+0x620/0x630
[  645.084500]  [  645.085226] [<ffffffff816473d1>] i915_gem_retire_requests+0x181/0x280
[  645.085313]  [  645.085352] [<ffffffff816352ba>] i915_gem_retire_work_handler+0xca/0xe0
[  645.085440]  [  645.085471] [<ffffffff810c725b>] process_one_work+0x4fb/0x920
[  645.085532]  [  645.085562] [<ffffffff810c770d>] worker_thread+0x8d/0x840
[  645.085622]  [  645.085653] [<ffffffff810d21e5>] kthread+0x185/0x1b0
[  645.085718]  [  645.085750] [<ffffffff819ad7a7>] ret_from_fork+0x27/0x40
[  645.085811] Memory state around the buggy address:
[  645.085869]  ffff880233564280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  645.085956]  ffff880233564300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  645.086053] >ffff880233564380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  645.086138]                                ^
[  645.086193]  ffff880233564400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  645.086283]  ffff880233564480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb

v2: Add a comment to document the hint-like nature of
 intel_engine_last_submit()

Fixes: 73cb97010d ("drm/i915: Combine seqno + tracking into a global timeline struct")
Fixes: 80b204bce8 ("drm/i915: Enable multiple timelines")
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Cc: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
Reviewed-by: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
Link: http://patchwork.freedesktop.org/patch/msgid/20161101100317.11129-1-chris@chris-wilson.co.uk
2016-11-01 10:48:40 +00:00
..
amd Merge tag 'topic/drm-misc-2016-10-27' of git://anongit.freedesktop.org/git/drm-intel into drm-next 2016-10-28 11:33:52 +10:00
arc drm: Don't swallow error codes in drm_dev_alloc() 2016-09-22 04:03:48 -07:00
arm drm: convert DT component matching to component_match_add_release() 2016-10-25 11:52:38 -04:00
armada drm: convert DT component matching to component_match_add_release() 2016-10-25 11:52:38 -04:00
ast drm/ttm: make eviction decision a driver callback v2 2016-10-25 14:44:04 -04:00
atmel-hlcdc drm/atmel-hlcdc: Use per-plane rotation property 2016-10-21 18:24:09 +02:00
bochs drm/ttm: make eviction decision a driver callback v2 2016-10-25 14:44:04 -04:00
bridge drm/bridge: fix platform_no_drv_owner.cocci warnings 2016-10-27 11:35:23 +05:30
cirrus drm/ttm: make eviction decision a driver callback v2 2016-10-25 14:44:04 -04:00
etnaviv drm: convert DT component matching to component_match_add_release() 2016-10-25 11:52:38 -04:00
exynos Merge tag 'topic/drm-misc-2016-10-24' of git://anongit.freedesktop.org/drm-intel into drm-next 2016-10-25 16:35:20 +10:00
fsl-dcu drm/fsl-dcu: enable pixel clock when enabling CRTC 2016-10-19 17:03:02 -07:00
gma500 drm: gma500: Replace drm_fb_get_bpp_depth() with drm_format_info() 2016-10-18 15:22:38 +05:30
hisilicon drm: convert DT component matching to component_match_add_release() 2016-10-25 11:52:38 -04:00
i2c drm/i2c/tda998x: mark symbol static where possible 2016-10-24 16:27:16 +02:00
i810
i915 drm/i915: Avoid accessing request->timeline outside of its lifetime 2016-11-01 10:48:40 +00:00
imx Linux 4.8-rc8 2016-09-28 12:08:49 +10:00
mediatek drm: convert DT component matching to component_match_add_release() 2016-10-25 11:52:38 -04:00
mga
mgag200 drm/ttm: make eviction decision a driver callback v2 2016-10-25 14:44:04 -04:00
msm drm: convert DT component matching to component_match_add_release() 2016-10-25 11:52:38 -04:00
nouveau Merge branch 'linux-4.9' of git://github.com/skeggsb/linux into drm-next 2016-10-28 14:24:56 +10:00
omapdrm drm/omap: Use per-plane rotation property 2016-10-21 18:25:47 +02:00
panel drm/panel: Add JDI LT070ME05000 WUXGA DSI Panel 2016-09-16 17:32:48 +02:00
qxl Merge tag 'topic/drm-misc-2016-10-27' of git://anongit.freedesktop.org/git/drm-intel into drm-next 2016-10-28 11:33:52 +10:00
r128
radeon Merge tag 'topic/drm-misc-2016-10-27' of git://anongit.freedesktop.org/git/drm-intel into drm-next 2016-10-28 11:33:52 +10:00
rcar-du drm: Add reference counting to drm_atomic_state 2016-10-17 08:19:57 +02:00
rockchip drm: convert DT component matching to component_match_add_release() 2016-10-25 11:52:38 -04:00
savage drm/savage: dereferencing an error pointer 2016-10-13 07:56:14 +02:00
shmobile
sis
sti drm: convert DT component matching to component_match_add_release() 2016-10-25 11:52:38 -04:00
sun4i drm: convert DT component matching to component_match_add_release() 2016-10-25 11:52:38 -04:00
tdfx
tegra gpu: Remove depends on RESET_CONTROLLER when not a provider 2016-10-19 09:26:15 +02:00
tilcdc drm: convert DT component matching to component_match_add_release() 2016-10-25 11:52:38 -04:00
ttm Merge tag 'topic/drm-misc-2016-10-27' of git://anongit.freedesktop.org/git/drm-intel into drm-next 2016-10-28 11:33:52 +10:00
udl Merge tag 'drm-for-v4.9' of git://people.freedesktop.org/~airlied/linux 2016-10-11 18:12:22 -07:00
vc4 Merge tag 'topic/drm-misc-2016-10-24' of git://anongit.freedesktop.org/drm-intel into drm-next 2016-10-25 16:35:20 +10:00
vgem dma-buf: Rename struct fence to dma_fence 2016-10-25 14:40:39 +02:00
via mm: replace get_user_pages() write/force parameters with gup_flags 2016-10-19 08:11:43 -07:00
virtio Merge tag 'topic/drm-misc-2016-10-27' of git://anongit.freedesktop.org/git/drm-intel into drm-next 2016-10-28 11:33:52 +10:00
vmwgfx Merge tag 'topic/drm-misc-2016-10-27' of git://anongit.freedesktop.org/git/drm-intel into drm-next 2016-10-28 11:33:52 +10:00
ati_pcigart.c
drm_agpsupport.c
drm_atomic_helper.c dma-buf: Rename struct fence to dma_fence 2016-10-25 14:40:39 +02:00
drm_atomic.c dma-buf: Rename struct fence to dma_fence 2016-10-25 14:40:39 +02:00
drm_auth.c
drm_blend.c drm: RIP mode_config->rotation_property 2016-10-22 10:42:11 +02:00
drm_bridge.c drm: Extract drm_bridge.h 2016-09-19 15:04:15 +02:00
drm_bufs.c GPU-DRM: Replace a kzalloc() call by kcalloc() in drm_legacy_addbufs_sg() 2016-09-21 13:24:27 +02:00
drm_cache.c
drm_color_mgmt.c drm/doc: Document color space handling 2016-09-22 00:04:03 -07:00
drm_connector.c drm: Release resources with a safer function 2016-10-10 11:20:48 +02:00
drm_context.c
drm_crtc_helper_internal.h drm/fb-helper: Fix sparse warnings 2016-09-19 16:45:15 +02:00
drm_crtc_helper.c drm/kms-helpers: Extract drm_modeset_helper.[hc] 2016-08-16 16:10:19 +02:00
drm_crtc_internal.h drm: Extract drm_color_mgmt.[hc] 2016-09-22 00:04:02 -07:00
drm_crtc.c drm: Add drm_rotation_90_or_270() 2016-10-21 18:21:33 +02:00
drm_debugfs_crc.c drm: fix sparse warnings on undeclared symbols in crc debugfs 2016-10-19 14:10:29 +03:00
drm_debugfs.c Merge tag 'topic/drm-misc-2016-10-24' of git://anongit.freedesktop.org/drm-intel into drm-next 2016-10-25 16:35:20 +10:00
drm_dma.c
drm_dp_aux_dev.c drm: Don't export dp-aux devnode functions 2016-08-16 18:49:26 +02:00
drm_dp_dual_mode_helper.c drm: Print some debug/error info during DP dual mode detect 2016-10-26 15:57:11 -04:00
drm_dp_helper.c Merge tag 'drm-for-v4.9' of git://people.freedesktop.org/~airlied/linux 2016-10-11 18:12:22 -07:00
drm_dp_mst_topology.c
drm_drv.c drm: Simplify drm_printk to reduce object size quite a bit 2016-10-04 08:23:14 +02:00
drm_edid_load.c
drm_edid.c drm/edid: Only print the bad edid when aborting 2016-10-25 08:32:16 +02:00
drm_encoder_slave.c
drm_encoder.c drm: Fix typo in encoder docs 2016-09-21 13:33:50 +02:00
drm_fb_cma_helper.c drm/fb_cma_helper: do not free fbdev if there is none 2016-10-20 09:05:34 +02:00
drm_fb_helper.c drm: RIP mode_config->rotation_property 2016-10-22 10:42:11 +02:00
drm_flip_work.c
drm_fops.c dma-buf: Rename struct fence to dma_fence 2016-10-25 14:40:39 +02:00
drm_fourcc.c drm: Don't export the drm_fb_get_bpp_depth() function 2016-10-18 15:24:08 +05:30
drm_framebuffer.c drm: WARN when calling drm_format_info() for an unsupported format 2016-10-18 15:21:38 +05:30
drm_gem_cma_helper.c
drm_gem.c drm: use drm_file to tag vm-bos 2016-09-19 11:22:08 +02:00
drm_global.c drm: modify drm_global_item_ref to avoid two times of writing ref->object 2016-09-14 15:10:29 -04:00
drm_hashtab.c drm: fix signed integer overflow 2016-09-06 13:56:41 -04:00
drm_info.c drm: Print device information again in debugfs 2016-10-17 16:20:53 +10:00
drm_internal.h drm: Add API for capturing frame CRCs 2016-10-17 16:44:34 +02:00
drm_ioc32.c drm: drop obsolete drm_core.h 2016-09-19 13:57:38 +02:00
drm_ioctl.c drm: drop obsolete drm_core.h 2016-09-19 13:57:38 +02:00
drm_irq.c drm: avoid uninitialized timestamp use in wait_vblank 2016-10-18 09:45:17 +02:00
drm_kms_helper_common.c drm: Don't export dp-aux devnode functions 2016-08-16 18:49:26 +02:00
drm_legacy.h
drm_lock.c
drm_memory.c
drm_mipi_dsi.c drm/dsi: Implement DCS set/get display brightness 2016-08-24 13:34:00 +02:00
drm_mm.c
drm_mode_object.c drm: Move property validation to a helper, v2. 2016-09-12 10:32:49 -04:00
drm_modes.c drm: Use u64 for intermediate dotclock calculations 2016-10-21 20:23:16 +02:00
drm_modeset_helper.c drm: Don't export the drm_fb_get_bpp_depth() function 2016-10-18 15:24:08 +05:30
drm_modeset_lock.c
drm_of.c drm: convert DT component matching to component_match_add_release() 2016-10-25 11:52:38 -04:00
drm_panel.c
drm_pci.c drm: Don't swallow error codes in drm_dev_alloc() 2016-09-22 04:03:48 -07:00
drm_plane_helper.c drm: Fix kerneldoc in drm_plane_helper.c 2016-08-16 18:50:04 +02:00
drm_plane.c drm: Undo damage to page_flip_ioctl 2016-10-04 12:53:12 +10:00
drm_platform.c drm: Don't swallow error codes in drm_dev_alloc() 2016-09-22 04:03:48 -07:00
drm_prime.c drm: Fix up kerneldoc for new drm_gem_dmabuf_export() 2016-10-10 11:19:42 +02:00
drm_probe_helper.c drm: drm_probe_helper: Fix output_poll_work scheduling 2016-08-31 13:23:30 +02:00
drm_property.c Revert "drm: Unify handling of blob and object properties" 2016-09-07 13:24:22 +03:00
drm_rect.c
drm_scatter.c
drm_simple_kms_helper.c drm: simple_kms_helper: Add prepare_fb and cleanup_fb hooks 2016-10-05 15:18:02 +02:00
drm_sysfs.c drm: drop obsolete drm_core.h 2016-09-19 13:57:38 +02:00
drm_trace_points.c
drm_trace.h
drm_vm.c
drm_vma_manager.c drm: use drm_file to tag vm-bos 2016-09-19 11:22:08 +02:00
Kconfig Revert "drm: make DRI1 drivers depend on BROKEN" 2016-09-01 06:16:12 +10:00
Makefile drm: Add API for capturing frame CRCs 2016-10-17 16:44:34 +02:00