From: Chris Wilson <chris@chris-wilson.co.uk>
To: intel-gfx@lists.freedesktop.org
Cc: Herton Ronaldo Krzesinski <herton.krzesinski@canonical.com>
Subject: [PATCH 5/8] drm/i915: Prevent racy removal of request from client list
Date: Fri, 18 Mar 2011 08:02:07 +0000 [thread overview]
Message-ID: <1300435330-15934-6-git-send-email-chris@chris-wilson.co.uk> (raw)
In-Reply-To: <1300435330-15934-1-git-send-email-chris@chris-wilson.co.uk>
From: Herton Ronaldo Krzesinski <herton.krzesinski@canonical.com>
When i915_gem_retire_requests_ring calls i915_gem_request_remove_from_client,
the client_list for that request may already be removed in i915_gem_release.
So we may call twice list_del(&request->client_list), resulting in an
oops like this report:
[126167.230394] BUG: unable to handle kernel paging request at 00100104
[126167.230699] IP: [<f8c2ce44>] i915_gem_retire_requests_ring+0xd4/0x240 [i915]
[126167.231042] *pdpt = 00000000314c1001 *pde = 0000000000000000
[126167.231314] Oops: 0002 [#1] SMP
[126167.231471] last sysfs file: /sys/devices/LNXSYSTM:00/device:00/PNP0C0A:00/power_supply/BAT1/current_now
[126167.231901] Modules linked in: snd_seq_dummy nls_utf8 isofs btrfs zlib_deflate libcrc32c ufs qnx4 hfsplus hfs minix ntfs vfat msdos fat jfs xfs exportfs reiserfs cryptd aes_i586 aes_generic binfmt_misc vboxnetadp vboxnetflt vboxdrv parport_pc ppdev snd_hda_codec_hdmi snd_hda_codec_conexant snd_hda_intel snd_hda_codec snd_hwdep arc4 snd_pcm snd_seq_midi snd_rawmidi snd_seq_midi_event snd_seq uvcvideo videodev snd_timer snd_seq_device joydev iwlagn iwlcore mac80211 snd cfg80211 soundcore i915 drm_kms_helper snd_page_alloc psmouse drm serio_raw i2c_algo_bit video lp parport usbhid hid sky2 sdhci_pci ahci sdhci libahci
[126167.232018]
[126167.232018] Pid: 1101, comm: Xorg Not tainted 2.6.38-6-generic-pae #34-Ubuntu Gateway MC7833U /
[126167.232018] EIP: 0060:[<f8c2ce44>] EFLAGS: 00213246 CPU: 0
[126167.232018] EIP is at i915_gem_retire_requests_ring+0xd4/0x240 [i915]
[126167.232018] EAX: 00200200 EBX: f1ac25b0 ECX: 00000040 EDX: 00100100
[126167.232018] ESI: f1a2801c EDI: e87fc060 EBP: ef4d7dd8 ESP: ef4d7db0
[126167.232018] DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
[126167.232018] Process Xorg (pid: 1101, ti=ef4d6000 task=f1ba6500 task.ti=ef4d6000)
[126167.232018] Stack:
[126167.232018] f1a28000 f1a2809c f1a28094 0058bd97 f1aa2400 f1a2801c 0058bd7b 0058bd85
[126167.232018] f1a2801c f1a28000 ef4d7e38 f8c2e995 ef4d7e30 ef4d7e60 c14d1ebc f6b3a040
[126167.232018] f1522cc0 000000db 00000000 f1ba6500 ffffffa1 00000000 00000001 f1a29214
[126167.232018] Call Trace:
Unfortunately the call trace reported was cut, but looking at debug
symbols the crash is at __list_del, when probably list_del is called
twice on the same request->client_list, as the dereferenced value is
LIST_POISON1 + 4, and by looking more at the debug symbols before
list_del call it should have being called by
i915_gem_request_remove_from_client
And as I can see in the code, it seems we indeed have the possibility
to remove a request->client_list twice, which would cause the above,
because we do list_del(&request->client_list) on both
i915_gem_request_remove_from_client and i915_gem_release
As Chris Wilson pointed out, it's indeed the case:
"(...) I had thought that the actual insertion/deletion was serialised
under the struct mutex and the intention of the spinlock was to protect
the unlocked list traversal during throttling. However, I missed that
i915_gem_release() is also called without struct mutex and so we do need
the double check for i915_gem_request_remove_from_client()."
This change does the required check to avoid the duplicate remove of
request->client_list.
Bugzilla: http://bugs.launchpad.net/bugs/733780
Cc: stable@kernel.org # 2.6.38
Signed-off-by: Herton Ronaldo Krzesinski <herton.krzesinski@canonical.com>
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
---
drivers/gpu/drm/i915/i915_gem.c | 6 ++++--
1 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/i915/i915_gem.c b/drivers/gpu/drm/i915/i915_gem.c
index c4c2855..d4bf061 100644
--- a/drivers/gpu/drm/i915/i915_gem.c
+++ b/drivers/gpu/drm/i915/i915_gem.c
@@ -1796,8 +1796,10 @@ i915_gem_request_remove_from_client(struct drm_i915_gem_request *request)
return;
spin_lock(&file_priv->mm.lock);
- list_del(&request->client_list);
- request->file_priv = NULL;
+ if (request->file_priv) {
+ list_del(&request->client_list);
+ request->file_priv = NULL;
+ }
spin_unlock(&file_priv->mm.lock);
}
--
1.7.2.3
next prev parent reply other threads:[~2011-03-18 8:02 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-03-18 8:02 Patch queue for -fixes Chris Wilson
2011-03-18 8:02 ` [PATCH 1/8] drm/i915: Remove surplus POSTING_READs before wait_for_vblank Chris Wilson
2011-03-18 14:42 ` Keith Packard
2011-03-18 16:23 ` Jesse Barnes
2011-03-18 8:02 ` [PATCH 2/8] drm/i915: skip redundant operations whilst enabling pipes and planes Chris Wilson
2011-03-18 14:46 ` Keith Packard
2011-03-18 16:25 ` Jesse Barnes
2011-03-18 17:37 ` Chris Wilson
2011-03-18 17:41 ` Jesse Barnes
2011-03-18 8:02 ` [PATCH 3/8] drm/i915: Flush the plane enable using the DSPCNTR latch Chris Wilson
2011-03-18 15:09 ` Keith Packard
2011-03-18 16:26 ` Jesse Barnes
2011-03-18 17:42 ` Chris Wilson
2011-03-18 8:02 ` [PATCH 4/8] drm/i915: Only wait for vblank after pipe enabling on gen2 Chris Wilson
2011-03-18 15:10 ` Keith Packard
2011-03-18 16:27 ` Jesse Barnes
2011-03-18 8:02 ` Chris Wilson [this message]
2011-03-18 8:02 ` [PATCH 6/8] drm: Fix use-after-free in drm_gem_vm_close() Chris Wilson
2011-03-18 15:15 ` [Intel-gfx] " Keith Packard
2011-03-18 8:02 ` [PATCH 7/8] drm/i915: Re-enable self-refresh Chris Wilson
2011-03-18 15:22 ` Keith Packard
2011-03-18 17:48 ` Chris Wilson
2011-03-18 18:12 ` Eric Anholt
2011-03-18 19:08 ` Chris Wilson
2011-03-18 8:02 ` [PATCH 8/8] drm/i915: Fix tiling corruption from pipelined fencing Chris Wilson
2011-03-19 22:17 ` Daniel Vetter
2011-03-19 22:25 ` Chris Wilson
2011-03-19 23:12 ` Daniel Vetter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1300435330-15934-6-git-send-email-chris@chris-wilson.co.uk \
--to=chris@chris-wilson.co.uk \
--cc=herton.krzesinski@canonical.com \
--cc=intel-gfx@lists.freedesktop.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.