From: Chris Wilson <chris@chris-wilson.co.uk>
To: intel-gfx@lists.freedesktop.org
Cc: Ander Conselvan de Oliveira <ander.conselvan.de.oliveira@intel.com>
Subject: [PATCH 05/49] drm/i915: Fix race on unreferencing the wrong mmio-flip-request
Date: Fri, 27 Mar 2015 11:01:37 +0000	[thread overview]
Message-ID: <1427454141-4000-6-git-send-email-chris@chris-wilson.co.uk> (raw)
In-Reply-To: <1427454141-4000-1-git-send-email-chris@chris-wilson.co.uk>

As we perform the mmio-flip without any locking and then try to acquire
the struct_mutex prior to dereferencing the request, it is possible for
userspace to queue a new pageflip before the worker can finish clearing
the old state - and then it will clear the new flip request. The result
is that the new flip could be completed before the GPU has finished
rendering.

The bug stems from removing the seqno checking in
commit 536f5b5e86b225dab94c7ff8061ae482b6077387
Author: Ander Conselvan de Oliveira <ander.conselvan.de.oliveira@intel.com>
Date:   Thu Nov 6 11:03:40 2014 +0200

    drm/i915: Make mmio flip wait for seqno in the work function

Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Cc: Ander Conselvan de Oliveira <ander.conselvan.de.oliveira@intel.com>
---
 drivers/gpu/drm/i915/i915_drv.h      |  6 ++++--
 drivers/gpu/drm/i915/intel_display.c | 39 ++++++++++++++++++------------------
 drivers/gpu/drm/i915/intel_drv.h     |  4 ++--
 3 files changed, 25 insertions(+), 24 deletions(-)

diff --git a/drivers/gpu/drm/i915/i915_drv.h b/drivers/gpu/drm/i915/i915_drv.h
index fa91ca33d07c..18cefd8226c1 100644
--- a/drivers/gpu/drm/i915/i915_drv.h
+++ b/drivers/gpu/drm/i915/i915_drv.h
@@ -2136,10 +2136,12 @@ i915_gem_request_get_ring(struct drm_i915_gem_request *req)
 	return req ? req->ring : NULL;
 }
 
-static inline void
+static inline struct drm_i915_gem_request *
 i915_gem_request_reference(struct drm_i915_gem_request *req)
 {
-	kref_get(&req->ref);
+	if (req)
+		kref_get(&req->ref);
+	return req;
 }
 
 static inline void
diff --git a/drivers/gpu/drm/i915/intel_display.c b/drivers/gpu/drm/i915/intel_display.c
index 2afa3acf5452..0d944afe5427 100644
--- a/drivers/gpu/drm/i915/intel_display.c
+++ b/drivers/gpu/drm/i915/intel_display.c
@@ -9984,22 +9984,18 @@ static void intel_do_mmio_flip(struct intel_crtc *intel_crtc)
 
 static void intel_mmio_flip_work_func(struct work_struct *work)
 {
-	struct intel_crtc *crtc =
-		container_of(work, struct intel_crtc, mmio_flip.work);
-	struct intel_mmio_flip *mmio_flip;
+	struct intel_mmio_flip *mmio_flip =
+		container_of(work, struct intel_mmio_flip, work);
 
-	mmio_flip = &crtc->mmio_flip;
-	if (mmio_flip->req)
-		WARN_ON(__i915_wait_request(mmio_flip->req,
-					    crtc->reset_counter,
-					    false, NULL, NULL) != 0);
+	if (mmio_flip->rq)
+		WARN_ON(__i915_wait_request(mmio_flip->rq,
+					    mmio_flip->crtc->reset_counter,
+					    false, NULL, NULL));
 
-	intel_do_mmio_flip(crtc);
-	if (mmio_flip->req) {
-		mutex_lock(&crtc->base.dev->struct_mutex);
-		i915_gem_request_assign(&mmio_flip->req, NULL);
-		mutex_unlock(&crtc->base.dev->struct_mutex);
-	}
+	intel_do_mmio_flip(mmio_flip->crtc);
+
+	i915_gem_request_unreference__unlocked(mmio_flip->rq);
+	kfree(mmio_flip);
 }
 
 static int intel_queue_mmio_flip(struct drm_device *dev,
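Review bot: The final `i915_gem_request_unreference__unlocked(mmio_flip->rq);` in intel_mmio_flip_work_func runs even when `rq` is NULL, although the wait a few lines above is guarded by `if (mmio_flip->rq)` and `i915_gem_request_reference()` in this same patch now returns NULL for a NULL request. The helper comes from patch 04/49 and is not visible on this page, so whether it tolerates NULL cannot be confirmed here; if it does not, guard the call with `if (mmio_flip->rq)` or make the helper NULL-safe to match the reference side. A one-line comment above `kfree(mmio_flip);` such as `/* the worker owns the item: nothing else holds a pointer after schedule_work() */` would also make the new ownership explicit.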
@@ -10009,12 +10005,17 @@ static int intel_queue_mmio_flip(struct drm_device *dev,
 				 struct intel_engine_cs *ring,
 				 uint32_t flags)
 {
-	struct intel_crtc *intel_crtc = to_intel_crtc(crtc);
+	struct intel_mmio_flip *mmio_flip;
+
+	mmio_flip = kmalloc(sizeof(*mmio_flip), GFP_KERNEL);
+	if (mmio_flip == NULL)
+		return -ENOMEM;
 
-	i915_gem_request_assign(&intel_crtc->mmio_flip.req,
-				obj->last_write_req);
+	mmio_flip->rq = i915_gem_request_reference(obj->last_write_req);
+	mmio_flip->crtc = to_intel_crtc(crtc);
 
-	schedule_work(&intel_crtc->mmio_flip.work);
+	INIT_WORK(&mmio_flip->work, intel_mmio_flip_work_func);
+	schedule_work(&mmio_flip->work);
 
 	return 0;
 }
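Review bot: `mmio_flip->crtc = to_intel_crtc(crtc);` stores a bare, unreferenced pointer that the worker dereferences later (`mmio_flip->crtc->reset_counter` and `intel_do_mmio_flip(mmio_flip->crtc)`). With the work item no longer embedded in `struct intel_crtc`, the crtc keeps no handle through which teardown could flush or cancel a queued flip. Whether the crtc can be freed while an item is still pending depends on code outside this hunk, so the lifetime assumption should be confirmed and written down next to the assignment, e.g. `/* crtc must outlive the queued work; see <teardown path> */`. The new `return -ENOMEM;` also makes this function fallible where the old body always returned 0, so the caller's unwind on error deserves a check. The function's signature starts above the hunk.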
@@ -12912,8 +12913,6 @@ static void intel_crtc_init(struct drm_device *dev, int pipe)
 	dev_priv->plane_to_crtc_mapping[intel_crtc->plane] = &intel_crtc->base;
 	dev_priv->pipe_to_crtc_mapping[intel_crtc->pipe] = &intel_crtc->base;
 
-	INIT_WORK(&intel_crtc->mmio_flip.work, intel_mmio_flip_work_func);
-
 	drm_crtc_helper_add(&intel_crtc->base, &intel_helper_funcs);
 
 	WARN_ON(drm_crtc_index(&intel_crtc->base) != intel_crtc->pipe);
diff --git a/drivers/gpu/drm/i915/intel_drv.h b/drivers/gpu/drm/i915/intel_drv.h
index 6036e3b73b7b..62dae400d600 100644
--- a/drivers/gpu/drm/i915/intel_drv.h
+++ b/drivers/gpu/drm/i915/intel_drv.h
@@ -403,8 +403,9 @@ struct intel_pipe_wm {
 };
 
 struct intel_mmio_flip {
-	struct drm_i915_gem_request *req;
 	struct work_struct work;
+	struct drm_i915_gem_request *rq;
+	struct intel_crtc *crtc;
 };
 
 struct skl_pipe_wm {
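Review bot: `struct intel_mmio_flip` changes here from a member embedded in each crtc to a heap-allocated work item that frees itself, and the definition carries no comment recording that. Suggest documenting ownership on the fields: `/* reference taken at queue time, dropped by the worker; may be NULL */` on `rq` and `/* borrowed, not refcounted */` on `crtc`. That gives a later reader of the header the lifetime rules without having to trace intel_queue_mmio_flip and the work function.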
@@ -490,7 +491,6 @@ struct intel_crtc {
 	} wm;
 
 	int scanline_offset;
-	struct intel_mmio_flip mmio_flip;
 
 	struct intel_crtc_atomic_commit atomic;
 };
-- 
2.1.4

