* [Intel-gfx] [PATCH] drm/i915: Fix the use-after-free between i915_active_ref and __active_retire
@ 2019-12-06 11:56 Chuansheng Liu
2019-12-06 12:04 ` Chris Wilson
` (2 more replies)
0 siblings, 3 replies; 7+ messages in thread
From: Chuansheng Liu @ 2019-12-06 11:56 UTC (permalink / raw)
To: intel-gfx
We easily hit drm/i915 panic on TGL when running glmark2, and finally
caught the race condition of use-after-free with enabling KASAN.
The call stack is below:
===
[ 534.472675] BUG: KASAN: use-after-free in __i915_active_fence_set+0x26d/0x3d0 [i915]
[ 534.472679] Write of size 8 at addr ffff8883f0372388 by task glmark2/3199
[ 534.472684] CPU: 3 PID: 3199 Comm: glmark2 Tainted: G U E 5.4.0-rc8 #8
[ 534.472687] Call Trace:
[ 534.472693] dump_stack+0x95/0xd5
[ 534.472722] ? __i915_active_fence_set+0x26d/0x3d0 [i915]
[ 534.472727] print_address_description.constprop.5+0x20/0x320
[ 534.472751] ? __i915_active_fence_set+0x26d/0x3d0 [i915]
[ 534.472792] ? __i915_active_fence_set+0x26d/0x3d0 [i915]
[ 534.472794] __kasan_report+0x149/0x18c
[ 534.472798] ? _raw_spin_lock+0x1/0xd0
[ 534.472820] ? __i915_active_fence_set+0x26d/0x3d0 [i915]
[ 534.472822] kasan_report+0x12/0x20
[ 534.472825] __asan_report_store8_noabort+0x17/0x20
[ 534.472847] __i915_active_fence_set+0x26d/0x3d0 [i915]
[ 534.472870] i915_active_ref+0x2c8/0x530 [i915]
[ 534.472874] ? dma_resv_add_shared_fence+0x291/0x460
[ 534.472902] __i915_vma_move_to_active+0x56/0x70 [i915]
[ 534.472927] i915_vma_move_to_active+0x54/0x420 [i915]
[ 534.472931] ? mutex_unlock+0x22/0x40
[ 534.472957] i915_gem_do_execbuffer+0x1d45/0x3e20 [i915]
[ 534.472959] ? __kmalloc_node+0x12c/0x350
[ 534.472983] ? eb_relocate_slow+0xb40/0xb40 [i915]
[ 534.472985] ? _raw_write_trylock+0x110/0x110
[ 534.472987] ? get_partial_node.isra.72+0x51/0x260
[ 534.472991] ? unix_stream_read_generic+0x583/0x1a80
[ 534.472994] ? ___slab_alloc+0x1d8/0x550
[ 534.472998] ? kvmalloc_node+0x31/0x80
[ 534.473000] ? kasan_unpoison_shadow+0x35/0x50
[ 534.473002] ? _raw_spin_lock+0x7b/0xd0
[ 534.473004] ? radix_tree_lookup+0xd/0x10
[ 534.473006] ? idr_find+0x3b/0x60
[ 534.473029] i915_gem_execbuffer2_ioctl+0x634/0x8a0 [i915]
[ 534.473052] ? i915_gem_execbuffer_ioctl+0xd50/0xd50 [i915]
[ 534.473054] ? unix_stream_recvmsg+0x97/0xd0
[ 534.473056] ? unix_stream_splice_read+0x1c0/0x1c0
[ 534.473058] ? __unix_insert_socket+0x180/0x180
[ 534.473081] ? i915_gem_execbuffer_ioctl+0xd50/0xd50 [i915]
[ 534.473094] drm_ioctl_kernel+0x1ed/0x2b0 [drm]
[ 534.473103] ? drm_setversion+0x8c0/0x8c0 [drm]
[ 534.473106] ? __kasan_check_write+0x14/0x20
[ 534.473115] drm_ioctl+0x68b/0xaa0 [drm]
...
[ 534.473239] Allocated by task 3199:
[ 534.473241] save_stack+0x21/0x90
[ 534.473243] __kasan_kmalloc.constprop.8+0xa7/0xd0
[ 534.473245] kasan_slab_alloc+0x11/0x20
[ 534.473246] kmem_cache_alloc+0xce/0x240
[ 534.473273] i915_active_ref+0xc2/0x530 [i915]
[ 534.473302] __i915_vma_move_to_active+0x56/0x70 [i915]
[ 534.473328] i915_vma_move_to_active+0x54/0x420 [i915]
[ 534.473355] i915_gem_do_execbuffer+0x1d45/0x3e20 [i915]
[ 534.473381] i915_gem_execbuffer2_ioctl+0x634/0x8a0 [i915]
[ 534.473392] drm_ioctl_kernel+0x1ed/0x2b0 [drm]
[ 534.473402] drm_ioctl+0x68b/0xaa0 [drm]
[ 534.473404] do_vfs_ioctl+0x19a/0xf10
[ 534.473405] ksys_ioctl+0x75/0x80
[ 534.473407] __x64_sys_ioctl+0x73/0xb0
[ 534.473408] do_syscall_64+0x9f/0x3a0
[ 534.473410] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 534.473412] Freed by task 0:
[ 534.473414] save_stack+0x21/0x90
[ 534.473415] __kasan_slab_free+0x137/0x190
[ 534.473417] kasan_slab_free+0xe/0x10
[ 534.473418] kmem_cache_free+0xeb/0x2c0
[ 534.473444] __active_retire+0x1f2/0x240 [i915]
[ 534.473471] active_retire+0x13b/0x1b0 [i915]
[ 534.473496] node_retire+0x54/0x80 [i915]
[ 534.473523] intel_engine_breadcrumbs_irq+0x5f0/0xd10 [i915]
[ 534.473549] cs_irq_handler+0x66/0xb0 [i915]
[ 534.473575] gen11_gt_irq_handler+0x26c/0x400 [i915]
[ 534.473600] gen11_irq_handler+0xc3/0x250 [i915]
[ 534.473603] __handle_irq_event_percpu+0xe0/0x4c0
[ 534.473605] handle_irq_event_percpu+0x71/0x140
[ 534.473606] handle_irq_event+0xad/0x140
[ 534.473608] handle_edge_irq+0x1f6/0x780
[ 534.473610] do_IRQ+0x9f/0x1f0
[ 534.473612] The buggy address belongs to the object at ffff8883f0372380
which belongs to the cache active_node of size 72
[ 534.473615] The buggy address is located 8 bytes inside of
===
The race scenario is like:
Initially ref->count is 1, interrupt handler is trying to free the
node.
===
CPUA in interrupt context          CPUB in i915_gem_execbuffer2_ioctl
__active_retire -->
   spin_lock(&ref->tree_lock)
   decrease ref->count to 0
                                   i915_active_ref -->
                                      increase ref->count to 1
                                      (i915_active_acquire)
                                      get the dirty ref->cache
                                      (READ_ONCE(ref->cache))
                                      return the dirty node
   set ref->cache to NULL
   spin_unlock(&ref->tree_lock)
   free the node
                                      hit use-after-free in
                                      __i915_active_fence_set()
===
Here we need to use spinlock ref->tree_lock to protect the access
of READ_ONCE(ref->cache), then the race scenario can be resolved.
With this patch, it passed our stress test for a very long time.
Signed-off-by: Chuansheng Liu <chuansheng.liu@intel.com>
---
drivers/gpu/drm/i915/i915_active.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/gpu/drm/i915/i915_active.c b/drivers/gpu/drm/i915/i915_active.c
index dca15ace88f6..3d68b910e949 100644
--- a/drivers/gpu/drm/i915/i915_active.c
+++ b/drivers/gpu/drm/i915/i915_active.c
@@ -214,7 +214,10 @@ active_instance(struct i915_active *ref, struct intel_timeline *tl)
* after the previous activity has been retired, or if it matches the
* current timeline.
*/
+ spin_lock_irq(&ref->tree_lock);
node = READ_ONCE(ref->cache);
+ spin_unlock_irq(&ref->tree_lock);
+
if (node && node->timeline == idx)
return &node->base;
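Review bot: The spin_lock_irq()/spin_unlock_irq() pair added around node = READ_ONCE(ref->cache) orders only the pointer load; node->timeline and the returned &node->base are used after the unlock, so their validity still rests on ref->count. The commit message's own diagram shows that count being raised from 0 to 1 in i915_active_acquire while __active_retire is already inside its tree_lock section, and this hunk leaves that step unserialised. Suggest serialising where the count is raised from zero, or adding a comment that explains why ordering the cache read alone is enough. Also, spin_unlock_irq() re-enables interrupts unconditionally, so either state that active_instance() is never entered with interrupts disabled or use spin_lock_irqsave()/spin_unlock_irqrestore().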
--
2.17.1
_______________________________________________
Intel-gfx mailing list
Intel-gfx@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/intel-gfx
* Re: [Intel-gfx] [PATCH] drm/i915: Fix the use-after-free between i915_active_ref and __active_retire
2019-12-06 11:56 [Intel-gfx] [PATCH] drm/i915: Fix the use-after-free between i915_active_ref and __active_retire Chuansheng Liu
@ 2019-12-06 12:04 ` Chris Wilson
2019-12-06 12:10 ` Liu, Chuansheng
2019-12-06 14:17 ` [Intel-gfx] ✓ Fi.CI.BAT: success for " Patchwork
2019-12-07 4:02 ` [Intel-gfx] ✗ Fi.CI.IGT: failure " Patchwork
2 siblings, 1 reply; 7+ messages in thread
From: Chris Wilson @ 2019-12-06 12:04 UTC (permalink / raw)
To: Chuansheng Liu, intel-gfx
Quoting Chuansheng Liu (2019-12-06 11:56:35)
> We easily hit drm/i915 panic on TGL when running glmark2, and finally
> caught the race condition of use-after-free with enabling KASAN.
>
> The call stack is below:
> ===
> [ 534.472675] BUG: KASAN: use-after-free in __i915_active_fence_set+0x26d/0x3d0 [i915]
> [ 534.472679] Write of size 8 at addr ffff8883f0372388 by task glmark2/3199
>
> [ 534.472684] CPU: 3 PID: 3199 Comm: glmark2 Tainted: G U E 5.4.0-rc8 #8
> [ 534.472687] Call Trace:
> [ 534.472693] dump_stack+0x95/0xd5
> [ 534.472722] ? __i915_active_fence_set+0x26d/0x3d0 [i915]
> [ 534.472727] print_address_description.constprop.5+0x20/0x320
> [ 534.472751] ? __i915_active_fence_set+0x26d/0x3d0 [i915]
> [ 534.472792] ? __i915_active_fence_set+0x26d/0x3d0 [i915]
> [ 534.472794] __kasan_report+0x149/0x18c
> [ 534.472798] ? _raw_spin_lock+0x1/0xd0
> [ 534.472820] ? __i915_active_fence_set+0x26d/0x3d0 [i915]
> [ 534.472822] kasan_report+0x12/0x20
> [ 534.472825] __asan_report_store8_noabort+0x17/0x20
> [ 534.472847] __i915_active_fence_set+0x26d/0x3d0 [i915]
> [ 534.472870] i915_active_ref+0x2c8/0x530 [i915]
> [ 534.472874] ? dma_resv_add_shared_fence+0x291/0x460
> [ 534.472902] __i915_vma_move_to_active+0x56/0x70 [i915]
> [ 534.472927] i915_vma_move_to_active+0x54/0x420 [i915]
> [ 534.472931] ? mutex_unlock+0x22/0x40
> [ 534.472957] i915_gem_do_execbuffer+0x1d45/0x3e20 [i915]
> [ 534.472959] ? __kmalloc_node+0x12c/0x350
> [ 534.472983] ? eb_relocate_slow+0xb40/0xb40 [i915]
> [ 534.472985] ? _raw_write_trylock+0x110/0x110
> [ 534.472987] ? get_partial_node.isra.72+0x51/0x260
> [ 534.472991] ? unix_stream_read_generic+0x583/0x1a80
> [ 534.472994] ? ___slab_alloc+0x1d8/0x550
> [ 534.472998] ? kvmalloc_node+0x31/0x80
> [ 534.473000] ? kasan_unpoison_shadow+0x35/0x50
> [ 534.473002] ? _raw_spin_lock+0x7b/0xd0
> [ 534.473004] ? radix_tree_lookup+0xd/0x10
> [ 534.473006] ? idr_find+0x3b/0x60
> [ 534.473029] i915_gem_execbuffer2_ioctl+0x634/0x8a0 [i915]
> [ 534.473052] ? i915_gem_execbuffer_ioctl+0xd50/0xd50 [i915]
> [ 534.473054] ? unix_stream_recvmsg+0x97/0xd0
> [ 534.473056] ? unix_stream_splice_read+0x1c0/0x1c0
> [ 534.473058] ? __unix_insert_socket+0x180/0x180
> [ 534.473081] ? i915_gem_execbuffer_ioctl+0xd50/0xd50 [i915]
> [ 534.473094] drm_ioctl_kernel+0x1ed/0x2b0 [drm]
> [ 534.473103] ? drm_setversion+0x8c0/0x8c0 [drm]
> [ 534.473106] ? __kasan_check_write+0x14/0x20
> [ 534.473115] drm_ioctl+0x68b/0xaa0 [drm]
> ...
>
> [ 534.473239] Allocated by task 3199:
> [ 534.473241] save_stack+0x21/0x90
> [ 534.473243] __kasan_kmalloc.constprop.8+0xa7/0xd0
> [ 534.473245] kasan_slab_alloc+0x11/0x20
> [ 534.473246] kmem_cache_alloc+0xce/0x240
> [ 534.473273] i915_active_ref+0xc2/0x530 [i915]
> [ 534.473302] __i915_vma_move_to_active+0x56/0x70 [i915]
> [ 534.473328] i915_vma_move_to_active+0x54/0x420 [i915]
> [ 534.473355] i915_gem_do_execbuffer+0x1d45/0x3e20 [i915]
> [ 534.473381] i915_gem_execbuffer2_ioctl+0x634/0x8a0 [i915]
> [ 534.473392] drm_ioctl_kernel+0x1ed/0x2b0 [drm]
> [ 534.473402] drm_ioctl+0x68b/0xaa0 [drm]
> [ 534.473404] do_vfs_ioctl+0x19a/0xf10
> [ 534.473405] ksys_ioctl+0x75/0x80
> [ 534.473407] __x64_sys_ioctl+0x73/0xb0
> [ 534.473408] do_syscall_64+0x9f/0x3a0
> [ 534.473410] entry_SYSCALL_64_after_hwframe+0x44/0xa9
>
> [ 534.473412] Freed by task 0:
> [ 534.473414] save_stack+0x21/0x90
> [ 534.473415] __kasan_slab_free+0x137/0x190
> [ 534.473417] kasan_slab_free+0xe/0x10
> [ 534.473418] kmem_cache_free+0xeb/0x2c0
> [ 534.473444] __active_retire+0x1f2/0x240 [i915]
> [ 534.473471] active_retire+0x13b/0x1b0 [i915]
> [ 534.473496] node_retire+0x54/0x80 [i915]
> [ 534.473523] intel_engine_breadcrumbs_irq+0x5f0/0xd10 [i915]
> [ 534.473549] cs_irq_handler+0x66/0xb0 [i915]
> [ 534.473575] gen11_gt_irq_handler+0x26c/0x400 [i915]
> [ 534.473600] gen11_irq_handler+0xc3/0x250 [i915]
> [ 534.473603] __handle_irq_event_percpu+0xe0/0x4c0
> [ 534.473605] handle_irq_event_percpu+0x71/0x140
> [ 534.473606] handle_irq_event+0xad/0x140
> [ 534.473608] handle_edge_irq+0x1f6/0x780
> [ 534.473610] do_IRQ+0x9f/0x1f0
>
> [ 534.473612] The buggy address belongs to the object at ffff8883f0372380
> which belongs to the cache active_node of size 72
> [ 534.473615] The buggy address is located 8 bytes inside of
>
> ===
>
> The race scenario is like:
> Initially ref->count is 1, interrupt handler is trying to free the
> node.
>
> ===
> CPUA in interrupt context          CPUB in i915_gem_execbuffer2_ioctl
> __active_retire -->
>    spin_lock(&ref->tree_lock)
>    decrease ref->count to 0
>                                    i915_active_ref -->
>                                       increase ref->count to 1
>                                       (i915_active_acquire)
>
>                                       get the dirty ref->cache
>                                       (READ_ONCE(ref->cache))
>
>                                       return the dirty node
>
>    set ref->cache to NULL
>    spin_unlock(&ref->tree_lock)
>    free the node
>
>                                       hit use-after-free in
>                                       __i915_active_fence_set()
>
> ===
>
> Here we need to use spinlock ref->tree_lock to protect the access
> of READ_ONCE(ref->cache), then the race scenario can be resolved.
>
> With this patch, it passed our stress test for a very long time.
>
> Signed-off-by: Chuansheng Liu <chuansheng.liu@intel.com>
> ---
> drivers/gpu/drm/i915/i915_active.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/drivers/gpu/drm/i915/i915_active.c b/drivers/gpu/drm/i915/i915_active.c
> index dca15ace88f6..3d68b910e949 100644
> --- a/drivers/gpu/drm/i915/i915_active.c
> +++ b/drivers/gpu/drm/i915/i915_active.c
> @@ -214,7 +214,10 @@ active_instance(struct i915_active *ref, struct intel_timeline *tl)
> * after the previous activity has been retired, or if it matches the
> * current timeline.
> */
> + spin_lock_irq(&ref->tree_lock);
> node = READ_ONCE(ref->cache);
> + spin_unlock_irq(&ref->tree_lock);
Incorrect. The serialisation with __active_retire is required at
i915_active_acquire. The problem is that serialisation was provided by
ODEBUG for our CI so it went under the radar.
-Chris
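The interleaving in the first message's diagram, together with the reply's point about i915_active_acquire, replayed as a deterministic model. This is an added example, not code from the patch or from i915: the three policies, the step order "ABBAAB" read off the diagram, and the rule that an acquire from count == 0 waits for tree_lock are assumptions of the model.

```c
/* Added example: single-threaded replay of the interleaving in the commit message.
 * Simplified model, not i915 code; "freed" is only a flag, nothing is really freed. */
#include <stdbool.h>
#include <stdio.h>

enum policy {
    UNPATCHED,           /* lockless acquire, lockless read of ref->cache */
    LOCKED_CACHE_READ,   /* posted hunk: tree_lock held around the cache read only */
    SERIALISED_ACQUIRE   /* assumption: acquire from count == 0 waits for tree_lock */
};

struct node { bool freed; };  /* stand-in for an active_node */

struct outcome {
    bool stale_use;       /* CPUB used the node after CPUA freed it */
    bool acquire_raced;   /* count went 0 -> 1 while retire held tree_lock */
    int final_count;
};

struct sim {
    enum policy policy;
    int count;            /* models ref->count */
    struct node *cache;   /* models ref->cache */
    bool locked;          /* models ref->tree_lock, held by CPUA */
    int pc[2];            /* next step of CPUA (0) and CPUB (1) */
    struct node *victim;  /* node that CPUA retires */
    struct node *b_node;  /* what CPUB read from ref->cache */
    struct outcome out;
};

/* Run the next step of `cpu`; false means finished or waiting on tree_lock. */
static bool step(struct sim *s, int cpu)
{
    int pc = s->pc[cpu];
    if (pc > 2)
        return false;
    if (cpu == 0) {                        /* CPUA: __active_retire */
        if (pc == 0) {
            s->locked = true;
            if (--s->count != 0) {         /* still referenced: no retire */
                s->locked = false;
                s->pc[0] = 3;
                return true;
            }
        } else if (pc == 1) {
            s->cache = NULL;
            s->locked = false;
        } else {
            s->victim->freed = true;       /* "free the node" */
        }
    } else {                               /* CPUB: i915_active_ref */
        if (pc == 0) {                     /* i915_active_acquire */
            if (s->count == 0 && s->locked) {
                if (s->policy == SERIALISED_ACQUIRE)
                    return false;          /* wait until retire is done */
                s->out.acquire_raced = true;
            }
            s->count++;
        } else if (pc == 1) {              /* node = READ_ONCE(ref->cache) */
            if (s->policy == LOCKED_CACHE_READ && s->locked)
                return false;              /* wait for tree_lock */
            s->b_node = s->cache;
        } else if (s->b_node) {            /* __i915_active_fence_set() */
            s->out.stale_use = s->b_node->freed;
        }
    }
    s->pc[cpu]++;
    return true;
}

/* Follow the preferred CPU order ('A'/'B'); a waiting CPU yields to the other. */
static struct outcome replay(enum policy policy, const char *order)
{
    struct node victim = { false };
    struct sim s = { .policy = policy, .count = 1,
                     .cache = &victim, .victim = &victim };

    for (; *order; order++) {
        int cpu = *order - 'A';
        if (!step(&s, cpu))
            step(&s, !cpu);
    }
    while (step(&s, 0) || step(&s, 1))     /* drain remaining steps */
        ;
    s.out.final_count = s.count;
    return s.out;
}

#define DIAGRAM_ORDER "ABBAAB"  /* step order read off the diagram */

int main(void)
{
    for (int p = UNPATCHED; p <= SERIALISED_ACQUIRE; p++) {
        struct outcome o = replay((enum policy)p, DIAGRAM_ORDER);
        printf("policy %d: stale_use=%d acquire_raced=%d count=%d\n",
               p, o.stale_use, o.acquire_raced, o.final_count);
    }
    return 0;
}
```

In this model the locked cache read stops the stale use for the diagram's ordering but still reports acquire_raced, while the serialised acquire clears both flags.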
* Re: [Intel-gfx] [PATCH] drm/i915: Fix the use-after-free between i915_active_ref and __active_retire
2019-12-06 12:04 ` Chris Wilson
@ 2019-12-06 12:10 ` Liu, Chuansheng
2019-12-06 12:15 ` Chris Wilson
0 siblings, 1 reply; 7+ messages in thread
From: Liu, Chuansheng @ 2019-12-06 12:10 UTC (permalink / raw)
To: Chris Wilson, intel-gfx
Chris,
Thanks for reviewing, please see below comments.
> -----Original Message-----
> From: Chris Wilson <chris@chris-wilson.co.uk>
> Sent: Friday, December 6, 2019 8:04 PM
> To: Liu, Chuansheng <chuansheng.liu@intel.com>; intel-gfx@lists.freedesktop.org
> Subject: Re: [Intel-gfx] [PATCH] drm/i915: Fix the use-after-free between
> i915_active_ref and __active_retire
>
> Quoting Chuansheng Liu (2019-12-06 11:56:35)
> > We easily hit drm/i915 panic on TGL when running glmark2, and finally
> > caught the race condition of use-after-free with enabling KASAN.
> >
> > The call stack is below:
> > ===
> > [ 534.472675] BUG: KASAN: use-after-free in __i915_active_fence_set+0x26d/0x3d0 [i915]
> > [ 534.472679] Write of size 8 at addr ffff8883f0372388 by task glmark2/3199
> >
> > [ 534.472684] CPU: 3 PID: 3199 Comm: glmark2 Tainted: G U E 5.4.0-rc8 #8
> > [ 534.472687] Call Trace:
> > [ 534.472693] dump_stack+0x95/0xd5
> > [ 534.472722] ? __i915_active_fence_set+0x26d/0x3d0 [i915]
> > [ 534.472727] print_address_description.constprop.5+0x20/0x320
> > [ 534.472751] ? __i915_active_fence_set+0x26d/0x3d0 [i915]
> > [ 534.472792] ? __i915_active_fence_set+0x26d/0x3d0 [i915]
> > [ 534.472794] __kasan_report+0x149/0x18c
> > [ 534.472798] ? _raw_spin_lock+0x1/0xd0
> > [ 534.472820] ? __i915_active_fence_set+0x26d/0x3d0 [i915]
> > [ 534.472822] kasan_report+0x12/0x20
> > [ 534.472825] __asan_report_store8_noabort+0x17/0x20
> > [ 534.472847] __i915_active_fence_set+0x26d/0x3d0 [i915]
> > [ 534.472870] i915_active_ref+0x2c8/0x530 [i915]
> > [ 534.472874] ? dma_resv_add_shared_fence+0x291/0x460
> > [ 534.472902] __i915_vma_move_to_active+0x56/0x70 [i915]
> > [ 534.472927] i915_vma_move_to_active+0x54/0x420 [i915]
> > [ 534.472931] ? mutex_unlock+0x22/0x40
> > [ 534.472957] i915_gem_do_execbuffer+0x1d45/0x3e20 [i915]
> > [ 534.472959] ? __kmalloc_node+0x12c/0x350
> > [ 534.472983] ? eb_relocate_slow+0xb40/0xb40 [i915]
> > [ 534.472985] ? _raw_write_trylock+0x110/0x110
> > [ 534.472987] ? get_partial_node.isra.72+0x51/0x260
> > [ 534.472991] ? unix_stream_read_generic+0x583/0x1a80
> > [ 534.472994] ? ___slab_alloc+0x1d8/0x550
> > [ 534.472998] ? kvmalloc_node+0x31/0x80
> > [ 534.473000] ? kasan_unpoison_shadow+0x35/0x50
> > [ 534.473002] ? _raw_spin_lock+0x7b/0xd0
> > [ 534.473004] ? radix_tree_lookup+0xd/0x10
> > [ 534.473006] ? idr_find+0x3b/0x60
> > [ 534.473029] i915_gem_execbuffer2_ioctl+0x634/0x8a0 [i915]
> > [ 534.473052] ? i915_gem_execbuffer_ioctl+0xd50/0xd50 [i915]
> > [ 534.473054] ? unix_stream_recvmsg+0x97/0xd0
> > [ 534.473056] ? unix_stream_splice_read+0x1c0/0x1c0
> > [ 534.473058] ? __unix_insert_socket+0x180/0x180
> > [ 534.473081] ? i915_gem_execbuffer_ioctl+0xd50/0xd50 [i915]
> > [ 534.473094] drm_ioctl_kernel+0x1ed/0x2b0 [drm]
> > [ 534.473103] ? drm_setversion+0x8c0/0x8c0 [drm]
> > [ 534.473106] ? __kasan_check_write+0x14/0x20
> > [ 534.473115] drm_ioctl+0x68b/0xaa0 [drm]
> > ...
> >
> > [ 534.473239] Allocated by task 3199:
> > [ 534.473241] save_stack+0x21/0x90
> > [ 534.473243] __kasan_kmalloc.constprop.8+0xa7/0xd0
> > [ 534.473245] kasan_slab_alloc+0x11/0x20
> > [ 534.473246] kmem_cache_alloc+0xce/0x240
> > [ 534.473273] i915_active_ref+0xc2/0x530 [i915]
> > [ 534.473302] __i915_vma_move_to_active+0x56/0x70 [i915]
> > [ 534.473328] i915_vma_move_to_active+0x54/0x420 [i915]
> > [ 534.473355] i915_gem_do_execbuffer+0x1d45/0x3e20 [i915]
> > [ 534.473381] i915_gem_execbuffer2_ioctl+0x634/0x8a0 [i915]
> > [ 534.473392] drm_ioctl_kernel+0x1ed/0x2b0 [drm]
> > [ 534.473402] drm_ioctl+0x68b/0xaa0 [drm]
> > [ 534.473404] do_vfs_ioctl+0x19a/0xf10
> > [ 534.473405] ksys_ioctl+0x75/0x80
> > [ 534.473407] __x64_sys_ioctl+0x73/0xb0
> > [ 534.473408] do_syscall_64+0x9f/0x3a0
> > [ 534.473410] entry_SYSCALL_64_after_hwframe+0x44/0xa9
> >
> > [ 534.473412] Freed by task 0:
> > [ 534.473414] save_stack+0x21/0x90
> > [ 534.473415] __kasan_slab_free+0x137/0x190
> > [ 534.473417] kasan_slab_free+0xe/0x10
> > [ 534.473418] kmem_cache_free+0xeb/0x2c0
> > [ 534.473444] __active_retire+0x1f2/0x240 [i915]
> > [ 534.473471] active_retire+0x13b/0x1b0 [i915]
> > [ 534.473496] node_retire+0x54/0x80 [i915]
> > [ 534.473523] intel_engine_breadcrumbs_irq+0x5f0/0xd10 [i915]
> > [ 534.473549] cs_irq_handler+0x66/0xb0 [i915]
> > [ 534.473575] gen11_gt_irq_handler+0x26c/0x400 [i915]
> > [ 534.473600] gen11_irq_handler+0xc3/0x250 [i915]
> > [ 534.473603] __handle_irq_event_percpu+0xe0/0x4c0
> > [ 534.473605] handle_irq_event_percpu+0x71/0x140
> > [ 534.473606] handle_irq_event+0xad/0x140
> > [ 534.473608] handle_edge_irq+0x1f6/0x780
> > [ 534.473610] do_IRQ+0x9f/0x1f0
> >
> > [ 534.473612] The buggy address belongs to the object at ffff8883f0372380
> > which belongs to the cache active_node of size 72
> > [ 534.473615] The buggy address is located 8 bytes inside of
> >
> > ===
> >
> > The race scenario is like:
> > Initially ref->count is 1, interrupt handler is trying to free the
> > node.
> >
> > ===
> > CPUA in interrupt context          CPUB in i915_gem_execbuffer2_ioctl
> > __active_retire -->
> >    spin_lock(&ref->tree_lock)
> >    decrease ref->count to 0
> >                                    i915_active_ref -->
> >                                       increase ref->count to 1
> >                                       (i915_active_acquire)
> >
> >                                       get the dirty ref->cache
> >                                       (READ_ONCE(ref->cache))
> >
> >                                       return the dirty node
> >
> >    set ref->cache to NULL
> >    spin_unlock(&ref->tree_lock)
> >    free the node
> >
> >                                       hit use-after-free in
> >                                       __i915_active_fence_set()
> >
> > ===
> >
> > Here we need to use spinlock ref->tree_lock to protect the access
> > of READ_ONCE(ref->cache), then the race scenario can be resolved.
> >
> > With this patch, it passed our stress test for a very long time.
> >
> > Signed-off-by: Chuansheng Liu <chuansheng.liu@intel.com>
> > ---
> > drivers/gpu/drm/i915/i915_active.c | 3 +++
> > 1 file changed, 3 insertions(+)
> >
> > diff --git a/drivers/gpu/drm/i915/i915_active.c
> b/drivers/gpu/drm/i915/i915_active.c
> > index dca15ace88f6..3d68b910e949 100644
> > --- a/drivers/gpu/drm/i915/i915_active.c
> > +++ b/drivers/gpu/drm/i915/i915_active.c
> > @@ -214,7 +214,10 @@ active_instance(struct i915_active *ref, struct
> intel_timeline *tl)
> > * after the previous activity has been retired, or if it matches the
> > * current timeline.
> > */
> > + spin_lock_irq(&ref->tree_lock);
> > node = READ_ONCE(ref->cache);
> > + spin_unlock_irq(&ref->tree_lock);
>
> Incorrect. The serialisation with __active_retire is required at
> i915_active_acquire.
You suggest the change can be made in i915_active_acquire()?
So that we can play ref->count closely together with tree_lock
and ODEBUG stuff.
If so, I can make a new patch😊
> The problem is that serialisation was provided by
> ODEBUG for our CI so it went under the radar.
> -Chris
* Re: [Intel-gfx] [PATCH] drm/i915: Fix the use-after-free between i915_active_ref and __active_retire
2019-12-06 12:10 ` Liu, Chuansheng
@ 2019-12-06 12:15 ` Chris Wilson
2019-12-07 1:50 ` Liu, Chuansheng
0 siblings, 1 reply; 7+ messages in thread
From: Chris Wilson @ 2019-12-06 12:15 UTC (permalink / raw)
To: Liu, Chuansheng, intel-gfx
Quoting Liu, Chuansheng (2019-12-06 12:10:25)
> Chris,
>
> Thanks for reviewing, please see below comments.
>
> > -----Original Message-----
> > From: Chris Wilson <chris@chris-wilson.co.uk>
> > Sent: Friday, December 6, 2019 8:04 PM
> > To: Liu, Chuansheng <chuansheng.liu@intel.com>; intel-gfx@lists.freedesktop.org
> > Subject: Re: [Intel-gfx] [PATCH] drm/i915: Fix the use-after-free between
> > i915_active_ref and __active_retire
> >
> > Quoting Chuansheng Liu (2019-12-06 11:56:35)
> > > We easily hit drm/i915 panic on TGL when running glmark2, and finally
> > > caught the race condition of use-after-free with enabling KASAN.
> > >
> > > The call stack is below:
> > > ===
> > > [ 534.472675] BUG: KASAN: use-after-free in __i915_active_fence_set+0x26d/0x3d0 [i915]
> > > [ 534.472679] Write of size 8 at addr ffff8883f0372388 by task glmark2/3199
> > >
> > > [ 534.472684] CPU: 3 PID: 3199 Comm: glmark2 Tainted: G U E 5.4.0-rc8 #8
> > > [ 534.472687] Call Trace:
> > > [ 534.472693] dump_stack+0x95/0xd5
> > > [ 534.472722] ? __i915_active_fence_set+0x26d/0x3d0 [i915]
> > > [ 534.472727] print_address_description.constprop.5+0x20/0x320
> > > [ 534.472751] ? __i915_active_fence_set+0x26d/0x3d0 [i915]
> > > [ 534.472792] ? __i915_active_fence_set+0x26d/0x3d0 [i915]
> > > [ 534.472794] __kasan_report+0x149/0x18c
> > > [ 534.472798] ? _raw_spin_lock+0x1/0xd0
> > > [ 534.472820] ? __i915_active_fence_set+0x26d/0x3d0 [i915]
> > > [ 534.472822] kasan_report+0x12/0x20
> > > [ 534.472825] __asan_report_store8_noabort+0x17/0x20
> > > [ 534.472847] __i915_active_fence_set+0x26d/0x3d0 [i915]
> > > [ 534.472870] i915_active_ref+0x2c8/0x530 [i915]
> > > [ 534.472874] ? dma_resv_add_shared_fence+0x291/0x460
> > > [ 534.472902] __i915_vma_move_to_active+0x56/0x70 [i915]
> > > [ 534.472927] i915_vma_move_to_active+0x54/0x420 [i915]
> > > [ 534.472931] ? mutex_unlock+0x22/0x40
> > > [ 534.472957] i915_gem_do_execbuffer+0x1d45/0x3e20 [i915]
> > > [ 534.472959] ? __kmalloc_node+0x12c/0x350
> > > [ 534.472983] ? eb_relocate_slow+0xb40/0xb40 [i915]
> > > [ 534.472985] ? _raw_write_trylock+0x110/0x110
> > > [ 534.472987] ? get_partial_node.isra.72+0x51/0x260
> > > [ 534.472991] ? unix_stream_read_generic+0x583/0x1a80
> > > [ 534.472994] ? ___slab_alloc+0x1d8/0x550
> > > [ 534.472998] ? kvmalloc_node+0x31/0x80
> > > [ 534.473000] ? kasan_unpoison_shadow+0x35/0x50
> > > [ 534.473002] ? _raw_spin_lock+0x7b/0xd0
> > > [ 534.473004] ? radix_tree_lookup+0xd/0x10
> > > [ 534.473006] ? idr_find+0x3b/0x60
> > > [ 534.473029] i915_gem_execbuffer2_ioctl+0x634/0x8a0 [i915]
> > > [ 534.473052] ? i915_gem_execbuffer_ioctl+0xd50/0xd50 [i915]
> > > [ 534.473054] ? unix_stream_recvmsg+0x97/0xd0
> > > [ 534.473056] ? unix_stream_splice_read+0x1c0/0x1c0
> > > [ 534.473058] ? __unix_insert_socket+0x180/0x180
> > > [ 534.473081] ? i915_gem_execbuffer_ioctl+0xd50/0xd50 [i915]
> > > [ 534.473094] drm_ioctl_kernel+0x1ed/0x2b0 [drm]
> > > [ 534.473103] ? drm_setversion+0x8c0/0x8c0 [drm]
> > > [ 534.473106] ? __kasan_check_write+0x14/0x20
> > > [ 534.473115] drm_ioctl+0x68b/0xaa0 [drm]
> > > ...
> > >
> > > [ 534.473239] Allocated by task 3199:
> > > [ 534.473241] save_stack+0x21/0x90
> > > [ 534.473243] __kasan_kmalloc.constprop.8+0xa7/0xd0
> > > [ 534.473245] kasan_slab_alloc+0x11/0x20
> > > [ 534.473246] kmem_cache_alloc+0xce/0x240
> > > [ 534.473273] i915_active_ref+0xc2/0x530 [i915]
> > > [ 534.473302] __i915_vma_move_to_active+0x56/0x70 [i915]
> > > [ 534.473328] i915_vma_move_to_active+0x54/0x420 [i915]
> > > [ 534.473355] i915_gem_do_execbuffer+0x1d45/0x3e20 [i915]
> > > [ 534.473381] i915_gem_execbuffer2_ioctl+0x634/0x8a0 [i915]
> > > [ 534.473392] drm_ioctl_kernel+0x1ed/0x2b0 [drm]
> > > [ 534.473402] drm_ioctl+0x68b/0xaa0 [drm]
> > > [ 534.473404] do_vfs_ioctl+0x19a/0xf10
> > > [ 534.473405] ksys_ioctl+0x75/0x80
> > > [ 534.473407] __x64_sys_ioctl+0x73/0xb0
> > > [ 534.473408] do_syscall_64+0x9f/0x3a0
> > > [ 534.473410] entry_SYSCALL_64_after_hwframe+0x44/0xa9
> > >
> > > [ 534.473412] Freed by task 0:
> > > [ 534.473414] save_stack+0x21/0x90
> > > [ 534.473415] __kasan_slab_free+0x137/0x190
> > > [ 534.473417] kasan_slab_free+0xe/0x10
> > > [ 534.473418] kmem_cache_free+0xeb/0x2c0
> > > [ 534.473444] __active_retire+0x1f2/0x240 [i915]
> > > [ 534.473471] active_retire+0x13b/0x1b0 [i915]
> > > [ 534.473496] node_retire+0x54/0x80 [i915]
> > > [ 534.473523] intel_engine_breadcrumbs_irq+0x5f0/0xd10 [i915]
> > > [ 534.473549] cs_irq_handler+0x66/0xb0 [i915]
> > > [ 534.473575] gen11_gt_irq_handler+0x26c/0x400 [i915]
> > > [ 534.473600] gen11_irq_handler+0xc3/0x250 [i915]
> > > [ 534.473603] __handle_irq_event_percpu+0xe0/0x4c0
> > > [ 534.473605] handle_irq_event_percpu+0x71/0x140
> > > [ 534.473606] handle_irq_event+0xad/0x140
> > > [ 534.473608] handle_edge_irq+0x1f6/0x780
> > > [ 534.473610] do_IRQ+0x9f/0x1f0
> > >
> > > [ 534.473612] The buggy address belongs to the object at ffff8883f0372380
> > > which belongs to the cache active_node of size 72
> > > [ 534.473615] The buggy address is located 8 bytes inside of
> > >
> > > ===
> > >
> > > The race scenario is like:
> > > Initially ref->count is 1, interrupt handler is trying to free the
> > > node.
> > >
> > > ===
> > > CPUA in interrupt context          CPUB in i915_gem_execbuffer2_ioctl
> > > __active_retire -->
> > >    spin_lock(&ref->tree_lock)
> > >    decrease ref->count to 0
> > >                                    i915_active_ref -->
> > >                                       increase ref->count to 1
> > >                                       (i915_active_acquire)
> > >
> > >                                       get the dirty ref->cache
> > >                                       (READ_ONCE(ref->cache))
> > >
> > >                                       return the dirty node
> > >
> > >    set ref->cache to NULL
> > >    spin_unlock(&ref->tree_lock)
> > >    free the node
> > >
> > >                                       hit use-after-free in
> > >                                       __i915_active_fence_set()
> > >
> > > ===
> > >
> > > Here we need to use spinlock ref->tree_lock to protect the access
> > > of READ_ONCE(ref->cache), then the race scenario can be resolved.
> > >
> > > With this patch, it passed our stress test for a very long time.
> > >
> > > Signed-off-by: Chuansheng Liu <chuansheng.liu@intel.com>
> > > ---
> > > drivers/gpu/drm/i915/i915_active.c | 3 +++
> > > 1 file changed, 3 insertions(+)
> > >
> > > diff --git a/drivers/gpu/drm/i915/i915_active.c
> > b/drivers/gpu/drm/i915/i915_active.c
> > > index dca15ace88f6..3d68b910e949 100644
> > > --- a/drivers/gpu/drm/i915/i915_active.c
> > > +++ b/drivers/gpu/drm/i915/i915_active.c
> > > @@ -214,7 +214,10 @@ active_instance(struct i915_active *ref, struct
> > intel_timeline *tl)
> > > * after the previous activity has been retired, or if it matches the
> > > * current timeline.
> > > */
> > > + spin_lock_irq(&ref->tree_lock);
> > > node = READ_ONCE(ref->cache);
> > > + spin_unlock_irq(&ref->tree_lock);
> >
> > Incorrect. The serialisation with __active_retire is required at
> > i915_active_acquire.
> You suggest the change can be made in i915_active_acquire()?
> So that we can play ref->count closely together with tree_lock
> and ODEBUG stuff.
>
> If so, I can make a new patch😊
See bbca083de291, the same race was reported last night.
-Chris
* [Intel-gfx] ✓ Fi.CI.BAT: success for drm/i915: Fix the use-after-free between i915_active_ref and __active_retire
2019-12-06 11:56 [Intel-gfx] [PATCH] drm/i915: Fix the use-after-free between i915_active_ref and __active_retire Chuansheng Liu
2019-12-06 12:04 ` Chris Wilson
@ 2019-12-06 14:17 ` Patchwork
2019-12-07 4:02 ` [Intel-gfx] ✗ Fi.CI.IGT: failure " Patchwork
2 siblings, 0 replies; 7+ messages in thread
From: Patchwork @ 2019-12-06 14:17 UTC (permalink / raw)
To: Liu, Chuansheng; +Cc: intel-gfx
== Series Details ==
Series: drm/i915: Fix the use-after-free between i915_active_ref and __active_retire
URL : https://patchwork.freedesktop.org/series/70563/
State : success
== Summary ==
CI Bug Log - changes from CI_DRM_7499 -> Patchwork_15629
====================================================
Summary
-------
**SUCCESS**
No regressions found.
External URL: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_15629/index.html
Known issues
------------
Here are the changes found in Patchwork_15629 that come from known issues:
### IGT changes ###
#### Issues hit ####
* igt@gem_wait@basic-wait-all:
- fi-icl-dsi: [PASS][1] -> [DMESG-WARN][2] ([i915#109])
[1]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_7499/fi-icl-dsi/igt@gem_wait@basic-wait-all.html
[2]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_15629/fi-icl-dsi/igt@gem_wait@basic-wait-all.html
#### Possible fixes ####
* igt@gem_exec_suspend@basic-s3:
- fi-skl-6700k2: [INCOMPLETE][3] ([i915#146] / [i915#69]) -> [PASS][4]
[3]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_7499/fi-skl-6700k2/igt@gem_exec_suspend@basic-s3.html
[4]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_15629/fi-skl-6700k2/igt@gem_exec_suspend@basic-s3.html
* igt@i915_selftest@live_blt:
- fi-byt-j1900: [DMESG-FAIL][5] ([i915#725]) -> [PASS][6]
[5]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_7499/fi-byt-j1900/igt@i915_selftest@live_blt.html
[6]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_15629/fi-byt-j1900/igt@i915_selftest@live_blt.html
* igt@i915_selftest@live_gem_contexts:
- fi-ivb-3770: [DMESG-FAIL][7] -> [PASS][8]
[7]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_7499/fi-ivb-3770/igt@i915_selftest@live_gem_contexts.html
[8]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_15629/fi-ivb-3770/igt@i915_selftest@live_gem_contexts.html
* igt@kms_chamelium@hdmi-hpd-fast:
- fi-icl-u2: [FAIL][9] ([i915#217]) -> [PASS][10] +1 similar issue
[9]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_7499/fi-icl-u2/igt@kms_chamelium@hdmi-hpd-fast.html
[10]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_15629/fi-icl-u2/igt@kms_chamelium@hdmi-hpd-fast.html
* igt@kms_flip@basic-flip-vs-modeset:
- fi-icl-dsi: [DMESG-WARN][11] ([i915#109]) -> [PASS][12]
[11]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_7499/fi-icl-dsi/igt@kms_flip@basic-flip-vs-modeset.html
[12]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_15629/fi-icl-dsi/igt@kms_flip@basic-flip-vs-modeset.html
#### Warnings ####
* igt@i915_selftest@live_blt:
- fi-hsw-4770r: [DMESG-FAIL][13] ([i915#553] / [i915#725]) -> [DMESG-FAIL][14] ([i915#725])
[13]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_7499/fi-hsw-4770r/igt@i915_selftest@live_blt.html
[14]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_15629/fi-hsw-4770r/igt@i915_selftest@live_blt.html
- fi-ivb-3770: [DMESG-FAIL][15] ([i915#683]) -> [DMESG-FAIL][16] ([i915#725])
[15]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_7499/fi-ivb-3770/igt@i915_selftest@live_blt.html
[16]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_15629/fi-ivb-3770/igt@i915_selftest@live_blt.html
{name}: This element is suppressed. This means it is ignored when computing
the status of the difference (SUCCESS, WARNING, or FAILURE).
[fdo#111735]: https://bugs.freedesktop.org/show_bug.cgi?id=111735
[i915#109]: https://gitlab.freedesktop.org/drm/intel/issues/109
[i915#146]: https://gitlab.freedesktop.org/drm/intel/issues/146
[i915#217]: https://gitlab.freedesktop.org/drm/intel/issues/217
[i915#553]: https://gitlab.freedesktop.org/drm/intel/issues/553
[i915#683]: https://gitlab.freedesktop.org/drm/intel/issues/683
[i915#69]: https://gitlab.freedesktop.org/drm/intel/issues/69
[i915#710]: https://gitlab.freedesktop.org/drm/intel/issues/710
[i915#725]: https://gitlab.freedesktop.org/drm/intel/issues/725
[i915#726]: https://gitlab.freedesktop.org/drm/intel/issues/726
[i915#92]: https://gitlab.freedesktop.org/drm/intel/issues/92
Participating hosts (41 -> 35)
------------------------------
Missing (6): fi-ilk-m540 fi-hsw-4200u fi-byt-squawks fi-bsw-cyan fi-ctg-p8600 fi-byt-clapper
Build changes
-------------
* CI: CI-20190529 -> None
* Linux: CI_DRM_7499 -> Patchwork_15629
CI-20190529: 20190529
CI_DRM_7499: c109ee04ba214d1af4bab093a2964c2b60b26b99 @ git://anongit.freedesktop.org/gfx-ci/linux
IGT_5334: 343aae776a58a67fa153825385e6fe90e3185c5b @ git://anongit.freedesktop.org/xorg/app/intel-gpu-tools
Patchwork_15629: b49cb2953c8374ba21a70ea9815c88b512b1a642 @ git://anongit.freedesktop.org/gfx-ci/linux
== Linux commits ==
b49cb2953c83 drm/i915: Fix the use-after-free between i915_active_ref and __active_retire
== Logs ==
For more details see: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_15629/index.html
* Re: [Intel-gfx] [PATCH] drm/i915: Fix the use-after-free between i915_active_ref and __active_retire
2019-12-06 12:15 ` Chris Wilson
@ 2019-12-07 1:50 ` Liu, Chuansheng
0 siblings, 0 replies; 7+ messages in thread
From: Liu, Chuansheng @ 2019-12-07 1:50 UTC (permalink / raw)
To: Chris Wilson, intel-gfx
> -----Original Message-----
> From: Chris Wilson <chris@chris-wilson.co.uk>
> Sent: Friday, December 6, 2019 8:15 PM
> To: Liu, Chuansheng <chuansheng.liu@intel.com>; intel-gfx@lists.freedesktop.org
> Subject: RE: [Intel-gfx] [PATCH] drm/i915: Fix the use-after-free between i915_active_ref and __active_retire
>
> Quoting Liu, Chuansheng (2019-12-06 12:10:25)
> > Chris,
> >
> > Thanks for reviewing, please see below comments.
> >
> > > -----Original Message-----
> > > From: Chris Wilson <chris@chris-wilson.co.uk>
> > > Sent: Friday, December 6, 2019 8:04 PM
> > > > To: Liu, Chuansheng <chuansheng.liu@intel.com>; intel-gfx@lists.freedesktop.org
> > > > Subject: Re: [Intel-gfx] [PATCH] drm/i915: Fix the use-after-free between i915_active_ref and __active_retire
> > >
> > > Quoting Chuansheng Liu (2019-12-06 11:56:35)
> > > > We easily hit drm/i915 panic on TGL when running glmark2, and finally
> > > > caught the race condition of use-after-free with enabling KASAN.
> > > >
> > > > The call stack is below:
> > > > ===
> > > > > [ 534.472675] BUG: KASAN: use-after-free in __i915_active_fence_set+0x26d/0x3d0 [i915]
> > > > > [ 534.472679] Write of size 8 at addr ffff8883f0372388 by task glmark2/3199
> > > > >
> > > > > [ 534.472684] CPU: 3 PID: 3199 Comm: glmark2 Tainted: G U E 5.4.0-rc8 #8
> > > > [ 534.472687] Call Trace:
> > > > [ 534.472693] dump_stack+0x95/0xd5
> > > > [ 534.472722] ? __i915_active_fence_set+0x26d/0x3d0 [i915]
> > > > [ 534.472727] print_address_description.constprop.5+0x20/0x320
> > > > [ 534.472751] ? __i915_active_fence_set+0x26d/0x3d0 [i915]
> > > > [ 534.472792] ? __i915_active_fence_set+0x26d/0x3d0 [i915]
> > > > [ 534.472794] __kasan_report+0x149/0x18c
> > > > [ 534.472798] ? _raw_spin_lock+0x1/0xd0
> > > > [ 534.472820] ? __i915_active_fence_set+0x26d/0x3d0 [i915]
> > > > [ 534.472822] kasan_report+0x12/0x20
> > > > [ 534.472825] __asan_report_store8_noabort+0x17/0x20
> > > > [ 534.472847] __i915_active_fence_set+0x26d/0x3d0 [i915]
> > > > [ 534.472870] i915_active_ref+0x2c8/0x530 [i915]
> > > > [ 534.472874] ? dma_resv_add_shared_fence+0x291/0x460
> > > > [ 534.472902] __i915_vma_move_to_active+0x56/0x70 [i915]
> > > > [ 534.472927] i915_vma_move_to_active+0x54/0x420 [i915]
> > > > [ 534.472931] ? mutex_unlock+0x22/0x40
> > > > [ 534.472957] i915_gem_do_execbuffer+0x1d45/0x3e20 [i915]
> > > > [ 534.472959] ? __kmalloc_node+0x12c/0x350
> > > > [ 534.472983] ? eb_relocate_slow+0xb40/0xb40 [i915]
> > > > [ 534.472985] ? _raw_write_trylock+0x110/0x110
> > > > [ 534.472987] ? get_partial_node.isra.72+0x51/0x260
> > > > [ 534.472991] ? unix_stream_read_generic+0x583/0x1a80
> > > > [ 534.472994] ? ___slab_alloc+0x1d8/0x550
> > > > [ 534.472998] ? kvmalloc_node+0x31/0x80
> > > > [ 534.473000] ? kasan_unpoison_shadow+0x35/0x50
> > > > [ 534.473002] ? _raw_spin_lock+0x7b/0xd0
> > > > [ 534.473004] ? radix_tree_lookup+0xd/0x10
> > > > [ 534.473006] ? idr_find+0x3b/0x60
> > > > [ 534.473029] i915_gem_execbuffer2_ioctl+0x634/0x8a0 [i915]
> > > > [ 534.473052] ? i915_gem_execbuffer_ioctl+0xd50/0xd50 [i915]
> > > > [ 534.473054] ? unix_stream_recvmsg+0x97/0xd0
> > > > [ 534.473056] ? unix_stream_splice_read+0x1c0/0x1c0
> > > > [ 534.473058] ? __unix_insert_socket+0x180/0x180
> > > > [ 534.473081] ? i915_gem_execbuffer_ioctl+0xd50/0xd50 [i915]
> > > > [ 534.473094] drm_ioctl_kernel+0x1ed/0x2b0 [drm]
> > > > [ 534.473103] ? drm_setversion+0x8c0/0x8c0 [drm]
> > > > [ 534.473106] ? __kasan_check_write+0x14/0x20
> > > > [ 534.473115] drm_ioctl+0x68b/0xaa0 [drm]
> > > > ...
> > > >
> > > > [ 534.473239] Allocated by task 3199:
> > > > [ 534.473241] save_stack+0x21/0x90
> > > > [ 534.473243] __kasan_kmalloc.constprop.8+0xa7/0xd0
> > > > [ 534.473245] kasan_slab_alloc+0x11/0x20
> > > > [ 534.473246] kmem_cache_alloc+0xce/0x240
> > > > [ 534.473273] i915_active_ref+0xc2/0x530 [i915]
> > > > [ 534.473302] __i915_vma_move_to_active+0x56/0x70 [i915]
> > > > [ 534.473328] i915_vma_move_to_active+0x54/0x420 [i915]
> > > > [ 534.473355] i915_gem_do_execbuffer+0x1d45/0x3e20 [i915]
> > > > [ 534.473381] i915_gem_execbuffer2_ioctl+0x634/0x8a0 [i915]
> > > > [ 534.473392] drm_ioctl_kernel+0x1ed/0x2b0 [drm]
> > > > [ 534.473402] drm_ioctl+0x68b/0xaa0 [drm]
> > > > [ 534.473404] do_vfs_ioctl+0x19a/0xf10
> > > > [ 534.473405] ksys_ioctl+0x75/0x80
> > > > [ 534.473407] __x64_sys_ioctl+0x73/0xb0
> > > > [ 534.473408] do_syscall_64+0x9f/0x3a0
> > > > [ 534.473410] entry_SYSCALL_64_after_hwframe+0x44/0xa9
> > > >
> > > > [ 534.473412] Freed by task 0:
> > > > [ 534.473414] save_stack+0x21/0x90
> > > > [ 534.473415] __kasan_slab_free+0x137/0x190
> > > > [ 534.473417] kasan_slab_free+0xe/0x10
> > > > [ 534.473418] kmem_cache_free+0xeb/0x2c0
> > > > [ 534.473444] __active_retire+0x1f2/0x240 [i915]
> > > > [ 534.473471] active_retire+0x13b/0x1b0 [i915]
> > > > [ 534.473496] node_retire+0x54/0x80 [i915]
> > > > [ 534.473523] intel_engine_breadcrumbs_irq+0x5f0/0xd10 [i915]
> > > > [ 534.473549] cs_irq_handler+0x66/0xb0 [i915]
> > > > [ 534.473575] gen11_gt_irq_handler+0x26c/0x400 [i915]
> > > > [ 534.473600] gen11_irq_handler+0xc3/0x250 [i915]
> > > > [ 534.473603] __handle_irq_event_percpu+0xe0/0x4c0
> > > > [ 534.473605] handle_irq_event_percpu+0x71/0x140
> > > > [ 534.473606] handle_irq_event+0xad/0x140
> > > > [ 534.473608] handle_edge_irq+0x1f6/0x780
> > > > [ 534.473610] do_IRQ+0x9f/0x1f0
> > > >
> > > > > [ 534.473612] The buggy address belongs to the object at ffff8883f0372380
> > > > which belongs to the cache active_node of size 72
> > > > [ 534.473615] The buggy address is located 8 bytes inside of
> > > >
> > > > ===
> > > >
> > > > > The race scenario is like:
> > > > Initially ref->count is 1, interrupt handler is trying to free the
> > > > node.
> > > >
> > > > ===
> > > > > CPUA in interrupt context          CPUB in i915_gem_execbuffer2_ioctl
> > > > > __active_retire -->
> > > > > spin_lock(&ref->tree_lock)
> > > > > decrease ref->count to 0
> > > > >                                    i915_active_ref -->
> > > > >                                    increase ref->count to 1
> > > > >                                    (i915_active_acquire)
> > > > >
> > > > >                                    get the dirty ref->cache
> > > > >                                    (READ_ONCE(ref->cache))
> > > > >
> > > > >                                    return the dirty node
> > > > >
> > > > > set ref->cache to NULL
> > > > > spin_unlock(&ref->tree_lock)
> > > > > free the node
> > > > >
> > > > >                                    hit use-after-free in
> > > > >                                    __i915_active_fence_set()
> > > >
> > > > ===
> > > >
> > > > Here we need to use spinlock ref->tree_lock to protect the access
> > > > > of READ_ONCE(ref->cache), then the race scenario can be resolved.
> > > >
> > > > with this patch, it passed our stress test for a very long time.
> > > >
> > > > Signed-off-by: Chuansheng Liu <chuansheng.liu@intel.com>
> > > > ---
> > > > drivers/gpu/drm/i915/i915_active.c | 3 +++
> > > > 1 file changed, 3 insertions(+)
> > > >
> > > > diff --git a/drivers/gpu/drm/i915/i915_active.c
> > > b/drivers/gpu/drm/i915/i915_active.c
> > > > index dca15ace88f6..3d68b910e949 100644
> > > > --- a/drivers/gpu/drm/i915/i915_active.c
> > > > +++ b/drivers/gpu/drm/i915/i915_active.c
> > > > @@ -214,7 +214,10 @@ active_instance(struct i915_active *ref, struct
> > > intel_timeline *tl)
> > > > * after the previous activity has been retired, or if it matches the
> > > > * current timeline.
> > > > */
> > > > + spin_lock_irq(&ref->tree_lock);
> > > > node = READ_ONCE(ref->cache);
> > > > + spin_unlock_irq(&ref->tree_lock);
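Review bot: the two added lines take ref->tree_lock only around the single load `node = READ_ONCE(ref->cache)`, which does not serialise the step where the race in the commit message begins: i915_active_acquire raising ref->count from 0 to 1 while __active_retire already holds tree_lock and has decided to tear the ref down. With this hunk the reader only waits until ref->cache has been cleared; the retire still completes against a ref the caller now treats as active, and nothing in the hunk documents what keeps `node` valid once spin_unlock_irq() returns. Suggest moving the lock to the count increment in i915_active_acquire so that acquire and retire agree on the 0/1 transition, with a comment there naming __active_retire as the other side.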
> > >
> > > Incorrect. The serialisation with __active_retire is required at
> > > i915_active_acquire.
> > You suggest the change can be made in i915_active_acquire()?
> > So that we can play ref->count closely together with tree_lock
> > and ODEBUG stuff.
> >
> > If so, I can make a new patch😊
>
> See bbca083de291, the same race was reported last night.
Thanks for your patch bbca083de291, we will try it on our platforms.
Looking into the code in i915_active_acquire(), I think spinlock overhead
may be introduced when there are multiple callers of i915_active_acquire()
at the same time. To avoid such overhead, I suggest the change below. Does
it make sense? Thanks.
- if (!atomic_read(&ref->count) && ref->active)
- err = ref->active(ref);
- if (!err) {
- spin_lock_irq(&ref->tree_lock); /* vs __active_retire() */
- debug_active_activate(ref);
- atomic_inc(&ref->count);
- spin_unlock_irq(&ref->tree_lock);
+ if (!atomic_add_unless(&ref->count, 1, 0)) {
+ if (ref->active)
+ err = ref->active(ref);
+ if (!err) {
+ /* vs __active_retire() */
+ spin_lock_irq(&ref->tree_lock);
+ debug_active_activate(ref);
+ atomic_inc(&ref->count);
+ spin_unlock_irq(&ref->tree_lock);
+ }
}
mutex_unlock(&ref->mutex);
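Review bot: the new fast path at `if (!atomic_add_unless(&ref->count, 1, 0))` increments a non-zero count without calling debug_active_activate(ref), whereas the removed lines ran it on every successful acquire; please confirm that skipping it is intended. The fast path also needs a comment explaining why an increment from non-zero taken outside tree_lock cannot race with the final decrement in __active_retire, since the `/* vs __active_retire() */` remark now covers only the 0 to 1 branch. Note too that the trailing `mutex_unlock(&ref->mutex);` shows callers are already serialised on ref->mutex at this point, so concurrent callers still queue on the mutex and the saving is limited to one uncontended spin_lock_irq per acquire; if the goal is to avoid contention, the lockless attempt would have to happen before the mutex is taken.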
* [Intel-gfx] ✗ Fi.CI.IGT: failure for drm/i915: Fix the use-after-free between i915_active_ref and __active_retire
2019-12-06 11:56 [Intel-gfx] [PATCH] drm/i915: Fix the use-after-free between i915_active_ref and __active_retire Chuansheng Liu
2019-12-06 12:04 ` Chris Wilson
2019-12-06 14:17 ` [Intel-gfx] ✓ Fi.CI.BAT: success for " Patchwork
@ 2019-12-07 4:02 ` Patchwork
2 siblings, 0 replies; 7+ messages in thread
From: Patchwork @ 2019-12-07 4:02 UTC (permalink / raw)
To: Liu, Chuansheng; +Cc: intel-gfx
== Series Details ==
Series: drm/i915: Fix the use-after-free between i915_active_ref and __active_retire
URL : https://patchwork.freedesktop.org/series/70563/
State : failure
== Summary ==
CI Bug Log - changes from CI_DRM_7499_full -> Patchwork_15629_full
====================================================
Summary
-------
**FAILURE**
Serious unknown changes coming with Patchwork_15629_full absolutely need to be
verified manually.
If you think the reported changes have nothing to do with the changes
introduced in Patchwork_15629_full, please notify your bug team to allow them
to document this new failure mode, which will reduce false positives in CI.
Possible new issues
-------------------
Here are the unknown changes that may have been introduced in Patchwork_15629_full:
### IGT changes ###
#### Possible regressions ####
* igt@gem_ctx_isolation@vcs0-nonpriv:
- shard-kbl: [PASS][1] -> [FAIL][2] +1 similar issue
[1]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_7499/shard-kbl3/igt@gem_ctx_isolation@vcs0-nonpriv.html
[2]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_15629/shard-kbl4/igt@gem_ctx_isolation@vcs0-nonpriv.html
* igt@gem_ctx_isolation@vcs1-s3:
- shard-kbl: NOTRUN -> [FAIL][3]
[3]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_15629/shard-kbl4/igt@gem_ctx_isolation@vcs1-s3.html
* igt@gem_exec_parallel@vecs0-fds:
- shard-hsw: [PASS][4] -> [DMESG-WARN][5]
[4]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_7499/shard-hsw2/igt@gem_exec_parallel@vecs0-fds.html
[5]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_15629/shard-hsw7/igt@gem_exec_parallel@vecs0-fds.html
Known issues
------------
Here are the changes found in Patchwork_15629_full that come from known issues:
### IGT changes ###
#### Issues hit ####
* igt@gem_eio@suspend:
- shard-tglb: [PASS][6] -> [INCOMPLETE][7] ([i915#460]) +1 similar issue
[6]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_7499/shard-tglb5/igt@gem_eio@suspend.html
[7]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_15629/shard-tglb8/igt@gem_eio@suspend.html
* igt@gem_exec_async@concurrent-writes-bsd:
- shard-iclb: [PASS][8] -> [SKIP][9] ([fdo#112146]) +4 similar issues
[8]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_7499/shard-iclb6/igt@gem_exec_async@concurrent-writes-bsd.html
[9]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_15629/shard-iclb1/igt@gem_exec_async@concurrent-writes-bsd.html
* igt@gem_exec_parallel@vcs1-fds:
- shard-iclb: [PASS][10] -> [SKIP][11] ([fdo#112080]) +4 similar issues
[10]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_7499/shard-iclb1/igt@gem_exec_parallel@vcs1-fds.html
[11]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_15629/shard-iclb5/igt@gem_exec_parallel@vcs1-fds.html
* igt@gem_exec_schedule@independent-bsd2:
- shard-iclb: [PASS][12] -> [SKIP][13] ([fdo#109276]) +5 similar issues
[12]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_7499/shard-iclb1/igt@gem_exec_schedule@independent-bsd2.html
[13]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_15629/shard-iclb5/igt@gem_exec_schedule@independent-bsd2.html
* igt@gem_exec_schedule@preempt-queue-contexts-vebox:
- shard-tglb: [PASS][14] -> [INCOMPLETE][15] ([fdo#111677])
[14]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_7499/shard-tglb8/igt@gem_exec_schedule@preempt-queue-contexts-vebox.html
[15]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_15629/shard-tglb6/igt@gem_exec_schedule@preempt-queue-contexts-vebox.html
* igt@gem_exec_suspend@basic-s3:
- shard-kbl: [PASS][16] -> [DMESG-WARN][17] ([i915#180]) +3 similar issues
[16]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_7499/shard-kbl7/igt@gem_exec_suspend@basic-s3.html
[17]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_15629/shard-kbl2/igt@gem_exec_suspend@basic-s3.html
* igt@gem_persistent_relocs@forked-interruptible-thrashing:
- shard-tglb: [PASS][18] -> [TIMEOUT][19] ([fdo#112126] / [i915#530])
[18]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_7499/shard-tglb7/igt@gem_persistent_relocs@forked-interruptible-thrashing.html
[19]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_15629/shard-tglb3/igt@gem_persistent_relocs@forked-interruptible-thrashing.html
- shard-hsw: [PASS][20] -> [FAIL][21] ([i915#520])
[20]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_7499/shard-hsw5/igt@gem_persistent_relocs@forked-interruptible-thrashing.html
[21]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_15629/shard-hsw1/igt@gem_persistent_relocs@forked-interruptible-thrashing.html
* igt@gem_pipe_control_store_loop@reused-buffer:
- shard-skl: [PASS][22] -> [INCOMPLETE][23] ([i915#198])
[22]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_7499/shard-skl1/igt@gem_pipe_control_store_loop@reused-buffer.html
[23]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_15629/shard-skl6/igt@gem_pipe_control_store_loop@reused-buffer.html
* igt@gem_userptr_blits@map-fixed-invalidate-busy:
- shard-snb: [PASS][24] -> [DMESG-WARN][25] ([fdo#111870])
[24]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_7499/shard-snb1/igt@gem_userptr_blits@map-fixed-invalidate-busy.html
[25]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_15629/shard-snb1/igt@gem_userptr_blits@map-fixed-invalidate-busy.html
* igt@gem_userptr_blits@sync-unmap-cycles:
- shard-snb: [PASS][26] -> [DMESG-WARN][27] ([fdo#110789] / [fdo#111870])
[26]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_7499/shard-snb6/igt@gem_userptr_blits@sync-unmap-cycles.html
[27]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_15629/shard-snb7/igt@gem_userptr_blits@sync-unmap-cycles.html
* igt@kms_ccs@pipe-a-crc-primary-basic:
- shard-kbl: [PASS][28] -> [INCOMPLETE][29] ([fdo#103665]) +1 similar issue
[28]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_7499/shard-kbl7/igt@kms_ccs@pipe-a-crc-primary-basic.html
[29]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_15629/shard-kbl4/igt@kms_ccs@pipe-a-crc-primary-basic.html
* igt@kms_cursor_crc@pipe-a-cursor-64x64-onscreen:
- shard-hsw: [PASS][30] -> [DMESG-WARN][31] ([IGT#6])
[30]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_7499/shard-hsw1/igt@kms_cursor_crc@pipe-a-cursor-64x64-onscreen.html
[31]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_15629/shard-hsw6/igt@kms_cursor_crc@pipe-a-cursor-64x64-onscreen.html
* igt@kms_cursor_crc@pipe-c-cursor-256x256-sliding:
- shard-skl: [PASS][32] -> [FAIL][33] ([i915#54]) +1 similar issue
[32]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_7499/shard-skl2/igt@kms_cursor_crc@pipe-c-cursor-256x256-sliding.html
[33]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_15629/shard-skl10/igt@kms_cursor_crc@pipe-c-cursor-256x256-sliding.html
* igt@kms_draw_crc@draw-method-xrgb2101010-render-xtiled:
- shard-kbl: [PASS][34] -> [DMESG-WARN][35] ([i915#728]) +1 similar issue
[34]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_7499/shard-kbl6/igt@kms_draw_crc@draw-method-xrgb2101010-render-xtiled.html
[35]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_15629/shard-kbl2/igt@kms_draw_crc@draw-method-xrgb2101010-render-xtiled.html
* igt@kms_flip@2x-flip-vs-expired-vblank:
- shard-glk: [PASS][36] -> [FAIL][37] ([i915#79])
[36]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_7499/shard-glk5/igt@kms_flip@2x-flip-vs-expired-vblank.html
[37]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_15629/shard-glk9/igt@kms_flip@2x-flip-vs-expired-vblank.html
* igt@kms_flip@flip-vs-expired-vblank-interruptible:
- shard-skl: [PASS][38] -> [FAIL][39] ([i915#79])
[38]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_7499/shard-skl5/igt@kms_flip@flip-vs-expired-vblank-interruptible.html
[39]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_15629/shard-skl6/igt@kms_flip@flip-vs-expired-vblank-interruptible.html
* igt@kms_flip@flip-vs-suspend:
- shard-apl: [PASS][40] -> [DMESG-WARN][41] ([i915#180])
[40]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_7499/shard-apl7/igt@kms_flip@flip-vs-suspend.html
[41]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_15629/shard-apl2/igt@kms_flip@flip-vs-suspend.html
* igt@kms_frontbuffer_tracking@fbc-1p-primscrn-cur-indfb-onoff:
- shard-tglb: [PASS][42] -> [INCOMPLETE][43] ([i915#435] / [i915#474])
[42]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_7499/shard-tglb3/igt@kms_frontbuffer_tracking@fbc-1p-primscrn-cur-indfb-onoff.html
[43]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_15629/shard-tglb3/igt@kms_frontbuffer_tracking@fbc-1p-primscrn-cur-indfb-onoff.html
* igt@kms_frontbuffer_tracking@fbc-1p-primscrn-spr-indfb-draw-render:
- shard-iclb: [PASS][44] -> [FAIL][45] ([i915#49]) +3 similar issues
[44]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_7499/shard-iclb6/igt@kms_frontbuffer_tracking@fbc-1p-primscrn-spr-indfb-draw-render.html
[45]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_15629/shard-iclb4/igt@kms_frontbuffer_tracking@fbc-1p-primscrn-spr-indfb-draw-render.html
* igt@kms_frontbuffer_tracking@fbcpsr-1p-primscrn-cur-indfb-draw-mmap-gtt:
- shard-tglb: [PASS][46] -> [DMESG-WARN][47] ([i915#728]) +2 similar issues
[46]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_7499/shard-tglb6/igt@kms_frontbuffer_tracking@fbcpsr-1p-primscrn-cur-indfb-draw-mmap-gtt.html
[47]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_15629/shard-tglb4/igt@kms_frontbuffer_tracking@fbcpsr-1p-primscrn-cur-indfb-draw-mmap-gtt.html
* igt@kms_frontbuffer_tracking@psr-1p-primscrn-indfb-plflip-blt:
- shard-skl: [PASS][48] -> [DMESG-WARN][49] ([i915#728]) +2 similar issues
[48]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_7499/shard-skl10/igt@kms_frontbuffer_tracking@psr-1p-primscrn-indfb-plflip-blt.html
[49]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_15629/shard-skl3/igt@kms_frontbuffer_tracking@psr-1p-primscrn-indfb-plflip-blt.html
* igt@kms_frontbuffer_tracking@psr-1p-primscrn-shrfb-pgflip-blt:
- shard-skl: [PASS][50] -> [INCOMPLETE][51] ([i915#123])
[50]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_7499/shard-skl6/igt@kms_frontbuffer_tracking@psr-1p-primscrn-shrfb-pgflip-blt.html
[51]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_15629/shard-skl7/igt@kms_frontbuffer_tracking@psr-1p-primscrn-shrfb-pgflip-blt.html
* igt@kms_psr@suspend:
- shard-tglb: [PASS][52] -> [INCOMPLETE][53] ([i915#456] / [i915#460]) +1 similar issue
[52]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_7499/shard-tglb3/igt@kms_psr@suspend.html
[53]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_15629/shard-tglb3/igt@kms_psr@suspend.html
* igt@kms_vblank@pipe-b-ts-continuation-suspend:
- shard-skl: [PASS][54] -> [INCOMPLETE][55] ([i915#146] / [i915#69])
[54]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_7499/shard-skl8/igt@kms_vblank@pipe-b-ts-continuation-suspend.html
[55]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_15629/shard-skl8/igt@kms_vblank@pipe-b-ts-continuation-suspend.html
* igt@kms_vblank@pipe-c-ts-continuation-suspend:
- shard-skl: [PASS][56] -> [INCOMPLETE][57] ([i915#69]) +1 similar issue
[56]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_7499/shard-skl8/igt@kms_vblank@pipe-c-ts-continuation-suspend.html
[57]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_15629/shard-skl6/igt@kms_vblank@pipe-c-ts-continuation-suspend.html
* igt@perf_pmu@idle-no-semaphores-vcs0:
- shard-iclb: [PASS][58] -> [DMESG-WARN][59] ([i915#728]) +2 similar issues
[58]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_7499/shard-iclb6/igt@perf_pmu@idle-no-semaphores-vcs0.html
[59]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_15629/shard-iclb5/igt@perf_pmu@idle-no-semaphores-vcs0.html
#### Possible fixes ####
* igt@gem_ctx_isolation@vcs0-nonpriv:
- shard-tglb: [FAIL][60] -> [PASS][61]
[60]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_7499/shard-tglb2/igt@gem_ctx_isolation@vcs0-nonpriv.html
[61]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_15629/shard-tglb7/igt@gem_ctx_isolation@vcs0-nonpriv.html
* igt@gem_ctx_shared@exec-single-timeline-bsd:
- shard-iclb: [SKIP][62] ([fdo#110841]) -> [PASS][63]
[62]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_7499/shard-iclb1/igt@gem_ctx_shared@exec-single-timeline-bsd.html
[63]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_15629/shard-iclb5/igt@gem_ctx_shared@exec-single-timeline-bsd.html
* igt@gem_ctx_shared@q-smoketest-vebox:
- shard-tglb: [INCOMPLETE][64] ([fdo#111735]) -> [PASS][65]
[64]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_7499/shard-tglb3/igt@gem_ctx_shared@q-smoketest-vebox.html
[65]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_15629/shard-tglb2/igt@gem_ctx_shared@q-smoketest-vebox.html
* igt@gem_exec_await@wide-contexts:
- shard-tglb: [INCOMPLETE][66] ([fdo#111736]) -> [PASS][67]
[66]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_7499/shard-tglb6/igt@gem_exec_await@wide-contexts.html
[67]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_15629/shard-tglb6/igt@gem_exec_await@wide-contexts.html
* igt@gem_exec_parallel@rcs0-contexts:
- shard-hsw: [FAIL][68] -> [PASS][69]
[68]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_7499/shard-hsw7/igt@gem_exec_parallel@rcs0-contexts.html
[69]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_15629/shard-hsw5/igt@gem_exec_parallel@rcs0-contexts.html
* igt@gem_exec_parallel@rcs0-fds:
- shard-hsw: [DMESG-WARN][70] -> [PASS][71]
[70]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_7499/shard-hsw6/igt@gem_exec_parallel@rcs0-fds.html
[71]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_15629/shard-hsw5/igt@gem_exec_parallel@rcs0-fds.html
* igt@gem_exec_parse_blt@allowed-single:
- shard-skl: [DMESG-WARN][72] -> [PASS][73]
[72]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_7499/shard-skl8/igt@gem_exec_parse_blt@allowed-single.html
[73]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_15629/shard-skl2/igt@gem_exec_parse_blt@allowed-single.html
* igt@gem_exec_reloc@basic-cpu-active:
- shard-skl: [DMESG-WARN][74] ([i915#109]) -> [PASS][75]
[74]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_7499/shard-skl5/igt@gem_exec_reloc@basic-cpu-active.html
[75]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_15629/shard-skl9/igt@gem_exec_reloc@basic-cpu-active.html
* {igt@gem_exec_schedule@pi-distinct-iova-bsd}:
- shard-iclb: [SKIP][76] ([i915#677]) -> [PASS][77] +1 similar issue
[76]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_7499/shard-iclb1/igt@gem_exec_schedule@pi-distinct-iova-bsd.html
[77]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_15629/shard-iclb5/igt@gem_exec_schedule@pi-distinct-iova-bsd.html
* igt@gem_exec_schedule@preempt-bsd:
- shard-iclb: [SKIP][78] ([fdo#112146]) -> [PASS][79] +2 similar issues
[78]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_7499/shard-iclb1/igt@gem_exec_schedule@preempt-bsd.html
[79]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_15629/shard-iclb5/igt@gem_exec_schedule@preempt-bsd.html
* igt@gem_exec_schedule@preempt-other-bsd2:
- shard-iclb: [SKIP][80] ([fdo#109276]) -> [PASS][81] +2 similar issues
[80]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_7499/shard-iclb8/igt@gem_exec_schedule@preempt-other-bsd2.html
[81]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_15629/shard-iclb1/igt@gem_exec_schedule@preempt-other-bsd2.html
* igt@gem_exec_schedule@preempt-queue-chain-render:
- shard-tglb: [INCOMPLETE][82] ([fdo#111606] / [fdo#111677]) -> [PASS][83]
[82]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_7499/shard-tglb6/igt@gem_exec_schedule@preempt-queue-chain-render.html
[83]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_15629/shard-tglb4/igt@gem_exec_schedule@preempt-queue-chain-render.html
* igt@gem_ppgtt@flink-and-close-vma-leak:
- shard-skl: [FAIL][84] ([i915#644]) -> [PASS][85]
[84]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_7499/shard-skl1/igt@gem_ppgtt@flink-and-close-vma-leak.html
[85]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_15629/shard-skl6/igt@gem_ppgtt@flink-and-close-vma-leak.html
* igt@kms_cursor_crc@pipe-b-cursor-128x42-sliding:
- shard-skl: [FAIL][86] ([i915#54]) -> [PASS][87] +4 similar issues
[86]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_7499/shard-skl1/igt@kms_cursor_crc@pipe-b-cursor-128x42-sliding.html
[87]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_15629/shard-skl2/igt@kms_cursor_crc@pipe-b-cursor-128x42-sliding.html
* igt@kms_draw_crc@draw-method-rgb565-blt-untiled:
- shard-tglb: [DMESG-WARN][88] ([i915#728]) -> [PASS][89] +4 similar issues
[88]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_7499/shard-tglb1/igt@kms_draw_crc@draw-method-rgb565-blt-untiled.html
[89]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_15629/shard-tglb1/igt@kms_draw_crc@draw-method-rgb565-blt-untiled.html
* igt@kms_fbcon_fbt@psr-suspend:
- shard-tglb: [INCOMPLETE][90] ([i915#456] / [i915#460]) -> [PASS][91]
[90]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_7499/shard-tglb8/igt@kms_fbcon_fbt@psr-suspend.html
[91]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_15629/shard-tglb6/igt@kms_fbcon_fbt@psr-suspend.html
* igt@kms_flip@flip-vs-suspend-interruptible:
- shard-snb: [INCOMPLETE][92] ([i915#82]) -> [PASS][93]
[92]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_7499/shard-snb1/igt@kms_flip@flip-vs-suspend-interruptible.html
[93]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_15629/shard-snb6/igt@kms_flip@flip-vs-suspend-interruptible.html
* igt@kms_frontbuffer_tracking@fbc-1p-offscren-pri-shrfb-draw-blt:
- shard-kbl: [DMESG-WARN][94] ([i915#728]) -> [PASS][95] +2 similar issues
[94]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_7499/shard-kbl6/igt@kms_frontbuffer_tracking@fbc-1p-offscren-pri-shrfb-draw-blt.html
[95]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_15629/shard-kbl6/igt@kms_frontbuffer_tracking@fbc-1p-offscren-pri-shrfb-draw-blt.html
* igt@kms_frontbuffer_tracking@fbc-1p-primscrn-cur-indfb-move:
- shard-tglb: [FAIL][96] ([i915#49]) -> [PASS][97] +2 similar issues
[96]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_7499/shard-tglb7/igt@kms_frontbuffer_tracking@fbc-1p-primscrn-cur-indfb-move.html
[97]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_15629/shard-tglb5/igt@kms_frontbuffer_tracking@fbc-1p-primscrn-cur-indfb-move.html
* igt@kms_frontbuffer_tracking@fbc-suspend:
- shard-kbl: [DMESG-WARN][98] ([i915#180]) -> [PASS][99] +8 similar issues
[98]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_7499/shard-kbl7/igt@kms_frontbuffer_tracking@fbc-suspend.html
[99]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_15629/shard-kbl6/igt@kms_frontbuffer_tracking@fbc-suspend.html
* igt@kms_frontbuffer_tracking@fbcpsr-1p-primscrn-cur-indfb-draw-mmap-gtt:
- shard-iclb: [DMESG-WARN][100] ([i915#728]) -> [PASS][101] +2 similar issues
[100]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_7499/shard-iclb5/igt@kms_frontbuffer_tracking@fbcpsr-1p-primscrn-cur-indfb-draw-mmap-gtt.html
[101]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_15629/shard-iclb8/igt@kms_frontbuffer_tracking@fbcpsr-1p-primscrn-cur-indfb-draw-mmap-gtt.html
* igt@kms_frontbuffer_tracking@fbcpsr-1p-primscrn-pri-shrfb-draw-pwrite:
- shard-iclb: [FAIL][102] ([i915#49]) -> [PASS][103] +2 similar issues
[102]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_7499/shard-iclb8/igt@kms_frontbuffer_tracking@fbcpsr-1p-primscrn-pri-shrfb-draw-pwrite.html
[103]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_15629/shard-iclb6/igt@kms_frontbuffer_tracking@fbcpsr-1p-primscrn-pri-shrfb-draw-pwrite.html
* igt@kms_frontbuffer_tracking@psr-1p-primscrn-cur-indfb-draw-pwrite:
- shard-skl: [DMESG-WARN][104] ([i915#728]) -> [PASS][105] +3 similar issues
[104]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_7499/shard-skl4/igt@kms_frontbuffer_tracking@psr-1p-primscrn-cur-indfb-draw-pwrite.html
[105]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_15629/shard-skl10/igt@kms_frontbuffer_tracking@psr-1p-primscrn-cur-indfb-draw-pwrite.html
* igt@kms_plane@plane-panning-bottom-right-suspend-pipe-a-planes:
- shard-apl: [DMESG-WARN][106] ([i915#180]) -> [PASS][107]
[106]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_7499/shard-apl6/igt@kms_plane@plane-panning-bottom-right-suspend-pipe-a-planes.html
[107]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_15629/shard-apl4/igt@kms_plane@plane-panning-bottom-right-suspend-pipe-a-planes.html
* igt@kms_vblank@pipe-a-ts-continuation-dpms-suspend:
- shard-tglb: [INCOMPLETE][108] ([i915#460]) -> [PASS][109]
[108]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_7499/shard-tglb2/igt@kms_vblank@pipe-a-ts-continuation-dpms-suspend.html
[109]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_15629/shard-tglb7/igt@kms_vblank@pipe-a-ts-continuation-dpms-suspend.html
* igt@perf_pmu@busy-no-semaphores-vcs1:
- shard-iclb: [SKIP][110] ([fdo#112080]) -> [PASS][111] +4 similar issues
[110]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_7499/shard-iclb8/igt@perf_pmu@busy-no-semaphores-vcs1.html
[111]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_15629/shard-iclb4/igt@perf_pmu@busy-no-semaphores-vcs1.html
#### Warnings ####
* igt@i915_selftest@live_blt:
- shard-hsw: [DMESG-FAIL][112] ([i915#683]) -> [DMESG-FAIL][113] ([i915#553] / [i915#725])
[112]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_7499/shard-hsw1/igt@i915_selftest@live_blt.html
[113]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_15629/shard-hsw5/igt@i915_selftest@live_blt.html
* igt@kms_flip@flip-vs-suspend:
- shard-kbl: [DMESG-WARN][114] ([i915#180] / [i915#391]) -> [DMESG-WARN][115] ([i915#180])
[114]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_7499/shard-kbl7/igt@kms_flip@flip-vs-suspend.html
[115]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_15629/shard-kbl4/igt@kms_flip@flip-vs-suspend.html
* igt@kms_frontbuffer_tracking@psr-1p-primscrn-cur-indfb-draw-render:
- shard-skl: [DMESG-WARN][116] -> [DMESG-WARN][117] ([i915#728])
[116]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_7499/shard-skl5/igt@kms_frontbuffer_tracking@psr-1p-primscrn-cur-indfb-draw-render.html
[117]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_15629/shard-skl4/igt@kms_frontbuffer_tracking@psr-1p-primscrn-cur-indfb-draw-render.html
* igt@kms_plane@pixel-format-pipe-b-planes:
- shard-skl: [INCOMPLETE][118] ([i915#648]) -> [INCOMPLETE][119] ([fdo#112391] / [i915#648])
[118]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_7499/shard-skl1/igt@kms_plane@pixel-format-pipe-b-planes.html
[119]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_15629/shard-skl2/igt@kms_plane@pixel-format-pipe-b-planes.html
* igt@kms_psr@psr2_suspend:
- shard-tglb: [DMESG-WARN][120] ([i915#402]) -> [INCOMPLETE][121] ([i915#456] / [i915#460])
[120]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_7499/shard-tglb8/igt@kms_psr@psr2_suspend.html
[121]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_15629/shard-tglb8/igt@kms_psr@psr2_suspend.html
{name}: This element is suppressed. This means it is ignored when computing
the status of the difference (SUCCESS, WARNING, or FAILURE).
[IGT#6]: https://gitlab.freedesktop.org/drm/igt-gpu-tools/issues/6
[fdo#103665]: https://bugs.freedesktop.org/show_bug.cgi?id=103665
[fdo#109276]: https://bugs.freedesktop.org/show_bug.cgi?id=109276
[fdo#110789]: https://bugs.freedesktop.org/show_bug.cgi?id=110789
[fdo#110841]: https://bugs.freedesktop.org/show_bug.cgi?id=110841
[fdo#111606]: https://bugs.freedesktop.org/show_bug.cgi?id=111606
[fdo#111677]: https://bugs.freedesktop.org/show_bug.cgi?id=111677
[fdo#111735]: https://bugs.freedesktop.org/show_bug.cgi?id=111735
[fdo#111736]: https://bugs.freedesktop.org/show_bug.cgi?id=111736
[fdo#111870]: https://bugs.freedesktop.org/show_bug.cgi?id=111870
[fdo#112080]: https://bugs.freedesktop.org/show_bug.cgi?id=112080
[fdo#112126]: https://bugs.freedesktop.org/show_bug.cgi?id=112126
[fdo#112146]: https://bugs.freedesktop.org/show_bug.cgi?id=112146
[fdo#112391]: https://bugs.freedesktop.org/show_bug.cgi?id=112391
[i915#109]: https://gitlab.freedesktop.org/drm/intel/issues/109
[i915#123]: https://gitlab.freedesktop.org/drm/intel/issues/123
[i915#146]: https://gitlab.freedesktop.org/drm/intel/issues/146
[i915#180]: https://gitlab.freedesktop.org/drm/intel/issues/180
[i915#198]: https://gitlab.freedesktop.org/drm/intel/issues/198
[i915#391]: https://gitlab.freedesktop.org/drm/intel/issues/391
[i915#402]: https://gitlab.freedesktop.org/drm/intel/issues/402
[i915#435]: https://gitlab.freedesktop.org/drm/intel/issues/435
[i915#456]: https://gitlab.freedesktop.org/drm/intel/issues/456
[i915#460]: https://gitlab.freedesktop.org/drm/intel/issues/460
[i915#474]: https://gitlab.freedesktop.org/drm/intel/issues/474
[i915#49]: https://gitlab.freedesktop.org/drm/intel/issues/49
[i915#520]: https://gitlab.freedesktop.org/drm/intel/issues/520
[i915#530]: https://gitlab.freedesktop.org/drm/intel/issues/530
[i915#54]: https://gitlab.freedesktop.org/drm/intel/issues/54
[i915#553]: https://gitlab.freedesktop.org/drm/intel/issues/553
[i915#644]: https://gitlab.freedesktop.org/drm/intel/issues/644
[i915#648]: https://gitlab.freedesktop.org/drm/intel/issues/648
[i915#669]: https://gitlab.freedesktop.org/drm/intel/issues/669
[i915#677]: https://gitlab.freedesktop.org/drm/intel/issues/677
[i915#683]: https://gitlab.freedesktop.org/drm/intel/issues/683
[i915#69]: https://gitlab.freedesktop.org/drm/intel/issues/69
[i915#725]: https://gitlab.freedesktop.org/drm/intel/issues/725
[i915#728]: https://gitlab.freedesktop.org/drm/intel/issues/728
[i915#79]: https://gitlab.freedesktop.org/drm/intel/issues/79
[i915#82]: https://gitlab.freedesktop.org/drm/intel/issues/82
Participating hosts (11 -> 11)
------------------------------
No changes in participating hosts
Build changes
-------------
* CI: CI-20190529 -> None
* Linux: CI_DRM_7499 -> Patchwork_15629
CI-20190529: 20190529
CI_DRM_7499: c109ee04ba214d1af4bab093a2964c2b60b26b99 @ git://anongit.freedesktop.org/gfx-ci/linux
IGT_5334: 343aae776a58a67fa153825385e6fe90e3185c5b @ git://anongit.freedesktop.org/xorg/app/intel-gpu-tools
Patchwork_15629: b49cb2953c8374ba21a70ea9815c88b512b1a642 @ git://anongit.freedesktop.org/gfx-ci/linux
piglit_4509: fdc5a4ca11124ab8413c7988896eec4c97336694 @ git://anongit.freedesktop.org/piglit
== Logs ==
For more details see: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_15629/index.html
Thread overview: 7+ messages
2019-12-06 11:56 [Intel-gfx] [PATCH] drm/i915: Fix the use-after-free between i915_active_ref and __active_retire Chuansheng Liu
2019-12-06 12:04 ` Chris Wilson
2019-12-06 12:10 ` Liu, Chuansheng
2019-12-06 12:15 ` Chris Wilson
2019-12-07 1:50 ` Liu, Chuansheng
2019-12-06 14:17 ` [Intel-gfx] ✓ Fi.CI.BAT: success for " Patchwork
2019-12-07 4:02 ` [Intel-gfx] ✗ Fi.CI.IGT: failure " Patchwork