* [PATCH 1/4] drm/i915: don't call free_mmap_offset when purging
@ 2022-01-05 14:58 Matthew Auld
2022-01-05 14:58 ` [PATCH 2/4] drm/i915/ttm: only fault WILLNEED objects Matthew Auld
` (3 more replies)
0 siblings, 4 replies; 9+ messages in thread
From: Matthew Auld @ 2022-01-05 14:58 UTC (permalink / raw)
To: intel-gfx; +Cc: Thomas Hellström, dri-devel
The TTM backend is in theory the only user here(also purge should only
be called once we have dropped the pages), where it is setup at object
creation and is only removed once the object is destroyed. Also
resetting the node here might be iffy since the ttm fault handler
uses the stored fake offset to determine the page offset within the pages
array.
This also blows up in the dontneed-before-mmap test, since the
expectation is that the vma_node will live on, until the object is
destroyed:
<2> [749.062902] kernel BUG at drivers/gpu/drm/i915/gem/i915_gem_ttm.c:943!
<4> [749.062923] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
<4> [749.062928] CPU: 0 PID: 1643 Comm: gem_madvise Tainted: G U W 5.16.0-rc8-CI-CI_DRM_11046+ #1
<4> [749.062933] Hardware name: Gigabyte Technology Co., Ltd. GB-Z390 Garuda/GB-Z390 Garuda-CF, BIOS IG1c 11/19/2019
<4> [749.062937] RIP: 0010:i915_ttm_mmap_offset.cold.35+0x5b/0x5d [i915]
<4> [749.063044] Code: 00 48 c7 c2 a0 23 4e a0 48 c7 c7 26 df 4a a0 e8 95 1d d0 e0 bf 01 00 00 00 e8 8b ec cf e0 31 f6 bf 09 00 00 00 e8 5f 30 c0 e0 <0f> 0b 48 c7 c1 24 4b 56 a0 ba 5b 03 00 00 48 c7 c6 c0 23 4e a0 48
<4> [749.063052] RSP: 0018:ffffc90002ab7d38 EFLAGS: 00010246
<4> [749.063056] RAX: 0000000000000240 RBX: ffff88811f2e61c0 RCX: 0000000000000006
<4> [749.063060] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000009
<4> [749.063063] RBP: ffffc90002ab7e58 R08: 0000000000000001 R09: 0000000000000001
<4> [749.063067] R10: 000000000123d0f8 R11: ffffc90002ab7b20 R12: ffff888112a1a000
<4> [749.063071] R13: 0000000000000004 R14: ffff88811f2e61c0 R15: ffff888112a1a000
<4> [749.063074] FS: 00007f6e5fcad500(0000) GS:ffff8884ad600000(0000) knlGS:0000000000000000
<4> [749.063078] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
<4> [749.063081] CR2: 00007efd264e39f0 CR3: 0000000115fd6005 CR4: 00000000003706f0
<4> [749.063085] Call Trace:
<4> [749.063087] <TASK>
<4> [749.063089] __assign_mmap_offset+0x41/0x300 [i915]
<4> [749.063171] __assign_mmap_offset_handle+0x159/0x270 [i915]
<4> [749.063248] ? i915_gem_dumb_mmap_offset+0x70/0x70 [i915]
<4> [749.063325] drm_ioctl_kernel+0xae/0x140
<4> [749.063330] drm_ioctl+0x201/0x3d0
<4> [749.063333] ? i915_gem_dumb_mmap_offset+0x70/0x70 [i915]
<4> [749.063409] ? do_user_addr_fault+0x200/0x670
<4> [749.063415] __x64_sys_ioctl+0x6d/0xa0
<4> [749.063419] do_syscall_64+0x3a/0xb0
<4> [749.063423] entry_SYSCALL_64_after_hwframe+0x44/0xae
<4> [749.063428] RIP: 0033:0x7f6e5f100317
Testcase: igt@gem_madvise@dontneed-before-mmap
Fixes: cf3e3e86d779 ("drm/i915: Use ttm mmap handling for ttm bo's.")
Signed-off-by: Matthew Auld <matthew.auld@intel.com>
Cc: Thomas Hellström <thomas.hellstrom@linux.intel.com>
---
drivers/gpu/drm/i915/gem/i915_gem_pages.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/drivers/gpu/drm/i915/gem/i915_gem_pages.c b/drivers/gpu/drm/i915/gem/i915_gem_pages.c
index 89b70f5cde7a..9f429ed6e78a 100644
--- a/drivers/gpu/drm/i915/gem/i915_gem_pages.c
+++ b/drivers/gpu/drm/i915/gem/i915_gem_pages.c
@@ -161,7 +161,6 @@ int i915_gem_object_pin_pages_unlocked(struct drm_i915_gem_object *obj)
/* Immediately discard the backing storage */
int i915_gem_object_truncate(struct drm_i915_gem_object *obj)
{
- drm_gem_free_mmap_offset(&obj->base);
if (obj->ops->truncate)
return obj->ops->truncate(obj);
--
2.31.1
^ permalink raw reply related [flat|nested] 9+ messages in thread
* [PATCH 2/4] drm/i915/ttm: only fault WILLNEED objects
2022-01-05 14:58 [PATCH 1/4] drm/i915: don't call free_mmap_offset when purging Matthew Auld
@ 2022-01-05 14:58 ` Matthew Auld
2022-01-05 15:09 ` Thomas Hellström
2022-01-05 14:58 ` [PATCH 3/4] drm/i915/ttm: ensure we unmap when purging Matthew Auld
` (2 subsequent siblings)
3 siblings, 1 reply; 9+ messages in thread
From: Matthew Auld @ 2022-01-05 14:58 UTC (permalink / raw)
To: intel-gfx; +Cc: Thomas Hellström, dri-devel
Don't attempt to fault and re-populate purged objects. By some fluke
this passes the dontneed-after-mmap IGT, but for the wrong reasons.
Fixes: cf3e3e86d779 ("drm/i915: Use ttm mmap handling for ttm bo's.")
Signed-off-by: Matthew Auld <matthew.auld@intel.com>
Cc: Thomas Hellström <thomas.hellstrom@linux.intel.com>
---
drivers/gpu/drm/i915/gem/i915_gem_ttm.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/drivers/gpu/drm/i915/gem/i915_gem_ttm.c b/drivers/gpu/drm/i915/gem/i915_gem_ttm.c
index 923cc7ad8d70..8d61d4538a64 100644
--- a/drivers/gpu/drm/i915/gem/i915_gem_ttm.c
+++ b/drivers/gpu/drm/i915/gem/i915_gem_ttm.c
@@ -883,6 +883,11 @@ static vm_fault_t vm_fault_ttm(struct vm_fault *vmf)
if (ret)
return ret;
+ if (obj->mm.madv != I915_MADV_WILLNEED) {
+ dma_resv_unlock(bo->base.resv);
+ return VM_FAULT_SIGBUS;
+ }
+
if (drm_dev_enter(dev, &idx)) {
ret = ttm_bo_vm_fault_reserved(vmf, vmf->vma->vm_page_prot,
TTM_BO_VM_NUM_PREFAULT);
--
2.31.1
^ permalink raw reply related [flat|nested] 9+ messages in thread
* [PATCH 3/4] drm/i915/ttm: ensure we unmap when purging
2022-01-05 14:58 [PATCH 1/4] drm/i915: don't call free_mmap_offset when purging Matthew Auld
2022-01-05 14:58 ` [PATCH 2/4] drm/i915/ttm: only fault WILLNEED objects Matthew Auld
@ 2022-01-05 14:58 ` Matthew Auld
2022-01-05 15:28 ` Thomas Hellström
2022-01-05 14:58 ` [PATCH 4/4] drm/i915/ttm: ensure we unmap when shrinking Matthew Auld
2022-01-05 15:46 ` [PATCH 1/4] drm/i915: don't call free_mmap_offset when purging Thomas Hellström
3 siblings, 1 reply; 9+ messages in thread
From: Matthew Auld @ 2022-01-05 14:58 UTC (permalink / raw)
To: intel-gfx; +Cc: Thomas Hellström, dri-devel
Purging can happen during swapping out, or directly invoked with the
madvise ioctl. In such cases this doesn't involve a ttm move, which
skips umapping the object.
Fixes: cf3e3e86d779 ("drm/i915: Use ttm mmap handling for ttm bo's.")
Signed-off-by: Matthew Auld <matthew.auld@intel.com>
Cc: Thomas Hellström <thomas.hellstrom@linux.intel.com>
---
drivers/gpu/drm/i915/gem/i915_gem_ttm.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/gpu/drm/i915/gem/i915_gem_ttm.c b/drivers/gpu/drm/i915/gem/i915_gem_ttm.c
index 8d61d4538a64..f148e7e48f86 100644
--- a/drivers/gpu/drm/i915/gem/i915_gem_ttm.c
+++ b/drivers/gpu/drm/i915/gem/i915_gem_ttm.c
@@ -399,6 +399,8 @@ int i915_ttm_purge(struct drm_i915_gem_object *obj)
if (obj->mm.madv == __I915_MADV_PURGED)
return 0;
+ ttm_bo_unmap_virtual(bo);
+
ret = ttm_bo_validate(bo, &place, &ctx);
if (ret)
return ret;
--
2.31.1
^ permalink raw reply related [flat|nested] 9+ messages in thread
* [PATCH 4/4] drm/i915/ttm: ensure we unmap when shrinking
2022-01-05 14:58 [PATCH 1/4] drm/i915: don't call free_mmap_offset when purging Matthew Auld
2022-01-05 14:58 ` [PATCH 2/4] drm/i915/ttm: only fault WILLNEED objects Matthew Auld
2022-01-05 14:58 ` [PATCH 3/4] drm/i915/ttm: ensure we unmap when purging Matthew Auld
@ 2022-01-05 14:58 ` Matthew Auld
2022-01-05 15:46 ` [PATCH 1/4] drm/i915: don't call free_mmap_offset when purging Thomas Hellström
3 siblings, 0 replies; 9+ messages in thread
From: Matthew Auld @ 2022-01-05 14:58 UTC (permalink / raw)
To: intel-gfx; +Cc: Thomas Hellström, dri-devel
Assuming we don't purge the pages, but instead swap them out then we
need to ensure we also unmap the object.
Fixes: 7ae034590cea ("drm/i915/ttm: add tt shmem backend")
Signed-off-by: Matthew Auld <matthew.auld@intel.com>
Cc: Thomas Hellström <thomas.hellstrom@linux.intel.com>
---
drivers/gpu/drm/i915/gem/i915_gem_ttm.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/gpu/drm/i915/gem/i915_gem_ttm.c b/drivers/gpu/drm/i915/gem/i915_gem_ttm.c
index f148e7e48f86..adbbd57bb9bf 100644
--- a/drivers/gpu/drm/i915/gem/i915_gem_ttm.c
+++ b/drivers/gpu/drm/i915/gem/i915_gem_ttm.c
@@ -462,6 +462,8 @@ static int i915_ttm_shrinker_release_pages(struct drm_i915_gem_object *obj,
if (bo->ttm->page_flags & TTM_TT_FLAG_SWAPPED)
return 0;
+ ttm_bo_unmap_virtual(bo);
+
bo->ttm->page_flags |= TTM_TT_FLAG_SWAPPED;
ret = ttm_bo_validate(bo, &place, &ctx);
if (ret) {
--
2.31.1
^ permalink raw reply related [flat|nested] 9+ messages in thread
* Re: [PATCH 2/4] drm/i915/ttm: only fault WILLNEED objects
2022-01-05 14:58 ` [PATCH 2/4] drm/i915/ttm: only fault WILLNEED objects Matthew Auld
@ 2022-01-05 15:09 ` Thomas Hellström
0 siblings, 0 replies; 9+ messages in thread
From: Thomas Hellström @ 2022-01-05 15:09 UTC (permalink / raw)
To: Matthew Auld, intel-gfx; +Cc: dri-devel
On Wed, 2022-01-05 at 14:58 +0000, Matthew Auld wrote:
> Don't attempt to fault and re-populate purged objects. By some fluke
> this passes the dontneed-after-mmap IGT, but for the wrong reasons.
>
> Fixes: cf3e3e86d779 ("drm/i915: Use ttm mmap handling for ttm bo's.")
> Signed-off-by: Matthew Auld <matthew.auld@intel.com>
> Cc: Thomas Hellström <thomas.hellstrom@linux.intel.com>
Reviewed-by: Thomas Hellström <thomas.hellstrom@linux.intel.com>
> ---
> drivers/gpu/drm/i915/gem/i915_gem_ttm.c | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff --git a/drivers/gpu/drm/i915/gem/i915_gem_ttm.c
> b/drivers/gpu/drm/i915/gem/i915_gem_ttm.c
> index 923cc7ad8d70..8d61d4538a64 100644
> --- a/drivers/gpu/drm/i915/gem/i915_gem_ttm.c
> +++ b/drivers/gpu/drm/i915/gem/i915_gem_ttm.c
> @@ -883,6 +883,11 @@ static vm_fault_t vm_fault_ttm(struct vm_fault
> *vmf)
> if (ret)
> return ret;
>
> + if (obj->mm.madv != I915_MADV_WILLNEED) {
> + dma_resv_unlock(bo->base.resv);
> + return VM_FAULT_SIGBUS;
> + }
> +
> if (drm_dev_enter(dev, &idx)) {
> ret = ttm_bo_vm_fault_reserved(vmf, vmf->vma-
> >vm_page_prot,
>
> TTM_BO_VM_NUM_PREFAULT);
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH 3/4] drm/i915/ttm: ensure we unmap when purging
2022-01-05 14:58 ` [PATCH 3/4] drm/i915/ttm: ensure we unmap when purging Matthew Auld
@ 2022-01-05 15:28 ` Thomas Hellström
0 siblings, 0 replies; 9+ messages in thread
From: Thomas Hellström @ 2022-01-05 15:28 UTC (permalink / raw)
To: Matthew Auld, intel-gfx; +Cc: dri-devel
On Wed, 2022-01-05 at 14:58 +0000, Matthew Auld wrote:
> Purging can happen during swapping out, or directly invoked with the
> madvise ioctl. In such cases this doesn't involve a ttm move, which
> skips umapping the object.
>
> Fixes: cf3e3e86d779 ("drm/i915: Use ttm mmap handling for ttm bo's.")
> Signed-off-by: Matthew Auld <matthew.auld@intel.com>
> Cc: Thomas Hellström <thomas.hellstrom@linux.intel.com>
> ---
> drivers/gpu/drm/i915/gem/i915_gem_ttm.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/drivers/gpu/drm/i915/gem/i915_gem_ttm.c
> b/drivers/gpu/drm/i915/gem/i915_gem_ttm.c
> index 8d61d4538a64..f148e7e48f86 100644
> --- a/drivers/gpu/drm/i915/gem/i915_gem_ttm.c
> +++ b/drivers/gpu/drm/i915/gem/i915_gem_ttm.c
> @@ -399,6 +399,8 @@ int i915_ttm_purge(struct drm_i915_gem_object
> *obj)
> if (obj->mm.madv == __I915_MADV_PURGED)
> return 0;
>
> + ttm_bo_unmap_virtual(bo);
> +
> ret = ttm_bo_validate(bo, &place, &ctx);
> if (ret)
> return ret;
The swap notifier and the move code both call i915_ttm_move_notify() to
achieve this before calling i915_ttm_purge. This ensures both cpu- and
gpu ptes are torn down, and also when we extend to dynamic dma-buf
exporting, makes sure dma-buf importers unbind.
So I suggest we make a i915_ttm_truncate wrapper function that calls
i915_ttm_move_notify() and then ttm_bo_purge(), and use that as the
truncate callback as well as from those places we call i915_ttm_purge
without a prior call to i915_ttm_move_notify(), which seems to be the
ones you've identified in patch 3 and 4,
/Thomas
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH 1/4] drm/i915: don't call free_mmap_offset when purging
2022-01-05 14:58 [PATCH 1/4] drm/i915: don't call free_mmap_offset when purging Matthew Auld
` (2 preceding siblings ...)
2022-01-05 14:58 ` [PATCH 4/4] drm/i915/ttm: ensure we unmap when shrinking Matthew Auld
@ 2022-01-05 15:46 ` Thomas Hellström
2022-01-05 16:03 ` Matthew Auld
3 siblings, 1 reply; 9+ messages in thread
From: Thomas Hellström @ 2022-01-05 15:46 UTC (permalink / raw)
To: Matthew Auld, intel-gfx; +Cc: dri-devel
On Wed, 2022-01-05 at 14:58 +0000, Matthew Auld wrote:
> The TTM backend is in theory the only user here(also purge should
> only
> be called once we have dropped the pages), where it is setup at
> object
> creation and is only removed once the object is destroyed. Also
> resetting the node here might be iffy since the ttm fault handler
> uses the stored fake offset to determine the page offset within the
> pages
> array.
>
> This also blows up in the dontneed-before-mmap test, since the
> expectation is that the vma_node will live on, until the object is
> destroyed:
>
> <2> [749.062902] kernel BUG at
> drivers/gpu/drm/i915/gem/i915_gem_ttm.c:943!
> <4> [749.062923] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
> <4> [749.062928] CPU: 0 PID: 1643 Comm: gem_madvise Tainted: G U
> W 5.16.0-rc8-CI-CI_DRM_11046+ #1
> <4> [749.062933] Hardware name: Gigabyte Technology Co., Ltd. GB-Z390
> Garuda/GB-Z390 Garuda-CF, BIOS IG1c 11/19/2019
> <4> [749.062937] RIP: 0010:i915_ttm_mmap_offset.cold.35+0x5b/0x5d
> [i915]
> <4> [749.063044] Code: 00 48 c7 c2 a0 23 4e a0 48 c7 c7 26 df 4a a0
> e8 95 1d d0 e0 bf 01 00 00 00 e8 8b ec cf e0 31 f6 bf 09 00 00 00 e8
> 5f 30 c0 e0 <0f> 0b 48 c7 c1 24 4b 56 a0 ba 5b 03 00 00 48 c7 c6 c0
> 23 4e a0 48
> <4> [749.063052] RSP: 0018:ffffc90002ab7d38 EFLAGS: 00010246
> <4> [749.063056] RAX: 0000000000000240 RBX: ffff88811f2e61c0 RCX:
> 0000000000000006
> <4> [749.063060] RDX: 0000000000000000 RSI: 0000000000000000 RDI:
> 0000000000000009
> <4> [749.063063] RBP: ffffc90002ab7e58 R08: 0000000000000001 R09:
> 0000000000000001
> <4> [749.063067] R10: 000000000123d0f8 R11: ffffc90002ab7b20 R12:
> ffff888112a1a000
> <4> [749.063071] R13: 0000000000000004 R14: ffff88811f2e61c0 R15:
> ffff888112a1a000
> <4> [749.063074] FS: 00007f6e5fcad500(0000)
> GS:ffff8884ad600000(0000) knlGS:0000000000000000
> <4> [749.063078] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> <4> [749.063081] CR2: 00007efd264e39f0 CR3: 0000000115fd6005 CR4:
> 00000000003706f0
> <4> [749.063085] Call Trace:
> <4> [749.063087] <TASK>
> <4> [749.063089] __assign_mmap_offset+0x41/0x300 [i915]
> <4> [749.063171] __assign_mmap_offset_handle+0x159/0x270 [i915]
> <4> [749.063248] ? i915_gem_dumb_mmap_offset+0x70/0x70 [i915]
> <4> [749.063325] drm_ioctl_kernel+0xae/0x140
> <4> [749.063330] drm_ioctl+0x201/0x3d0
> <4> [749.063333] ? i915_gem_dumb_mmap_offset+0x70/0x70 [i915]
> <4> [749.063409] ? do_user_addr_fault+0x200/0x670
> <4> [749.063415] __x64_sys_ioctl+0x6d/0xa0
> <4> [749.063419] do_syscall_64+0x3a/0xb0
> <4> [749.063423] entry_SYSCALL_64_after_hwframe+0x44/0xae
> <4> [749.063428] RIP: 0033:0x7f6e5f100317
>
> Testcase: igt@gem_madvise@dontneed-before-mmap
> Fixes: cf3e3e86d779 ("drm/i915: Use ttm mmap handling for ttm bo's.")
> Signed-off-by: Matthew Auld <matthew.auld@intel.com>
> Cc: Thomas Hellström <thomas.hellstrom@linux.intel.com>
> ---
> drivers/gpu/drm/i915/gem/i915_gem_pages.c | 1 -
> 1 file changed, 1 deletion(-)
>
> diff --git a/drivers/gpu/drm/i915/gem/i915_gem_pages.c
> b/drivers/gpu/drm/i915/gem/i915_gem_pages.c
> index 89b70f5cde7a..9f429ed6e78a 100644
> --- a/drivers/gpu/drm/i915/gem/i915_gem_pages.c
> +++ b/drivers/gpu/drm/i915/gem/i915_gem_pages.c
> @@ -161,7 +161,6 @@ int i915_gem_object_pin_pages_unlocked(struct
> drm_i915_gem_object *obj)
> /* Immediately discard the backing storage */
> int i915_gem_object_truncate(struct drm_i915_gem_object *obj)
> {
> - drm_gem_free_mmap_offset(&obj->base);
What happens if a non-ttm shmem system object gets truncated from the
shrinker and then tries to use the above mmap offset?
/Thomas
> if (obj->ops->truncate)
> return obj->ops->truncate(obj);
>
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH 1/4] drm/i915: don't call free_mmap_offset when purging
2022-01-05 15:46 ` [PATCH 1/4] drm/i915: don't call free_mmap_offset when purging Thomas Hellström
@ 2022-01-05 16:03 ` Matthew Auld
2022-01-05 16:06 ` Thomas Hellström
0 siblings, 1 reply; 9+ messages in thread
From: Matthew Auld @ 2022-01-05 16:03 UTC (permalink / raw)
To: Thomas Hellström, intel-gfx; +Cc: dri-devel
On 05/01/2022 15:46, Thomas Hellström wrote:
> On Wed, 2022-01-05 at 14:58 +0000, Matthew Auld wrote:
>> The TTM backend is in theory the only user here(also purge should
>> only
>> be called once we have dropped the pages), where it is setup at
>> object
>> creation and is only removed once the object is destroyed. Also
>> resetting the node here might be iffy since the ttm fault handler
>> uses the stored fake offset to determine the page offset within the
>> pages
>> array.
>>
>> This also blows up in the dontneed-before-mmap test, since the
>> expectation is that the vma_node will live on, until the object is
>> destroyed:
>>
>> <2> [749.062902] kernel BUG at
>> drivers/gpu/drm/i915/gem/i915_gem_ttm.c:943!
>> <4> [749.062923] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
>> <4> [749.062928] CPU: 0 PID: 1643 Comm: gem_madvise Tainted: G U
>> W 5.16.0-rc8-CI-CI_DRM_11046+ #1
>> <4> [749.062933] Hardware name: Gigabyte Technology Co., Ltd. GB-Z390
>> Garuda/GB-Z390 Garuda-CF, BIOS IG1c 11/19/2019
>> <4> [749.062937] RIP: 0010:i915_ttm_mmap_offset.cold.35+0x5b/0x5d
>> [i915]
>> <4> [749.063044] Code: 00 48 c7 c2 a0 23 4e a0 48 c7 c7 26 df 4a a0
>> e8 95 1d d0 e0 bf 01 00 00 00 e8 8b ec cf e0 31 f6 bf 09 00 00 00 e8
>> 5f 30 c0 e0 <0f> 0b 48 c7 c1 24 4b 56 a0 ba 5b 03 00 00 48 c7 c6 c0
>> 23 4e a0 48
>> <4> [749.063052] RSP: 0018:ffffc90002ab7d38 EFLAGS: 00010246
>> <4> [749.063056] RAX: 0000000000000240 RBX: ffff88811f2e61c0 RCX:
>> 0000000000000006
>> <4> [749.063060] RDX: 0000000000000000 RSI: 0000000000000000 RDI:
>> 0000000000000009
>> <4> [749.063063] RBP: ffffc90002ab7e58 R08: 0000000000000001 R09:
>> 0000000000000001
>> <4> [749.063067] R10: 000000000123d0f8 R11: ffffc90002ab7b20 R12:
>> ffff888112a1a000
>> <4> [749.063071] R13: 0000000000000004 R14: ffff88811f2e61c0 R15:
>> ffff888112a1a000
>> <4> [749.063074] FS: 00007f6e5fcad500(0000)
>> GS:ffff8884ad600000(0000) knlGS:0000000000000000
>> <4> [749.063078] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>> <4> [749.063081] CR2: 00007efd264e39f0 CR3: 0000000115fd6005 CR4:
>> 00000000003706f0
>> <4> [749.063085] Call Trace:
>> <4> [749.063087] <TASK>
>> <4> [749.063089] __assign_mmap_offset+0x41/0x300 [i915]
>> <4> [749.063171] __assign_mmap_offset_handle+0x159/0x270 [i915]
>> <4> [749.063248] ? i915_gem_dumb_mmap_offset+0x70/0x70 [i915]
>> <4> [749.063325] drm_ioctl_kernel+0xae/0x140
>> <4> [749.063330] drm_ioctl+0x201/0x3d0
>> <4> [749.063333] ? i915_gem_dumb_mmap_offset+0x70/0x70 [i915]
>> <4> [749.063409] ? do_user_addr_fault+0x200/0x670
>> <4> [749.063415] __x64_sys_ioctl+0x6d/0xa0
>> <4> [749.063419] do_syscall_64+0x3a/0xb0
>> <4> [749.063423] entry_SYSCALL_64_after_hwframe+0x44/0xae
>> <4> [749.063428] RIP: 0033:0x7f6e5f100317
>>
>> Testcase: igt@gem_madvise@dontneed-before-mmap
>> Fixes: cf3e3e86d779 ("drm/i915: Use ttm mmap handling for ttm bo's.")
>> Signed-off-by: Matthew Auld <matthew.auld@intel.com>
>> Cc: Thomas Hellström <thomas.hellstrom@linux.intel.com>
>> ---
>> drivers/gpu/drm/i915/gem/i915_gem_pages.c | 1 -
>> 1 file changed, 1 deletion(-)
>>
>> diff --git a/drivers/gpu/drm/i915/gem/i915_gem_pages.c
>> b/drivers/gpu/drm/i915/gem/i915_gem_pages.c
>> index 89b70f5cde7a..9f429ed6e78a 100644
>> --- a/drivers/gpu/drm/i915/gem/i915_gem_pages.c
>> +++ b/drivers/gpu/drm/i915/gem/i915_gem_pages.c
>> @@ -161,7 +161,6 @@ int i915_gem_object_pin_pages_unlocked(struct
>> drm_i915_gem_object *obj)
>> /* Immediately discard the backing storage */
>> int i915_gem_object_truncate(struct drm_i915_gem_object *obj)
>> {
>> - drm_gem_free_mmap_offset(&obj->base);
>
> What happens if a non-ttm shmem system object gets truncated from the
> shrinker and then tries to use the above mmap offset?
AFAIK nothing on integrated is really using this. The mmap_offset ioctl
stuff is managing multiple vma nodes itself, per object(one for each
cache type/mapping or something), and so doesn't use this. And the shmem
mmap ioctl doesn't use the any fake offset stuff, AFAIK.
>
> /Thomas
>
>
>
>> if (obj->ops->truncate)
>> return obj->ops->truncate(obj);
>>
>
>
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH 1/4] drm/i915: don't call free_mmap_offset when purging
2022-01-05 16:03 ` Matthew Auld
@ 2022-01-05 16:06 ` Thomas Hellström
0 siblings, 0 replies; 9+ messages in thread
From: Thomas Hellström @ 2022-01-05 16:06 UTC (permalink / raw)
To: Matthew Auld, intel-gfx; +Cc: dri-devel
On Wed, 2022-01-05 at 16:03 +0000, Matthew Auld wrote:
> On 05/01/2022 15:46, Thomas Hellström wrote:
> > On Wed, 2022-01-05 at 14:58 +0000, Matthew Auld wrote:
> > > The TTM backend is in theory the only user here(also purge should
> > > only
> > > be called once we have dropped the pages), where it is setup at
> > > object
> > > creation and is only removed once the object is destroyed. Also
> > > resetting the node here might be iffy since the ttm fault handler
> > > uses the stored fake offset to determine the page offset within
> > > the
> > > pages
> > > array.
> > >
> > > This also blows up in the dontneed-before-mmap test, since the
> > > expectation is that the vma_node will live on, until the object
> > > is
> > > destroyed:
> > >
> > > <2> [749.062902] kernel BUG at
> > > drivers/gpu/drm/i915/gem/i915_gem_ttm.c:943!
> > > <4> [749.062923] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
> > > <4> [749.062928] CPU: 0 PID: 1643 Comm: gem_madvise Tainted:
> > > G U
> > > W 5.16.0-rc8-CI-CI_DRM_11046+ #1
> > > <4> [749.062933] Hardware name: Gigabyte Technology Co., Ltd. GB-
> > > Z390
> > > Garuda/GB-Z390 Garuda-CF, BIOS IG1c 11/19/2019
> > > <4> [749.062937] RIP: 0010:i915_ttm_mmap_offset.cold.35+0x5b/0x5d
> > > [i915]
> > > <4> [749.063044] Code: 00 48 c7 c2 a0 23 4e a0 48 c7 c7 26 df 4a
> > > a0
> > > e8 95 1d d0 e0 bf 01 00 00 00 e8 8b ec cf e0 31 f6 bf 09 00 00 00
> > > e8
> > > 5f 30 c0 e0 <0f> 0b 48 c7 c1 24 4b 56 a0 ba 5b 03 00 00 48 c7 c6
> > > c0
> > > 23 4e a0 48
> > > <4> [749.063052] RSP: 0018:ffffc90002ab7d38 EFLAGS: 00010246
> > > <4> [749.063056] RAX: 0000000000000240 RBX: ffff88811f2e61c0 RCX:
> > > 0000000000000006
> > > <4> [749.063060] RDX: 0000000000000000 RSI: 0000000000000000 RDI:
> > > 0000000000000009
> > > <4> [749.063063] RBP: ffffc90002ab7e58 R08: 0000000000000001 R09:
> > > 0000000000000001
> > > <4> [749.063067] R10: 000000000123d0f8 R11: ffffc90002ab7b20 R12:
> > > ffff888112a1a000
> > > <4> [749.063071] R13: 0000000000000004 R14: ffff88811f2e61c0 R15:
> > > ffff888112a1a000
> > > <4> [749.063074] FS: 00007f6e5fcad500(0000)
> > > GS:ffff8884ad600000(0000) knlGS:0000000000000000
> > > <4> [749.063078] CS: 0010 DS: 0000 ES: 0000 CR0:
> > > 0000000080050033
> > > <4> [749.063081] CR2: 00007efd264e39f0 CR3: 0000000115fd6005 CR4:
> > > 00000000003706f0
> > > <4> [749.063085] Call Trace:
> > > <4> [749.063087] <TASK>
> > > <4> [749.063089] __assign_mmap_offset+0x41/0x300 [i915]
> > > <4> [749.063171] __assign_mmap_offset_handle+0x159/0x270 [i915]
> > > <4> [749.063248] ? i915_gem_dumb_mmap_offset+0x70/0x70 [i915]
> > > <4> [749.063325] drm_ioctl_kernel+0xae/0x140
> > > <4> [749.063330] drm_ioctl+0x201/0x3d0
> > > <4> [749.063333] ? i915_gem_dumb_mmap_offset+0x70/0x70 [i915]
> > > <4> [749.063409] ? do_user_addr_fault+0x200/0x670
> > > <4> [749.063415] __x64_sys_ioctl+0x6d/0xa0
> > > <4> [749.063419] do_syscall_64+0x3a/0xb0
> > > <4> [749.063423] entry_SYSCALL_64_after_hwframe+0x44/0xae
> > > <4> [749.063428] RIP: 0033:0x7f6e5f100317
> > >
> > > Testcase: igt@gem_madvise@dontneed-before-mmap
> > > Fixes: cf3e3e86d779 ("drm/i915: Use ttm mmap handling for ttm
> > > bo's.")
> > > Signed-off-by: Matthew Auld <matthew.auld@intel.com>
> > > Cc: Thomas Hellström <thomas.hellstrom@linux.intel.com>
> > > ---
> > > drivers/gpu/drm/i915/gem/i915_gem_pages.c | 1 -
> > > 1 file changed, 1 deletion(-)
> > >
> > > diff --git a/drivers/gpu/drm/i915/gem/i915_gem_pages.c
> > > b/drivers/gpu/drm/i915/gem/i915_gem_pages.c
> > > index 89b70f5cde7a..9f429ed6e78a 100644
> > > --- a/drivers/gpu/drm/i915/gem/i915_gem_pages.c
> > > +++ b/drivers/gpu/drm/i915/gem/i915_gem_pages.c
> > > @@ -161,7 +161,6 @@ int i915_gem_object_pin_pages_unlocked(struct
> > > drm_i915_gem_object *obj)
> > > /* Immediately discard the backing storage */
> > > int i915_gem_object_truncate(struct drm_i915_gem_object *obj)
> > > {
> > > - drm_gem_free_mmap_offset(&obj->base);
> >
> > What happens if a non-ttm shmem system object gets truncated from
> > the
> > shrinker and then tries to use the above mmap offset?
>
> AFAIK nothing on integrated is really using this. The mmap_offset
> ioctl
> stuff is managing multiple vma nodes itself, per object(one for each
> cache type/mapping or something), and so doesn't use this. And the
> shmem
> mmap ioctl doesn't use the any fake offset stuff, AFAIK.
OK, then
Reviewed-by: Thomas Hellström <thomas.hellstrom@linux.intel.com>
>
> >
> > /Thomas
> >
> >
> >
> > > if (obj->ops->truncate)
> > > return obj->ops->truncate(obj);
> > >
> >
> >
^ permalink raw reply [flat|nested] 9+ messages in thread
end of thread, other threads:[~2022-01-05 16:06 UTC | newest]
Thread overview: 9+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-01-05 14:58 [PATCH 1/4] drm/i915: don't call free_mmap_offset when purging Matthew Auld
2022-01-05 14:58 ` [PATCH 2/4] drm/i915/ttm: only fault WILLNEED objects Matthew Auld
2022-01-05 15:09 ` Thomas Hellström
2022-01-05 14:58 ` [PATCH 3/4] drm/i915/ttm: ensure we unmap when purging Matthew Auld
2022-01-05 15:28 ` Thomas Hellström
2022-01-05 14:58 ` [PATCH 4/4] drm/i915/ttm: ensure we unmap when shrinking Matthew Auld
2022-01-05 15:46 ` [PATCH 1/4] drm/i915: don't call free_mmap_offset when purging Thomas Hellström
2022-01-05 16:03 ` Matthew Auld
2022-01-05 16:06 ` Thomas Hellström
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).