From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.8 required=3.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, INCLUDES_PATCH,MAILING_LIST_MULTI,SIGNED_OFF_BY,SPF_HELO_NONE,SPF_PASS, URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id BC00DC433DF for ; Thu, 21 May 2020 09:27:24 +0000 (UTC) Received: from gabe.freedesktop.org (gabe.freedesktop.org [131.252.210.177]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 45C092072C for ; Thu, 21 May 2020 09:27:24 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 45C092072C Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=chris-wilson.co.uk Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=intel-gfx-bounces@lists.freedesktop.org Received: from gabe.freedesktop.org (localhost [127.0.0.1]) by gabe.freedesktop.org (Postfix) with ESMTP id D819C6E042; Thu, 21 May 2020 09:27:23 +0000 (UTC) Received: from fireflyinternet.com (mail.fireflyinternet.com [109.228.58.192]) by gabe.freedesktop.org (Postfix) with ESMTPS id A8AFB6E042 for ; Thu, 21 May 2020 09:27:20 +0000 (UTC) X-Default-Received-SPF: pass (skip=forwardok (res=PASS)) x-ip-name=78.156.65.138; Received: from localhost (unverified [78.156.65.138]) by fireflyinternet.com (Firefly Internet (M1)) with ESMTP (TLS) id 21245091-1500050 for multiple; Thu, 21 May 2020 10:27:16 +0100 MIME-Version: 1.0 In-Reply-To: <55150b9c-37f4-7d80-3282-80d18d21d719@linux.intel.com> References: <20200521085320.906-1-chris@chris-wilson.co.uk> <20200521085320.906-2-chris@chris-wilson.co.uk> <55150b9c-37f4-7d80-3282-80d18d21d719@linux.intel.com> To: Tvrtko Ursulin , intel-gfx@lists.freedesktop.org From: Chris Wilson Message-ID: <159005323613.32320.14516950460163840293@build.alporthouse.com> User-Agent: alot/0.8.1 Date: Thu, 21 May 2020 10:27:16 +0100 Subject: Re: [Intel-gfx] [PATCH 2/2] drm/i915: Avoid using rq->engine after free during i915_fence_release X-BeenThere: intel-gfx@lists.freedesktop.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Intel graphics driver community testing & development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: intel-gfx-bounces@lists.freedesktop.org Sender: "Intel-gfx" Quoting Tvrtko Ursulin (2020-05-21 10:13:14) > > On 21/05/2020 09:53, Chris Wilson wrote: > > In order to be valid to dereference during the i915_fence_release, after > > retiring the fence and releasing its refererences, we assume that > > rq->engine can only be a real engine (that stay intact until the device > > is shutdown after all fences have been flushed). However, due to a quirk > > of preempt-to-busy, we may retire a request that still belongs to a > > virtual engine and so eventually free it with rq->engine being invalid. > > To avoid dereferencing that invalid engine, we look at the > > execution_mask which if it indicates it may be executed on more than one > > engine, we know it originated on a virtual engine and may still be on > > one. > > > > Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/1906 > > Fixes: 43acd6516ca9 ("drm/i915: Keep a per-engine request pool") > > Signed-off-by: Chris Wilson > > Cc: Tvrtko Ursulin > > --- > > drivers/gpu/drm/i915/i915_request.c | 25 +++++++++++++++++++++++-- > > 1 file changed, 23 insertions(+), 2 deletions(-) > > > > diff --git a/drivers/gpu/drm/i915/i915_request.c b/drivers/gpu/drm/i915/i915_request.c > > index 526c1e9acbd5..6e357183bece 100644 > > --- a/drivers/gpu/drm/i915/i915_request.c > > +++ b/drivers/gpu/drm/i915/i915_request.c > > @@ -121,8 +121,29 @@ static void i915_fence_release(struct dma_fence *fence) > > i915_sw_fence_fini(&rq->submit); > > i915_sw_fence_fini(&rq->semaphore); > > > > - /* Keep one request on each engine for reserved use under mempressure */ > > - if (!cmpxchg(&rq->engine->request_pool, NULL, rq)) > > + /* > > + * Keep one request on each engine for reserved use under mempressure > > + * > > + * We do not hold a reference to the engine here and so have to be > > + * very careful in what rq->engine we poke. The virtual engine is > > + * referenced via the rq->context and we released that ref during > > + * i915_request_retire(), ergo we must not dereference a virtual > > + * engine here. Not that we would want to, as the only consumer of > > + * the reserved engine->request_pool is the powermanagent parking, > > power management > > > + * which must-not-fail, and that is only run on the physical engines. > > + * > > + * Since the request must have been executed to be have completed, > > + * we know that it will have been processed by the HW and will > > + * not be unsubmitted again, so rq->engine and rq->execution_mask > > + * at this point is stable. rq->execution_mask will be a single > > + * bit if the last and only engine it could execution on was a > > + * physical engine, if it's multiple bits then it started on and > > + * could still be on a virtual engine. Thus if the mask is not a > > + * power-of-two we assume that rq->engine may still be a virtual > > + * engien and so a dangling invalid pointer that we cannot > > engine > > But.. submit fence can mask out execution_mask bits and make it appear > the request was on a physical engine. What then? Then we execute along a single engine and it is never returned to the virtual engine (in __unwind_incomplete_requests). + * at this point is stable. rq->execution_mask will be a single + * bit if the last and only engine it could execution on was a + * physical engine, if it's multiple bits then it started on and -Chris _______________________________________________ Intel-gfx mailing list Intel-gfx@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/intel-gfx