mirror of
https://github.com/AuxXxilium/linux_dsm_epyc7002.git
synced 2025-01-27 08:42:42 +07:00
acc240d41e
So apparently under ridiculous amounts of memory pressure we can get
into trouble in do_switch when we try to move the old hw context
backing storage object onto the active lists.
With list debugging enabled that usually results in us chasing a
poisoned pointer - which means we've hit upon a vma that has been
removed from all lrus with list_del (and then deallocated, so it's a
real use-after free).
Ian Lister has done some great callchain chasing and noticed that we
can reenter do_switch:
i915_gem_do_execbuffer()
i915_switch_context()
do_switch()
from = ring->last_context;
i915_gem_object_pin()
i915_gem_object_bind_to_gtt()
ret = drm_mm_insert_node_in_range_generic();
// If the above call fails then it will try i915_gem_evict_something()
// If that fails it will call i915_gem_evict_everything() ...
i915_gem_evict_everything()
i915_gpu_idle()
i915_switch_context(DEFAULT_CONTEXT)
Like with everything else where the shrinker or eviction code can
invalidate pointers we need to reload relevant state.
Note that there's no need to recheck whether a context switch is still
required because:
- Doing a switch to the same context is harmless (besides wasting a
bit of energy).
- This can only happen with the default context. But since that one's
pinned we'll never call down into evict_everything under normal
circumstances. Note that there's a little driver bringup fun
involved namely that we could recourse into do_switch for the
initial switch. Atm we're fine since we assign the context pointer
only after the call to do_switch at driver load or resume time. And
in the gpu reset case we skip the entire setup sequence (which might
be a bug on its own, but definitely not this one here).
Cc'ing stable since apparently ChromeOS guys are seeing this in the
wild (and not just on artificial stress tests), see the reference.
Note that in upstream code doesn't calle evict_everything directly
from evict_something, that's an extension in this product branch. But
we can still hit upon this bug (and apparently we do, see the linked
backtraces). I've noticed this while trying to construct a testcase
for this bug and utterly failed to provoke it. It looks like we need
to driver the system squarly into the lowmem wall and provoke the
shrinker to evict the context object by doing the last-ditch
evict_everything call.
Aside: There's currently no means to get a badly-fragmenting hw
context object away from a bad spot in the upstream code. We should
fix this by at least adding some code to evict_something to handle hw
contexts.
References: https://code.google.com/p/chromium/issues/detail?id=248191
Reported-by: Ian Lister <ian.lister@intel.com>
Cc: Ian Lister <ian.lister@intel.com>
Cc: stable@vger.kernel.org
Cc: Ben Widawsky <benjamin.widawsky@intel.com>
Cc: Stéphane Marchesin <marcheu@chromium.org>
Cc: Bloomfield, Jon <jon.bloomfield@intel.com>
Tested-by: Rafael Barbalho <rafael.barbalho@intel.com>
Reviewed-by: Ian Lister <ian.lister@intel.com>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
|
||
|---|---|---|
| .. | ||
| dvo_ch7xxx.c | ||
| dvo_ch7017.c | ||
| dvo_ivch.c | ||
| dvo_ns2501.c | ||
| dvo_sil164.c | ||
| dvo_tfp410.c | ||
| dvo.h | ||
| i915_debugfs.c | ||
| i915_dma.c | ||
| i915_drv.c | ||
| i915_drv.h | ||
| i915_gem_context.c | ||
| i915_gem_debug.c | ||
| i915_gem_dmabuf.c | ||
| i915_gem_evict.c | ||
| i915_gem_execbuffer.c | ||
| i915_gem_gtt.c | ||
| i915_gem_stolen.c | ||
| i915_gem_tiling.c | ||
| i915_gem.c | ||
| i915_gpu_error.c | ||
| i915_ioc32.c | ||
| i915_irq.c | ||
| i915_reg.h | ||
| i915_suspend.c | ||
| i915_sysfs.c | ||
| i915_trace_points.c | ||
| i915_trace.h | ||
| i915_ums.c | ||
| intel_acpi.c | ||
| intel_bios.c | ||
| intel_bios.h | ||
| intel_crt.c | ||
| intel_ddi.c | ||
| intel_display.c | ||
| intel_dp.c | ||
| intel_drv.h | ||
| intel_dsi_cmd.c | ||
| intel_dsi_cmd.h | ||
| intel_dsi_pll.c | ||
| intel_dsi.c | ||
| intel_dsi.h | ||
| intel_dvo.c | ||
| intel_fbdev.c | ||
| intel_hdmi.c | ||
| intel_i2c.c | ||
| intel_lvds.c | ||
| intel_modes.c | ||
| intel_opregion.c | ||
| intel_overlay.c | ||
| intel_panel.c | ||
| intel_pm.c | ||
| intel_ringbuffer.c | ||
| intel_ringbuffer.h | ||
| intel_sdvo_regs.h | ||
| intel_sdvo.c | ||
| intel_sideband.c | ||
| intel_sprite.c | ||
| intel_tv.c | ||
| intel_uncore.c | ||
| Kconfig | ||
| Makefile | ||