linux_dsm_epyc7002/drivers/gpu/drm/i915/gem
Chris Wilson f524a774a4 drm/i915/gem: Hold obj->vma.lock over for_each_ggtt_vma()
While the ggtt vma are protected by their object lifetime, the list
continues until it hits a non-ggtt vma, and that vma is not protected
and may be freed as we inspect it. Hence, we require the obj->vma.lock
to protect the list as we iterate.

An example of forgetting to hold the obj->vma.lock is

[1642834.464973] general protection fault, probably for non-canonical address 0xdead000000000122: 0000 [#1] SMP PTI
[1642834.464977] CPU: 3 PID: 1954 Comm: Xorg Not tainted 5.6.0-300.fc32.x86_64 #1
[1642834.464979] Hardware name: LENOVO 20ARS25701/20ARS25701, BIOS GJET94WW (2.44 ) 09/14/2017
[1642834.465021] RIP: 0010:i915_gem_object_set_tiling+0x2c0/0x3e0 [i915]
[1642834.465024] Code: 8b 84 24 18 01 00 00 f6 c4 80 74 59 49 8b 94 24 a0 00 00 00 49 8b 84 24 e0 00 00 00 49 8b 74 24 10 48 8b 92 30 01 00 00 89 c7 <80> ba 0a 06 00 00 03 0f 87 86 00 00 00 ba 00 00 08 00 b9 00 00 10
[1642834.465025] RSP: 0018:ffffa98780c77d60 EFLAGS: 00010282
[1642834.465028] RAX: ffff8d232bfb2578 RBX: 0000000000000002 RCX: ffff8d25873a0000
[1642834.465029] RDX: dead000000000122 RSI: fffff0af8ac6e408 RDI: 000000002bfb2578
[1642834.465030] RBP: ffff8d25873a0000 R08: ffff8d252bfb5638 R09: 0000000000000000
[1642834.465031] R10: 0000000000000000 R11: ffff8d252bfb5640 R12: ffffa987801cb8f8
[1642834.465032] R13: 0000000000001000 R14: ffff8d233e972e50 R15: ffff8d233e972d00
[1642834.465034] FS:  00007f6a3d327f00(0000) GS:ffff8d25926c0000(0000) knlGS:0000000000000000
[1642834.465036] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[1642834.465037] CR2: 00007f6a2064d000 CR3: 00000002fb57c001 CR4: 00000000001606e0
[1642834.465038] Call Trace:
[1642834.465083]  i915_gem_set_tiling_ioctl+0x122/0x230 [i915]
[1642834.465121]  ? i915_gem_object_set_tiling+0x3e0/0x3e0 [i915]
[1642834.465151]  drm_ioctl_kernel+0x86/0xd0 [drm]
[1642834.465156]  ? avc_has_perm+0x3b/0x160
[1642834.465178]  drm_ioctl+0x206/0x390 [drm]
[1642834.465216]  ? i915_gem_object_set_tiling+0x3e0/0x3e0 [i915]
[1642834.465221]  ? selinux_file_ioctl+0x122/0x1c0
[1642834.465226]  ? __do_munmap+0x24b/0x4d0
[1642834.465231]  ksys_ioctl+0x82/0xc0
[1642834.465235]  __x64_sys_ioctl+0x16/0x20
[1642834.465238]  do_syscall_64+0x5b/0xf0
[1642834.465243]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[1642834.465245] RIP: 0033:0x7f6a3d7b047b
[1642834.465247] Code: 0f 1e fa 48 8b 05 1d aa 0c 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ed a9 0c 00 f7 d8 64 89 01 48
[1642834.465249] RSP: 002b:00007ffe71adba28 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[1642834.465251] RAX: ffffffffffffffda RBX: 000055f99048fa40 RCX: 00007f6a3d7b047b
[1642834.465253] RDX: 00007ffe71adba30 RSI: 00000000c0106461 RDI: 000000000000000e
[1642834.465254] RBP: 0000000000000002 R08: 000055f98f3f1798 R09: 0000000000000002
[1642834.465255] R10: 0000000000001000 R11: 0000000000000246 R12: 0000000000000080
[1642834.465257] R13: 000055f98f3f1690 R14: 00000000c0106461 R15: 00007ffe71adba30

Now to take the spinlock during the list iteration, we need to break it
down into two phases. In the first phase under the lock, we cannot sleep
and so must defer the actual work to a second list, protected by the
ggtt->mutex.

We also need to hold the spinlock during creation of a new vma to
serialise with updates of the tiling on the object.

Reported-by: Dave Airlie <airlied@redhat.com>
Fixes: 2850748ef8 ("drm/i915: Pull i915_vma_pin under the vm->mutex")
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Cc: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
Cc: Dave Airlie <airlied@redhat.com>
Cc: <stable@vger.kernel.org> # v5.5+
Reviewed-by: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20200422072805.17340-1-chris@chris-wilson.co.uk
(cherry picked from commit cb593e5d2b)
Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
2020-04-27 09:47:37 -07:00
..
selftests drm/i915/selftests: Fix i915_address_space refcnt leak 2020-04-27 09:47:33 -07:00
i915_gem_busy.c drm/i915: Align engine->uabi_class/instance with i915_drm.h 2020-01-20 09:13:01 +00:00
i915_gem_clflush.c drm/i915: Hold reference to intel_frontbuffer as we track activity 2019-12-18 12:09:57 +00:00
i915_gem_clflush.h drm/i915: Move more GEM objects under gem/ 2019-05-28 12:45:29 +01:00
i915_gem_client_blt.c drm/i915: Apply i915_request_skip() on submission 2020-03-04 14:29:50 +00:00
i915_gem_client_blt.h drm/i915: add in-kernel blitter client 2019-05-30 12:01:44 +01:00
i915_gem_context_types.h drm/i915/gem: use spinlock_t instead of struct spinlock 2020-02-19 15:08:49 +02:00
i915_gem_context.c drm/i915: Use explicit flag to mark unreachable intel_context 2020-03-26 10:21:04 -07:00
i915_gem_context.h drm/i915/gem: Check for a closed context when looking up an engine 2020-03-20 07:04:41 -07:00
i915_gem_dmabuf.c drm/i915: Skip CPU synchronisation on dmabuf attachments 2020-02-11 00:16:15 +00:00
i915_gem_domain.c drm/i915: Hold reference to intel_frontbuffer as we track activity 2019-12-18 12:09:57 +00:00
i915_gem_execbuffer.c drm/i915/gem: Flush all the reloc_gpu batch 2020-04-06 10:31:38 -07:00
i915_gem_fence.c Merge drm/drm-next into drm-intel-next-queued 2019-08-22 00:10:36 -07:00
i915_gem_internal.c drm/i915: significantly reduce the use of <drm/i915_drm.h> 2020-02-27 08:35:09 +02:00
i915_gem_ioctls.h drm/i915: Introduce DRM_I915_GEM_MMAP_OFFSET 2019-12-04 15:11:44 +00:00
i915_gem_lmem.c drm/i915/gem: Support discontiguous lmem object maps 2020-01-03 11:26:01 +00:00
i915_gem_lmem.h drm/i915/gem: Support discontiguous lmem object maps 2020-01-03 11:26:01 +00:00
i915_gem_mman.c drm/i915/gem: Mark up the racy read of the mmap_singleton 2020-03-11 12:00:02 +00:00
i915_gem_mman.h drm/i915: Introduce DRM_I915_GEM_MMAP_OFFSET 2019-12-04 15:11:44 +00:00
i915_gem_object_blt.c drm/i915: Add Wa_1209644611:icl,ehl 2020-03-13 08:59:01 -07:00
i915_gem_object_blt.h drm/i915/blt: support copying objects 2019-08-10 19:35:36 +01:00
i915_gem_object_types.h drm/i915: Never allow userptr into the new mapping types 2020-02-08 11:26:03 +00:00
i915_gem_object.c drm/i915/gem: Break up long lists of object reclaim 2020-02-21 17:32:17 +00:00
i915_gem_object.h drm/i915: significantly reduce the use of <drm/i915_drm.h> 2020-02-27 08:35:09 +02:00
i915_gem_pages.c drm/i915/gem: manual conversion to struct drm_device logging macros. 2020-01-27 11:07:06 +02:00
i915_gem_phys.c drm/i915/phys: unconditionally call release_memory_region 2020-03-06 10:05:17 +00:00
i915_gem_pm.c drm/i915/gem: Make WARN* drm specific where drm_priv ptr is available 2020-01-22 17:52:39 +02:00
i915_gem_pm.h drm/i915: Teach record_defaults to operate on the intel_gt 2019-10-22 20:43:07 +01:00
i915_gem_region.c drm/i915/gem: Single page objects are naturally contiguous 2020-01-02 21:21:17 +00:00
i915_gem_region.h drm/i915/region: support contiguous allocations 2019-10-08 20:50:01 +01:00
i915_gem_shmem.c drm/i915/gem: Make WARN* drm specific where drm_priv ptr is available 2020-01-22 17:52:39 +02:00
i915_gem_shrinker.c drm/i915: significantly reduce the use of <drm/i915_drm.h> 2020-02-27 08:35:09 +02:00
i915_gem_shrinker.h drm/i915: extract i915_gem_shrinker.h from i915_drv.h 2019-08-09 12:03:32 +03:00
i915_gem_stolen.c drm/i915/vgpu: improve vgpu abstractions 2020-03-03 17:46:54 +02:00
i915_gem_stolen.h drm/i915/display: Be explicit in handling the preallocated vma 2020-02-05 09:20:39 +00:00
i915_gem_throttle.c drm/i915: Keep drm_i915_file_private around under RCU 2019-08-23 22:13:17 +01:00
i915_gem_tiling.c drm/i915/gem: Hold obj->vma.lock over for_each_ggtt_vma() 2020-04-27 09:47:37 -07:00
i915_gem_userptr.c drm/i915: significantly reduce the use of <drm/i915_drm.h> 2020-02-27 08:35:09 +02:00
i915_gem_wait.c dma-buf: rename reservation_object to dma_resv 2019-08-13 09:09:30 +02:00
i915_gemfs.c drm/i915: Stop reconfiguring our shmemfs mountpoint 2019-08-09 20:18:30 +01:00
i915_gemfs.h drm/i915: Move more GEM objects under gem/ 2019-05-28 12:45:29 +01:00