diff options
| author | Chris Wilson <chris@chris-wilson.co.uk> | 2013-12-04 06:37:09 -0500 |
|---|---|---|
| committer | Daniel Vetter <daniel.vetter@ffwll.ch> | 2013-12-12 04:49:05 -0500 |
| commit | 4db080f9e93411c3c41ec402244da28e2bbde835 (patch) | |
| tree | 6491769be6090a1e3ae93a564e1bcd9951b6f861 | |
| parent | 9ae9ab522094406915c27dc729d3ecef7b44af72 (diff) | |
drm/i915: Fix erroneous dereference of batch_obj inside reset_status
As the rings may be processed and their requests deallocated in a
different order to the natural retirement during a reset,
/* Whilst this request exists, batch_obj will be on the
* active_list, and so will hold the active reference. Only when this
* request is retired will the the batch_obj be moved onto the
* inactive_list and lose its active reference. Hence we do not need
* to explicitly hold another reference here.
*/
is violated, and the batch_obj may be dereferenced after it had been
freed on another ring. This can be simply avoided by processing the
status update prior to deallocating any requests.
Fixes regression (a possible OOPS following a GPU hang) from
commit aa60c664e6df502578454621c3a9b1f087ff8d25
Author: Mika Kuoppala <mika.kuoppala@linux.intel.com>
Date: Wed Jun 12 15:13:20 2013 +0300
drm/i915: find guilty batch buffer on ring resets
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Cc: Mika Kuoppala <mika.kuoppala@intel.com>
Cc: stable@vger.kernel.org
Reviewed-by: Mika Kuoppala <mika.kuoppala@intel.com>
[danvet: Add the code comment Chris supplied.]
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
| -rw-r--r-- | drivers/gpu/drm/i915/i915_gem.c | 34 |
1 files changed, 24 insertions, 10 deletions
diff --git a/drivers/gpu/drm/i915/i915_gem.c b/drivers/gpu/drm/i915/i915_gem.c index 621c7c67a643..76d3d1ab73c6 100644 --- a/drivers/gpu/drm/i915/i915_gem.c +++ b/drivers/gpu/drm/i915/i915_gem.c | |||
| @@ -2343,15 +2343,24 @@ static void i915_gem_free_request(struct drm_i915_gem_request *request) | |||
| 2343 | kfree(request); | 2343 | kfree(request); |
| 2344 | } | 2344 | } |
| 2345 | 2345 | ||
| 2346 | static void i915_gem_reset_ring_lists(struct drm_i915_private *dev_priv, | 2346 | static void i915_gem_reset_ring_status(struct drm_i915_private *dev_priv, |
| 2347 | struct intel_ring_buffer *ring) | 2347 | struct intel_ring_buffer *ring) |
| 2348 | { | 2348 | { |
| 2349 | u32 completed_seqno; | 2349 | u32 completed_seqno = ring->get_seqno(ring, false); |
| 2350 | u32 acthd; | 2350 | u32 acthd = intel_ring_get_active_head(ring); |
| 2351 | struct drm_i915_gem_request *request; | ||
| 2352 | |||
| 2353 | list_for_each_entry(request, &ring->request_list, list) { | ||
| 2354 | if (i915_seqno_passed(completed_seqno, request->seqno)) | ||
| 2355 | continue; | ||
| 2351 | 2356 | ||
| 2352 | acthd = intel_ring_get_active_head(ring); | 2357 | i915_set_reset_status(ring, request, acthd); |
| 2353 | completed_seqno = ring->get_seqno(ring, false); | 2358 | } |
| 2359 | } | ||
| 2354 | 2360 | ||
| 2361 | static void i915_gem_reset_ring_cleanup(struct drm_i915_private *dev_priv, | ||
| 2362 | struct intel_ring_buffer *ring) | ||
| 2363 | { | ||
| 2355 | while (!list_empty(&ring->request_list)) { | 2364 | while (!list_empty(&ring->request_list)) { |
| 2356 | struct drm_i915_gem_request *request; | 2365 | struct drm_i915_gem_request *request; |
| 2357 | 2366 | ||
| @@ -2359,9 +2368,6 @@ static void i915_gem_reset_ring_lists(struct drm_i915_private *dev_priv, | |||
| 2359 | struct drm_i915_gem_request, | 2368 | struct drm_i915_gem_request, |
| 2360 | list); | 2369 | list); |
| 2361 | 2370 | ||
| 2362 | if (request->seqno > completed_seqno) | ||
| 2363 | i915_set_reset_status(ring, request, acthd); | ||
| 2364 | |||
| 2365 | i915_gem_free_request(request); | 2371 | i915_gem_free_request(request); |
| 2366 | } | 2372 | } |
| 2367 | 2373 | ||
| @@ -2403,8 +2409,16 @@ void i915_gem_reset(struct drm_device *dev) | |||
| 2403 | struct intel_ring_buffer *ring; | 2409 | struct intel_ring_buffer *ring; |
| 2404 | int i; | 2410 | int i; |
| 2405 | 2411 | ||
| 2412 | /* | ||
| 2413 | * Before we free the objects from the requests, we need to inspect | ||
| 2414 | * them for finding the guilty party. As the requests only borrow | ||
| 2415 | * their reference to the objects, the inspection must be done first. | ||
| 2416 | */ | ||
| 2417 | for_each_ring(ring, dev_priv, i) | ||
| 2418 | i915_gem_reset_ring_status(dev_priv, ring); | ||
| 2419 | |||
| 2406 | for_each_ring(ring, dev_priv, i) | 2420 | for_each_ring(ring, dev_priv, i) |
| 2407 | i915_gem_reset_ring_lists(dev_priv, ring); | 2421 | i915_gem_reset_ring_cleanup(dev_priv, ring); |
| 2408 | 2422 | ||
| 2409 | i915_gem_cleanup_ringbuffer(dev); | 2423 | i915_gem_cleanup_ringbuffer(dev); |
| 2410 | 2424 | ||