aboutsummaryrefslogtreecommitdiffstats
path: root/drivers
diff options
context:
space:
mode:
authorChris Wilson <chris@chris-wilson.co.uk>2010-11-17 04:10:42 -0500
committerChris Wilson <chris@chris-wilson.co.uk>2010-11-19 04:30:15 -0500
commit51311d0a5c69adaec582080ad8d9b174a44dfd7a (patch)
treea9267db7d647ad7ef2a5693875de6c7245024c46 /drivers
parent1bb95834bbcdc969e477a9284cf96c17a4c2616f (diff)
drm/i915: Do not hold mutex when faulting in user addresses
Linus Torvalds found that it was rather trivial to trigger a system freeze: In fact, with lockdep, I don't even need to do the sysrq-d thing: it shows the bug as it happens. It's the X server taking the same lock recursively. Here's the problem: ============================================= [ INFO: possible recursive locking detected ] 2.6.37-rc2-00012-gbdbd01a #7 --------------------------------------------- Xorg/2816 is trying to acquire lock: (&dev->struct_mutex){+.+.+.}, at: [<ffffffff812c626c>] i915_gem_fault+0x50/0x17e but task is already holding lock: (&dev->struct_mutex){+.+.+.}, at: [<ffffffff812c403b>] i915_mutex_lock_interruptible+0x28/0x4a other info that might help us debug this: 2 locks held by Xorg/2816: #0: (&dev->struct_mutex){+.+.+.}, at: [<ffffffff812c403b>] i915_mutex_lock_interruptible+0x28/0x4a #1: (&mm->mmap_sem){++++++}, at: [<ffffffff81022d4f>] page_fault+0x156/0x37b This recursion was introduced by rearranging the locking to avoid the double locking on the fast path (4f27b5d and fbd5a26d) and the introduction of the prefault to encourage the fast paths (b5e4f2b). In order to undo the problem, we rearrange the code to perform the access validation upfront, attempt to prefault and then fight for control of the mutex. the best case scenario where the mutex is uncontended the prefaulting is not wasted. Reported-and-tested-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Diffstat (limited to 'drivers')
-rw-r--r--drivers/gpu/drm/i915/i915_gem.c63
1 files changed, 27 insertions, 36 deletions
diff --git a/drivers/gpu/drm/i915/i915_gem.c b/drivers/gpu/drm/i915/i915_gem.c
index 781c26c37b38..17b1cba3b5f1 100644
--- a/drivers/gpu/drm/i915/i915_gem.c
+++ b/drivers/gpu/drm/i915/i915_gem.c
@@ -547,6 +547,19 @@ i915_gem_pread_ioctl(struct drm_device *dev, void *data,
547 struct drm_i915_gem_object *obj_priv; 547 struct drm_i915_gem_object *obj_priv;
548 int ret = 0; 548 int ret = 0;
549 549
550 if (args->size == 0)
551 return 0;
552
553 if (!access_ok(VERIFY_WRITE,
554 (char __user *)(uintptr_t)args->data_ptr,
555 args->size))
556 return -EFAULT;
557
558 ret = fault_in_pages_writeable((char __user *)(uintptr_t)args->data_ptr,
559 args->size);
560 if (ret)
561 return -EFAULT;
562
550 ret = i915_mutex_lock_interruptible(dev); 563 ret = i915_mutex_lock_interruptible(dev);
551 if (ret) 564 if (ret)
552 return ret; 565 return ret;
@@ -564,23 +577,6 @@ i915_gem_pread_ioctl(struct drm_device *dev, void *data,
564 goto out; 577 goto out;
565 } 578 }
566 579
567 if (args->size == 0)
568 goto out;
569
570 if (!access_ok(VERIFY_WRITE,
571 (char __user *)(uintptr_t)args->data_ptr,
572 args->size)) {
573 ret = -EFAULT;
574 goto out;
575 }
576
577 ret = fault_in_pages_writeable((char __user *)(uintptr_t)args->data_ptr,
578 args->size);
579 if (ret) {
580 ret = -EFAULT;
581 goto out;
582 }
583
584 ret = i915_gem_object_get_pages_or_evict(obj); 580 ret = i915_gem_object_get_pages_or_evict(obj);
585 if (ret) 581 if (ret)
586 goto out; 582 goto out;
@@ -981,7 +977,20 @@ i915_gem_pwrite_ioctl(struct drm_device *dev, void *data,
981 struct drm_i915_gem_pwrite *args = data; 977 struct drm_i915_gem_pwrite *args = data;
982 struct drm_gem_object *obj; 978 struct drm_gem_object *obj;
983 struct drm_i915_gem_object *obj_priv; 979 struct drm_i915_gem_object *obj_priv;
984 int ret = 0; 980 int ret;
981
982 if (args->size == 0)
983 return 0;
984
985 if (!access_ok(VERIFY_READ,
986 (char __user *)(uintptr_t)args->data_ptr,
987 args->size))
988 return -EFAULT;
989
990 ret = fault_in_pages_readable((char __user *)(uintptr_t)args->data_ptr,
991 args->size);
992 if (ret)
993 return -EFAULT;
985 994
986 ret = i915_mutex_lock_interruptible(dev); 995 ret = i915_mutex_lock_interruptible(dev);
987 if (ret) 996 if (ret)
@@ -994,30 +1003,12 @@ i915_gem_pwrite_ioctl(struct drm_device *dev, void *data,
994 } 1003 }
995 obj_priv = to_intel_bo(obj); 1004 obj_priv = to_intel_bo(obj);
996 1005
997
998 /* Bounds check destination. */ 1006 /* Bounds check destination. */
999 if (args->offset > obj->size || args->size > obj->size - args->offset) { 1007 if (args->offset > obj->size || args->size > obj->size - args->offset) {
1000 ret = -EINVAL; 1008 ret = -EINVAL;
1001 goto out; 1009 goto out;
1002 } 1010 }
1003 1011
1004 if (args->size == 0)
1005 goto out;
1006
1007 if (!access_ok(VERIFY_READ,
1008 (char __user *)(uintptr_t)args->data_ptr,
1009 args->size)) {
1010 ret = -EFAULT;
1011 goto out;
1012 }
1013
1014 ret = fault_in_pages_readable((char __user *)(uintptr_t)args->data_ptr,
1015 args->size);
1016 if (ret) {
1017 ret = -EFAULT;
1018 goto out;
1019 }
1020
1021 /* We can only do the GTT pwrite on untiled buffers, as otherwise 1012 /* We can only do the GTT pwrite on untiled buffers, as otherwise
1022 * it would end up going through the fenced access, and we'll get 1013 * it would end up going through the fenced access, and we'll get
1023 * different detiling behavior between reading and writing. 1014 * different detiling behavior between reading and writing.