public-mirrors/linux
1
0
Fork 0
mirror of git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git synced 2025-08-05 16:54:27 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
linux/drivers/gpu/drm/i915
History
Herton Ronaldo Krzesinski 09bfa51773 drm/i915: Prevent racy removal of request from client list 
When i915_gem_retire_requests_ring calls i915_gem_request_remove_from_client,
the client_list for that request may already be removed in i915_gem_release.
So we may call twice list_del(&request->client_list), resulting in an
oops like this report:

[126167.230394] BUG: unable to handle kernel paging request at 00100104
[126167.230699] IP: [<f8c2ce44>] i915_gem_retire_requests_ring+0xd4/0x240 [i915]
[126167.231042] *pdpt = 00000000314c1001 *pde = 0000000000000000
[126167.231314] Oops: 0002 [#1] SMP
[126167.231471] last sysfs file: /sys/devices/LNXSYSTM:00/device:00/PNP0C0A:00/power_supply/BAT1/current_now
[126167.231901] Modules linked in: snd_seq_dummy nls_utf8 isofs btrfs zlib_deflate libcrc32c ufs qnx4 hfsplus hfs minix ntfs vfat msdos fat jfs xfs exportfs reiserfs cryptd aes_i586 aes_generic binfmt_misc vboxnetadp vboxnetflt vboxdrv parport_pc ppdev snd_hda_codec_hdmi snd_hda_codec_conexant snd_hda_intel snd_hda_codec snd_hwdep arc4 snd_pcm snd_seq_midi snd_rawmidi snd_seq_midi_event snd_seq uvcvideo videodev snd_timer snd_seq_device joydev iwlagn iwlcore mac80211 snd cfg80211 soundcore i915 drm_kms_helper snd_page_alloc psmouse drm serio_raw i2c_algo_bit video lp parport usbhid hid sky2 sdhci_pci ahci sdhci libahci
[126167.232018]
[126167.232018] Pid: 1101, comm: Xorg Not tainted 2.6.38-6-generic-pae #34-Ubuntu Gateway                          MC7833U /
[126167.232018] EIP: 0060:[<f8c2ce44>] EFLAGS: 00213246 CPU: 0
[126167.232018] EIP is at i915_gem_retire_requests_ring+0xd4/0x240 [i915]
[126167.232018] EAX: 00200200 EBX: f1ac25b0 ECX: 00000040 EDX: 00100100
[126167.232018] ESI: f1a2801c EDI: e87fc060 EBP: ef4d7dd8 ESP: ef4d7db0
[126167.232018]  DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
[126167.232018] Process Xorg (pid: 1101, ti=ef4d6000 task=f1ba6500 task.ti=ef4d6000)
[126167.232018] Stack:
[126167.232018]  f1a28000 f1a2809c f1a28094 0058bd97 f1aa2400 f1a2801c 0058bd7b 0058bd85
[126167.232018]  f1a2801c f1a28000 ef4d7e38 f8c2e995 ef4d7e30 ef4d7e60 c14d1ebc f6b3a040
[126167.232018]  f1522cc0 000000db 00000000 f1ba6500 ffffffa1 00000000 00000001 f1a29214
[126167.232018] Call Trace:

Unfortunately the call trace reported was cut, but looking at debug
symbols the crash is at __list_del, when probably list_del is called
twice on the same request->client_list, as the dereferenced value is
LIST_POISON1 + 4, and by looking more at the debug symbols before
list_del call it should have being called by
i915_gem_request_remove_from_client

And as I can see in the code, it seems we indeed have the possibility
to remove a request->client_list twice, which would cause the above,
because we do list_del(&request->client_list) on both
i915_gem_request_remove_from_client and i915_gem_release

As Chris Wilson pointed out, it's indeed the case:
"(...) I had thought that the actual insertion/deletion was serialised
under the struct mutex and the intention of the spinlock was to protect
the unlocked list traversal during throttling. However, I missed that
i915_gem_release() is also called without struct mutex and so we do need
the double check for i915_gem_request_remove_from_client()."

This change does the required check to avoid the duplicate remove of
request->client_list.

Bugzilla: http://bugs.launchpad.net/bugs/733780
Cc: stable@kernel.org # 2.6.38
Signed-off-by: Herton Ronaldo Krzesinski <herton.krzesinski@canonical.com>
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
2011-03-23 06:41:12 +00:00
..
dvo.h
dvo_ch7xxx.c drm/i915: use GMBUS to manage i2c links 2010-09-18 15:46:19 +01:00
dvo_ch7017.c drm/i915/dvo: Report LVDS attached to ch701x as connected 2010-12-30 13:50:43 +00:00
dvo_ivch.c drm/i915: use GMBUS to manage i2c links 2010-09-18 15:46:19 +01:00
dvo_sil164.c drm/i915: use GMBUS to manage i2c links 2010-09-18 15:46:19 +01:00
dvo_tfp410.c drm/i915: use GMBUS to manage i2c links 2010-09-18 15:46:19 +01:00
i915_debugfs.c Merge branch 'drm-intel-fixes' into drm-intel-next 2011-03-07 12:35:15 +00:00
i915_dma.c drm/i915: don't store the reg value for HWS_PGA 2011-03-02 09:40:14 +00:00
i915_drv.c Merge remote branch 'intel/drm-intel-next' of ../drm-next into drm-core-next 2011-03-14 14:15:13 +10:00
i915_drv.h Merge remote branch 'intel/drm-intel-next' of ../drm-next into drm-core-next 2011-03-14 14:15:13 +10:00
i915_gem.c drm/i915: Prevent racy removal of request from client list 2011-03-23 06:41:12 +00:00
i915_gem_debug.c drm/i915: Refine tracepoints 2011-02-07 14:59:18 +00:00
i915_gem_evict.c drm/i915: Refine tracepoints 2011-02-07 14:59:18 +00:00
i915_gem_execbuffer.c Merge branch 'drm-intel-fixes' into drm-intel-next 2011-03-07 12:35:15 +00:00
i915_gem_gtt.c drm/i915,agp/intel: Do not clear stolen entries 2011-01-24 18:26:25 +00:00
i915_gem_tiling.c Merge branch 'drm-intel-fixes' into drm-intel-next 2011-03-07 12:35:15 +00:00
i915_ioc32.c
i915_irq.c drm/i915: Replace vblank PM QoS with "Interrupt-Based AGPBUSY#" 2011-03-01 17:33:38 +00:00
i915_mem.c
i915_reg.h Merge commit '5359533801e3dd3abca5b7d3d985b0b33fd9fe8b' into drm-core-next 2011-03-16 11:34:41 +10:00
i915_suspend.c drm/i915: Don't save/restore hardware status page address register 2011-03-02 11:26:13 +00:00
i915_trace.h drm/i915: Refine tracepoints 2011-02-07 14:59:18 +00:00
i915_trace_points.c
intel_acpi.c drm/i915: i915 cannot provide switcher services. 2010-12-08 15:40:44 +10:00
intel_bios.c Revert "drm/i915: Disable SSC for outputs other than LVDS or DP" 2011-02-22 15:55:28 +00:00
intel_bios.h Revert "drm/i915: Disable SSC for outputs other than LVDS or DP" 2011-02-22 15:55:28 +00:00
intel_crt.c drm/i915: cleanup per-pipe reg usage 2011-02-07 21:17:15 +00:00
intel_display.c drm/i915: skip redundant operations whilst enabling pipes and planes 2011-03-23 06:41:02 +00:00
intel_dp.c drm/i915/dp: Sanity check eDP existence 2011-03-07 11:06:02 +00:00
intel_drv.h drm/i915: Add support for limited color range of broadcast outputs 2011-02-22 15:56:56 +00:00
intel_dvo.c drm/i915: cleanup per-pipe reg usage 2011-02-07 21:17:15 +00:00
intel_fb.c Revert "drm: Update fbdev fb_fix_screeninfo" 2011-01-14 16:10:28 -08:00
intel_hdmi.c drm/i915: Add support for limited color range of broadcast outputs 2011-02-22 15:56:56 +00:00
intel_i2c.c drm/i915: Enable GMBUS for post-gen2 chipsets 2011-02-01 09:01:13 +00:00
intel_lvds.c Merge branch 'drm-intel-fixes' into drm-intel-next 2011-02-16 09:44:30 +00:00
intel_modes.c drm/i915: Add support for limited color range of broadcast outputs 2011-02-22 15:56:56 +00:00
intel_opregion.c drm/i915: Use a symbolic constant for OpRegion lid state 2011-02-24 18:13:42 +00:00
intel_overlay.c drm/i915: Use a device flag for non-interruptible phases 2011-02-22 15:56:25 +00:00
intel_panel.c Merge commit '5359533801e3dd3abca5b7d3d985b0b33fd9fe8b' into drm-core-next 2011-03-16 11:34:41 +10:00
intel_ringbuffer.c Merge branch 'drm-intel-fixes' into drm-intel-next 2011-02-16 09:44:30 +00:00
intel_ringbuffer.h Merge branch 'drm-intel-fixes' into drm-intel-next 2011-03-07 12:35:15 +00:00
intel_sdvo.c Merge remote branch 'intel/drm-intel-next' of ../drm-next into drm-core-next 2011-03-14 14:15:13 +10:00
intel_sdvo_regs.h
intel_tv.c Merge branch 'drm-intel-fixes' into drm-intel-next 2011-02-16 09:44:30 +00:00
Makefile drm/i915: Split i915_gem_execbuffer into its own file. 2010-11-25 21:19:25 +00:00