Commit 77715906 authored by Chris Wilson's avatar Chris Wilson

drm/i915: Keep drm_i915_file_private around under RCU

Ensure that the drm_i915_file_private continues to exist as we attempt
to remove a request from its list, which may race with the destruction
of the file.

<6> [38.380714] [IGT] gem_ctx_create: starting subtest basic-files
<0> [42.201329] BUG: spinlock bad magic on CPU#0, kworker/u16:0/7
<4> [42.201356] general protection fault: 0000 [#1] PREEMPT SMP PTI
<4> [42.201371] CPU: 0 PID: 7 Comm: kworker/u16:0 Tainted: G     U            5.3.0-rc5-CI-Patchwork_14169+ #1
<4> [42.201391] Hardware name: Dell Inc.                 OptiPlex 745                 /0GW726, BIOS 2.3.1  05/21/2007
<4> [42.201594] Workqueue: i915 retire_work_handler [i915]
<4> [42.201614] RIP: 0010:spin_dump+0x5a/0x90
<4> [42.201625] Code: 00 48 8d 88 c0 06 00 00 48 c7 c7 00 71 09 82 e8 35 ef 00 00 48 85 db 44 8b 4d 08 41 b8 ff ff ff ff 48 c7 c1 0b cd 0f 82 74 0e <44> 8b 83 e0 04 00 00 48 8d 8b c0 06 00 00 8b 55 04 48 89 ee 48 c7
<4> [42.201660] RSP: 0018:ffffc9000004bd80 EFLAGS: 00010202
<4> [42.201673] RAX: 0000000000000031 RBX: 6b6b6b6b6b6b6b6b RCX: ffffffff820fcd0b
<4> [42.201688] RDX: 0000000000000000 RSI: ffff88803de266f8 RDI: 00000000ffffffff
<4> [42.201703] RBP: ffff888038381ff8 R08: 00000000ffffffff R09: 000000006b6b6b6b
<4> [42.201718] R10: 0000000041cb0b89 R11: 646162206b636f6c R12: ffff88802a618500
<4> [42.201733] R13: ffff88802b32c288 R14: ffff888038381ff8 R15: ffff88802b32c250
<4> [42.201748] FS:  0000000000000000(0000) GS:ffff88803de00000(0000) knlGS:0000000000000000
<4> [42.201765] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
<4> [42.201778] CR2: 00007f2cefc6d180 CR3: 00000000381ee000 CR4: 00000000000006f0
<4> [42.201793] Call Trace:
<4> [42.201805]  do_raw_spin_lock+0x66/0xb0
<4> [42.201898]  i915_request_retire+0x548/0x7c0 [i915]
<4> [42.201989]  retire_requests+0x4d/0x60 [i915]
<4> [42.202078]  i915_retire_requests+0x144/0x2e0 [i915]
<4> [42.202169]  retire_work_handler+0x10/0x40 [i915]

Recently, in commit 44c22f3f ("drm/i915: Serialize insertion into the
file->mm.request_list"), we fixed a race on insertion. Now, it appears
we also have a race with destruction!
Signed-off-by: default avatarChris Wilson <chris@chris-wilson.co.uk>
Cc: Matthew Auld <matthew.auld@intel.com>
Reviewed-by: default avatarMatthew Auld <matthew.auld@intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20190823181455.31910-1-chris@chris-wilson.co.uk
parent 936ad29d
...@@ -50,10 +50,8 @@ i915_gem_throttle_ioctl(struct drm_device *dev, void *data, ...@@ -50,10 +50,8 @@ i915_gem_throttle_ioctl(struct drm_device *dev, void *data,
if (time_after_eq(request->emitted_jiffies, recent_enough)) if (time_after_eq(request->emitted_jiffies, recent_enough))
break; break;
if (target) { if (target && xchg(&target->file_priv, NULL))
list_del(&target->client_link); list_del(&target->client_link);
target->file_priv = NULL;
}
target = request; target = request;
} }
......
...@@ -1730,7 +1730,7 @@ static void i915_driver_postclose(struct drm_device *dev, struct drm_file *file) ...@@ -1730,7 +1730,7 @@ static void i915_driver_postclose(struct drm_device *dev, struct drm_file *file)
i915_gem_release(dev, file); i915_gem_release(dev, file);
mutex_unlock(&dev->struct_mutex); mutex_unlock(&dev->struct_mutex);
kfree(file_priv); kfree_rcu(file_priv, rcu);
/* Catch up with all the deferred frees from "this" client */ /* Catch up with all the deferred frees from "this" client */
i915_gem_flush_free_objects(to_i915(dev)); i915_gem_flush_free_objects(to_i915(dev));
......
...@@ -185,7 +185,11 @@ struct i915_mmu_object; ...@@ -185,7 +185,11 @@ struct i915_mmu_object;
struct drm_i915_file_private { struct drm_i915_file_private {
struct drm_i915_private *dev_priv; struct drm_i915_private *dev_priv;
struct drm_file *file;
union {
struct drm_file *file;
struct rcu_head rcu;
};
struct { struct {
spinlock_t lock; spinlock_t lock;
......
...@@ -169,16 +169,17 @@ remove_from_client(struct i915_request *request) ...@@ -169,16 +169,17 @@ remove_from_client(struct i915_request *request)
{ {
struct drm_i915_file_private *file_priv; struct drm_i915_file_private *file_priv;
file_priv = READ_ONCE(request->file_priv); if (!READ_ONCE(request->file_priv))
if (!file_priv)
return; return;
spin_lock(&file_priv->mm.lock); rcu_read_lock();
if (request->file_priv) { file_priv = xchg(&request->file_priv, NULL);
if (file_priv) {
spin_lock(&file_priv->mm.lock);
list_del(&request->client_link); list_del(&request->client_link);
request->file_priv = NULL; spin_unlock(&file_priv->mm.lock);
} }
spin_unlock(&file_priv->mm.lock); rcu_read_unlock();
} }
static void free_capture_list(struct i915_request *request) static void free_capture_list(struct i915_request *request)
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment