1. 03 May, 2017 5 commits
  2. 02 May, 2017 3 commits
  3. 28 Apr, 2017 6 commits
  4. 27 Apr, 2017 3 commits
  5. 26 Apr, 2017 2 commits
  6. 25 Apr, 2017 3 commits
  7. 24 Apr, 2017 1 commit
  8. 22 Apr, 2017 1 commit
    • Chris Wilson's avatar
      drm/i915: Confirm the request is still active before adding it to the await · ade0b0c9
      Chris Wilson authored
      Although we do check the completion-status of the request before
      actually adding a wait on it (either to its submit fence or its
      completion dma-fence), we currently do not check before adding it to the
      dependency lists.
      
      In fact, without checking for a completed request we may try to use the
      signaler after it has been retired and its dependency tree freed:
      
      [   60.044057] BUG: KASAN: use-after-free in __list_add_valid+0x1d/0xd0 at addr ffff880348c9e6a0
      [   60.044118] Read of size 8 by task gem_exec_fence/530
      [   60.044164] CPU: 1 PID: 530 Comm: gem_exec_fence Tainted: G            E   4.11.0-rc7+ #46
      [   60.044226] Hardware name: ��������������������������������� ���������������������������������/���������������������������������, BIOS RYBDWi35.86A.0246.2
      [   60.044290] Call Trace:
      [   60.044337]  dump_stack+0x4d/0x6a
      [   60.044383]  kasan_object_err+0x21/0x70
      [   60.044435]  kasan_report+0x225/0x4e0
      [   60.044488]  ? __list_add_valid+0x1d/0xd0
      [   60.044534]  ? kasan_kmalloc+0xad/0xe0
      [   60.044587]  __asan_load8+0x5e/0x70
      [   60.044639]  __list_add_valid+0x1d/0xd0
      [   60.044788]  __i915_priotree_add_dependency+0x67/0x130 [i915]
      [   60.044895]  i915_gem_request_await_request+0xa8/0x370 [i915]
      [   60.044974]  i915_gem_request_await_dma_fence+0x129/0x140 [i915]
      [   60.045049]  i915_gem_do_execbuffer.isra.37+0xb0a/0x26b0 [i915]
      [   60.045077]  ? save_stack+0xb1/0xd0
      [   60.045105]  ? save_stack_trace+0x1b/0x20
      [   60.045132]  ? save_stack+0x46/0xd0
      [   60.045158]  ? kasan_kmalloc+0xad/0xe0
      [   60.045184]  ? __kmalloc+0xd8/0x670
      [   60.045229]  ? drm_ioctl+0x359/0x640 [drm]
      [   60.045256]  ? SyS_ioctl+0x41/0x70
      [   60.045330]  ? i915_vma_move_to_active+0x540/0x540 [i915]
      [   60.045360]  ? tty_insert_flip_string_flags+0xa1/0xf0
      [   60.045387]  ? tty_flip_buffer_push+0x63/0x70
      [   60.045414]  ? remove_wait_queue+0xa9/0xc0
      [   60.045441]  ? kasan_unpoison_shadow+0x35/0x50
      [   60.045467]  ? kasan_kmalloc+0xad/0xe0
      [   60.045494]  ? kasan_check_write+0x14/0x20
      [   60.045568]  i915_gem_execbuffer2+0xdb/0x2a0 [i915]
      [   60.045616]  drm_ioctl+0x359/0x640 [drm]
      [   60.045705]  ? i915_gem_execbuffer+0x5a0/0x5a0 [i915]
      [   60.045751]  ? drm_version+0x150/0x150 [drm]
      [   60.045778]  ? compat_start_thread+0x60/0x60
      [   60.045805]  ? plist_del+0xda/0x1a0
      [   60.045833]  do_vfs_ioctl+0x12e/0x910
      [   60.045860]  ? ioctl_preallocate+0x130/0x130
      [   60.045886]  ? pci_mmcfg_check_reserved+0xc0/0xc0
      [   60.045913]  ? vfs_write+0x196/0x240
      [   60.045939]  ? __fget_light+0xa7/0xc0
      [   60.045965]  SyS_ioctl+0x41/0x70
      [   60.045991]  entry_SYSCALL_64_fastpath+0x17/0x98
      [   60.046017] RIP: 0033:0x7feb2baefc47
      [   60.046042] RSP: 002b:00007fff56d28e58 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
      [   60.046075] RAX: ffffffffffffffda RBX: 00007fff56d290a8 RCX: 00007feb2baefc47
      [   60.046102] RDX: 00007fff56d29050 RSI: 00000000c0406469 RDI: 0000000000000003
      [   60.046129] RBP: 00007fff56d29050 R08: 000055ecc4cd27d0 R09: 00007feb2bda8600
      [   60.046154] R10: 0000000000000073 R11: 0000000000000246 R12: 00000000c0406469
      [   60.046177] R13: 0000000000000003 R14: 000000000000000f R15: 0000000000000099
      [   60.046203] Object at ffff880348c9e680, in cache i915_dependency size: 64
      [   60.046225] Allocated:
      [   60.046246] PID = 530
      [   60.046269]  save_stack_trace+0x1b/0x20
      [   60.046292]  save_stack+0x46/0xd0
      [   60.046318]  kasan_kmalloc+0xad/0xe0
      [   60.046343]  kasan_slab_alloc+0x12/0x20
      [   60.046368]  kmem_cache_alloc+0xab/0x650
      [   60.046445]  i915_gem_request_await_request+0x88/0x370 [i915]
      [   60.046559]  i915_gem_request_await_dma_fence+0x129/0x140 [i915]
      [   60.046705]  i915_gem_do_execbuffer.isra.37+0xb0a/0x26b0 [i915]
      [   60.046849]  i915_gem_execbuffer2+0xdb/0x2a0 [i915]
      [   60.046936]  drm_ioctl+0x359/0x640 [drm]
      [   60.046987]  do_vfs_ioctl+0x12e/0x910
      [   60.047038]  SyS_ioctl+0x41/0x70
      [   60.047090]  entry_SYSCALL_64_fastpath+0x17/0x98
      [   60.047139] Freed:
      [   60.047179] PID = 530
      [   60.047223]  save_stack_trace+0x1b/0x20
      [   60.047269]  save_stack+0x46/0xd0
      [   60.047317]  kasan_slab_free+0x72/0xc0
      [   60.047366]  kmem_cache_free+0x39/0x160
      [   60.047512]  i915_gem_request_retire+0x83f/0x930 [i915]
      [   60.047657]  i915_gem_request_alloc+0x166/0x600 [i915]
      [   60.047799]  i915_gem_do_execbuffer.isra.37+0xad8/0x26b0 [i915]
      [   60.047897]  i915_gem_execbuffer2+0xdb/0x2a0 [i915]
      [   60.047942]  drm_ioctl+0x359/0x640 [drm]
      [   60.047968]  do_vfs_ioctl+0x12e/0x910
      [   60.047993]  SyS_ioctl+0x41/0x70
      [   60.048019]  entry_SYSCALL_64_fastpath+0x17/0x98
      [   60.048044] Memory state around the buggy address:
      [   60.048066]  ffff880348c9e580: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
      [   60.048105]  ffff880348c9e600: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
      [   60.048138] >ffff880348c9e680: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
      [   60.048170]                                ^
      [   60.048191]  ffff880348c9e700: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
      [   60.048225]  ffff880348c9e780: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
      
      Note to hit the use-after-free requires us to be passed back a request
      via a fence-array, that is from explicit fencing accumulated into a
      sync-file fence-array.
      
      Fixes: 52e54209 ("drm/i915/scheduler: Record all dependencies upon request construction")
      Testcase: igt/gem_exec_fence/expired-history
      Signed-off-by: default avatarChris Wilson <chris@chris-wilson.co.uk>
      Reviewed-by: default avatarMichał Winiarski <michal.winiarski@intel.com>
      Reviewed-by: default avatarJoonas Lahtinen <joonas.lahtinen@linux.intel.com>
      Cc: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
      Link: http://patchwork.freedesktop.org/patch/msgid/20170422081537.6468-1-chris@chris-wilson.co.uk
      ade0b0c9
  9. 21 Apr, 2017 2 commits
    • Chris Wilson's avatar
      drm/i915: Avoid busy-spinning on VLV_GLTC_PW_STATUS mmio · 3dd14c04
      Chris Wilson authored
      The busy-spin, as the first stage of intel_wait_for_register(), is
      currently under suspicion for causing:
      
      [   62.034926] NMI watchdog: Watchdog detected hard LOCKUP on cpu 1
      [   62.034928] Modules linked in: i2c_dev i915 intel_gtt drm_kms_helper prime_numbers
      [   62.034932] CPU: 1 PID: 183 Comm: kworker/1:2 Not tainted 4.11.0-rc7+ #471
      [   62.034933] Hardware name:                  /        , BIOS PYBSWCEL.86A.0027.2015.0507.1758 05/07/2015
      [   62.034934] Workqueue: pm pm_runtime_work
      [   62.034936] task: ffff880275a04ec0 task.stack: ffffc900002d8000
      [   62.034936] RIP: 0010:__intel_wait_for_register_fw+0x77/0x1a0 [i915]
      [   62.034937] RSP: 0018:ffffc900002dbc38 EFLAGS: 00000082
      [   62.034939] RAX: ffffc90003530094 RBX: 0000000000130094 RCX: 0000000000000001
      [   62.034940] RDX: 00000000000000a1 RSI: ffff88027fd15e58 RDI: 0000000000000000
      [   62.034941] RBP: ffffc900002dbc78 R08: 0000000000000002 R09: 0000000000000000
      [   62.034942] R10: ffffc900002dbc18 R11: ffff880276429dd0 R12: ffff8802707c0000
      [   62.034943] R13: 00000000000000a0 R14: 0000000000000000 R15: 00000000fffefc10
      [   62.034945] FS:  0000000000000000(0000) GS:ffff88027fd00000(0000) knlGS:0000000000000000
      [   62.034945] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [   62.034947] CR2: 00007ffd3cd98ff8 CR3: 0000000274c19000 CR4: 00000000001006e0
      [   62.034947] Call Trace:
      [   62.034948]  intel_wait_for_register+0x77/0x140 [i915]
      [   62.034949]  vlv_suspend_complete+0x23/0x5b0 [i915]
      [   62.034950]  intel_runtime_suspend+0x16c/0x2a0 [i915]
      [   62.034950]  pci_pm_runtime_suspend+0x50/0x180
      [   62.034951]  ? pci_pm_runtime_resume+0xa0/0xa0
      [   62.034952]  __rpm_callback+0xc5/0x210
      [   62.034953]  rpm_callback+0x1f/0x80
      [   62.034953]  ? pci_pm_runtime_resume+0xa0/0xa0
      [   62.034954]  rpm_suspend+0x118/0x580
      [   62.034955]  pm_runtime_work+0x64/0x90
      [   62.034956]  process_one_work+0x1bb/0x3e0
      [   62.034956]  worker_thread+0x46/0x4f0
      [   62.034957]  ? __schedule+0x18b/0x610
      [   62.034958]  kthread+0xff/0x140
      [   62.034958]  ? process_one_work+0x3e0/0x3e0
      [   62.034959]  ? kthread_create_on_node+
      
      and related hard lockups in CI for byt and bsw.
      
      Note this effectively reverts commits 41ce405e and b2736695
      ("drm/i915: Convert wait_for(I915_READ(reg)) to intel_wait_for_register()")
      
      v2: Convert bool allow into a u32 mask for clarity and repeat the
      comment on vlv rc6 timing to justify the 3ms timeout used for the wait (Ville)
      
      Fixes: 41ce405e ("drm/i915: Convert wait_for(I915_READ(reg)) to intel_wait_for_register()")
      Fixes: b2736695 ("drm/i915: Convert wait_for(I915_READ(reg)) to intel_wait_for_register()")
      Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=100718Signed-off-by: default avatarChris Wilson <chris@chris-wilson.co.uk>
      Cc: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
      Cc: Ville Syrjälä <ville.syrjala@linux.intel.com>
      Cc: Tomi Sarvela <tomi.p.sarvela@intel.com>
      Reviewed-by: default avatarVille Syrjälä <ville.syrjala@linux.intel.com>
      Link: http://patchwork.freedesktop.org/patch/msgid/20170421135815.11897-1-chris@chris-wilson.co.ukTested-by: default avatarTomi Sarvela <tomi.p.sarvela@intel.com>
      3dd14c04
    • Chris Wilson's avatar
      drm/i915: Stop touching hangcheck.seqno from intel_engine_init_global_seqno() · 546cdbc7
      Chris Wilson authored
      The hangcheck runs independently to the main flow of seqno through the
      driver. However, we have an odd coupling of the seqno reset that is
      unwelcome, and if poked at just the right rate can cause spurious hangs
      (e.g. gem_exec_whisper) on an apparently idle engine.
      Signed-off-by: default avatarChris Wilson <chris@chris-wilson.co.uk>
      Cc: Mika Kuoppala <mika.kuoppala@linux.intel.com>
      Reviewed-by: default avatarMika Kuoppala <mika.kuoppala@linux.intel.com>
      Link: http://patchwork.freedesktop.org/patch/msgid/20170421083113.21321-1-chris@chris-wilson.co.uk
      546cdbc7
  10. 20 Apr, 2017 2 commits
  11. 19 Apr, 2017 2 commits
  12. 18 Apr, 2017 2 commits
  13. 15 Apr, 2017 2 commits
  14. 13 Apr, 2017 4 commits
  15. 12 Apr, 2017 2 commits
    • Chris Wilson's avatar
      drm/i915: Fix use after free in lpe_audio_platdev_destroy() · 48ae8074
      Chris Wilson authored
      [31908.547136] BUG: KASAN: use-after-free in intel_lpe_audio_teardown+0x78/0xb0 [i915] at addr ffff8801f7788358
      [31908.547297] Read of size 8 by task drv_selftest/3781
      [31908.547405] CPU: 0 PID: 3781 Comm: drv_selftest Tainted: G    BU  W       4.10.0+ #451
      [31908.547553] Hardware name:                  /        , BIOS PYBSWCEL.86A.0027.2015.0507.1758 05/07/2015
      [31908.547682] Call Trace:
      [31908.547772]  dump_stack+0x68/0x9f
      [31908.547857]  kasan_object_err+0x1c/0x70
      [31908.547947]  kasan_report_error+0x1f1/0x4f0
      [31908.548038]  ? kfree+0xaa/0x170
      [31908.548121]  kasan_report+0x34/0x40
      [31908.548211]  ? klist_children_get+0x20/0x30
      [31908.548472]  ? intel_lpe_audio_teardown+0x78/0xb0 [i915]
      [31908.548567]  __asan_load8+0x5e/0x70
      [31908.548824]  intel_lpe_audio_teardown+0x78/0xb0 [i915]
      [31908.549080]  intel_audio_deinit+0x28/0x80 [i915]
      [31908.549315]  i915_driver_unload+0xe4/0x360 [i915]
      [31908.549551]  ? i915_driver_load+0x1d70/0x1d70 [i915]
      [31908.549651]  ? trace_hardirqs_on+0xd/0x10
      [31908.549885]  i915_pci_remove+0x23/0x30 [i915]
      [31908.549978]  pci_device_remove+0x5c/0x100
      [31908.550069]  device_release_driver_internal+0x1db/0x2e0
      [31908.550165]  driver_detach+0x68/0xc0
      [31908.550256]  bus_remove_driver+0x8b/0x150
      [31908.550346]  driver_unregister+0x3e/0x60
      [31908.550439]  pci_unregister_driver+0x1d/0x110
      [31908.550531]  ? find_module_all+0x7a/0xa0
      [31908.550791]  i915_exit+0x1a/0x87 [i915]
      [31908.550881]  SyS_delete_module+0x264/0x2c0
      [31908.550971]  ? free_module+0x430/0x430
      [31908.551064]  ? trace_hardirqs_off_caller+0x16/0x110
      [31908.551159]  ? trace_hardirqs_on_caller+0x16/0x280
      [31908.551256]  ? trace_hardirqs_on_thunk+0x1a/0x1c
      [31908.551350]  entry_SYSCALL_64_fastpath+0x1c/0xb1
      [31908.551440] RIP: 0033:0x7f1d67312ec7
      [31908.551520] RSP: 002b:00007ffebe34e888 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0
      [31908.551650] RAX: ffffffffffffffda RBX: ffffffff811123f6 RCX: 00007f1d67312ec7
      [31908.551743] RDX: 0000000000000000 RSI: 0000000000000800 RDI: 0000560d0af476b8
      [31908.551837] RBP: ffff880233d87f98 R08: 0000000000000000 R09: 00007ffebe34e8b8
      [31908.551930] R10: 00007f1d68adf8c0 R11: 0000000000000206 R12: 0000000000000000
      [31908.552023] R13: 0000560d0af46440 R14: 0000000000000034 R15: 00007ffebe34d860
      [31908.552121]  ? trace_hardirqs_off_caller+0x16/0x110
      [31908.552217] Object at ffff8801f7788000, in cache kmalloc-2048 size: 2048
      [31908.552306] Allocated:
      [31908.552377] PID = 3781
      [31908.552456]  save_stack_trace+0x16/0x20
      [31908.552539]  kasan_kmalloc+0xee/0x190
      [31908.552627]  __kmalloc+0xdb/0x1b0
      [31908.552713]  platform_device_alloc+0x27/0x90
      [31908.552804]  platform_device_register_full+0x36/0x220
      [31908.553066]  intel_lpe_audio_init+0x41e/0x570 [i915]
      [31908.553320]  intel_audio_init+0xd/0x40 [i915]
      [31908.553552]  i915_driver_load+0x13f5/0x1d70 [i915]
      [31908.553788]  i915_pci_probe+0x65/0xe0 [i915]
      [31908.553881]  pci_device_probe+0xda/0x140
      [31908.553969]  driver_probe_device+0x400/0x660
      [31908.554058]  __driver_attach+0x11c/0x120
      [31908.554147]  bus_for_each_dev+0xe6/0x150
      [31908.554237]  driver_attach+0x26/0x30
      [31908.554325]  bus_add_driver+0x26b/0x3b0
      [31908.554412]  driver_register+0xce/0x190
      [31908.554502]  __pci_register_driver+0xaf/0xc0
      [31908.554589]  0xffffffffa0550063
      [31908.554675]  do_one_initcall+0x8b/0x1e0
      [31908.554764]  do_init_module+0x102/0x325
      [31908.554852]  load_module+0x3aad/0x45e0
      [31908.554944]  SyS_finit_module+0x169/0x1a0
      [31908.555033]  entry_SYSCALL_64_fastpath+0x1c/0xb1
      [31908.555119] Freed:
      [31908.555188] PID = 3781
      [31908.555266]  save_stack_trace+0x16/0x20
      [31908.555349]  kasan_slab_free+0xb0/0x180
      [31908.555436]  kfree+0xaa/0x170
      [31908.555520]  platform_device_release+0x76/0x80
      [31908.555610]  device_release+0x45/0xe0
      [31908.555698]  kobject_put+0x11f/0x260
      [31908.555785]  put_device+0x12/0x20
      [31908.555871]  platform_device_unregister+0x1b/0x20
      [31908.556135]  intel_lpe_audio_teardown+0x5c/0xb0 [i915]
      [31908.556390]  intel_audio_deinit+0x28/0x80 [i915]
      [31908.556622]  i915_driver_unload+0xe4/0x360 [i915]
      [31908.556858]  i915_pci_remove+0x23/0x30 [i915]
      [31908.556948]  pci_device_remove+0x5c/0x100
      [31908.557037]  device_release_driver_internal+0x1db/0x2e0
      [31908.557129]  driver_detach+0x68/0xc0
      [31908.557217]  bus_remove_driver+0x8b/0x150
      [31908.557304]  driver_unregister+0x3e/0x60
      [31908.557394]  pci_unregister_driver+0x1d/0x110
      [31908.557653]  i915_exit+0x1a/0x87 [i915]
      [31908.557741]  SyS_delete_module+0x264/0x2c0
      [31908.557834]  entry_SYSCALL_64_fastpath+0x1c/0xb1
      [31908.557919] Memory state around the buggy address:
      [31908.558005]  ffff8801f7788200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      [31908.558127]  ffff8801f7788280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      [31908.558255] >ffff8801f7788300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      [31908.558374]                                                     ^
      [31908.558467]  ffff8801f7788380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      [31908.558595]  ffff8801f7788400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      
      v2: Just leak the memory (8 bytes) as freeing it ourselves is not safe,
      and we need to coordinate a proper fix in platform_device itself.
      
      Fixes: eef57324 ("drm/i915: setup bridge for HDMI LPE audio driver")
      Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=99952Signed-off-by: default avatarChris Wilson <chris@chris-wilson.co.uk>
      Cc: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
      Cc: Jerome Anand <jerome.anand@intel.com>
      Cc: Jani Nikula <jani.nikula@intel.com>
      Cc: Takashi Iwai <tiwai@suse.de>
      Link: http://patchwork.freedesktop.org/patch/msgid/20170412080251.30648-1-chris@chris-wilson.co.ukReviewed-by: default avatarTakashi Iwai <tiwai@suse.de>
      Reviewed-by: default avatarVille Syrjälä <ville.syrjala@linux.intel.com>
      48ae8074
    • Manasi Navare's avatar
      drm/i915/dp: Validate cached link rate and lane count before retraining · 14c562c0
      Manasi Navare authored
      Currently intel_dp_check_link_status() tries to retrain the link if
      Clock recovery or Channel EQ for any of the lanes indicated by
      intel_dp->lane_count is not set. However these values cached in intel_dp
      structure can be stale if link training has failed for these values
      during previous modeset. Or these values can get stale since we have
      now re read the DPCD registers or it can be 0 in case of connected boot
      case.
      
      This patch validates these values against the max link rate and max lane
      count values.
      
      This is absolutely required incase the common_rates or max lane count
      are now different due to link fallback.
      
      v2:
      * Include the FIXME commnet inside the function (Ville Syrjala)
      * Remove the redundant parenthesis (Ville Syrjala)
      
      v3 by Jani:
      * rebase on the DP refactoring series
      * rename intel_dp_link_params_is_valid to intel_dp_link_params_valid
      * minor stylistic changes
      
      v4:
      * Compare the link rate against max link rate not the
      common_rates since common_rates does not account for the
      lowered fallback link rate value. (Ville Syrjala)
      
      v5:
      * Fixed a warning for unused variable (Manasi)
      
      Cc: Ville Syrjala <ville.syrjala@linux.intel.com>
      Cc: Jani Nikula <jani.nikula@linux.intel.com>
      Reviewed-by: default avatarVille Syrjälä <ville.syrjala@linux.intel.com>
      Signed-off-by: default avatarManasi Navare <manasi.d.navare@intel.com>
      Signed-off-by: default avatarJani Nikula <jani.nikula@intel.com>
      Link: http://patchwork.freedesktop.org/patch/msgid/1491512412-30016-1-git-send-email-manasi.d.navare@intel.com
      14c562c0