1. 13 May, 2020 1 commit
  2. 12 May, 2020 1 commit
  3. 11 May, 2020 3 commits
  4. 09 May, 2020 1 commit
  5. 06 May, 2020 6 commits
    • Chris Wilson's avatar
      drm/i915/execlists: Track inflight CCID · 1bc6a601
      Chris Wilson authored
      The presumption is that by using a circular counter that is twice as
      large as the maximum ELSP submission, we would never reuse the same CCID
      for two inflight contexts.
      
      However, if we continually preempt an active context such that it always
      remains inflight, it can be resubmitted with an arbitrary number of
      paired contexts. As each of its paired contexts will use a new CCID,
      eventually it will wrap and submit two ELSP with the same CCID.
      
      Rather than use a simple circular counter, switch over to a small bitmap
      of inflight ids so we can avoid reusing one that is still potentially
      active.
      
      Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/1796
      Fixes: 2935ed53 ("drm/i915: Remove logical HW ID")
      Signed-off-by: default avatarChris Wilson <chris@chris-wilson.co.uk>
      Cc: Mika Kuoppala <mika.kuoppala@linux.intel.com>
      Cc: <stable@vger.kernel.org> # v5.5+
      Reviewed-by: default avatarMika Kuoppala <mika.kuoppala@linux.intel.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/20200428184751.11257-2-chris@chris-wilson.co.uk
      (cherry picked from commit 5c4a53e3)
      (cherry picked from commit 134711240307d5586ae8e828d2699db70a8b74f2)
      Signed-off-by: default avatarRodrigo Vivi <rodrigo.vivi@intel.com>
      1bc6a601
    • Chris Wilson's avatar
      drm/i915/execlists: Avoid reusing the same logical CCID · 53b2622e
      Chris Wilson authored
      The bspec is confusing on the nature of the upper 32bits of the LRC
      descriptor. Once upon a time, it said that it uses the upper 32b to
      decide if it should perform a lite-restore, and so we must ensure that
      each unique context submitted to HW is given a unique CCID [for the
      duration of it being on the HW]. Currently, this is achieved by using
      a small circular tag, and assigning every context submitted to HW a
      new id. However, this tag is being cleared on repinning an inflight
      context such that we end up re-using the 0 tag for multiple contexts.
      
      To avoid accidentally clearing the CCID in the upper 32bits of the LRC
      descriptor, split the descriptor into two dwords so we can update the
      GGTT address separately from the CCID.
      
      Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/1796
      Fixes: 2935ed53 ("drm/i915: Remove logical HW ID")
      Signed-off-by: default avatarChris Wilson <chris@chris-wilson.co.uk>
      Cc: Mika Kuoppala <mika.kuoppala@linux.intel.com>
      Cc: <stable@vger.kernel.org> # v5.5+
      Reviewed-by: default avatarMika Kuoppala <mika.kuoppala@linux.intel.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/20200428184751.11257-1-chris@chris-wilson.co.uk
      (cherry picked from commit 2632f174)
      (cherry picked from commit a4b70fcc587860f4b972f68217d8ebebe295ec15)
      Signed-off-by: default avatarRodrigo Vivi <rodrigo.vivi@intel.com>
      53b2622e
    • Chris Wilson's avatar
      drm/i915/gem: Remove object_is_locked assertion from unpin_from_display_plane · 47bf7b7a
      Chris Wilson authored
      Since moving the obj->vma.list to a spin_lock, and the vm->bound_list to
      its vm->mutex, along with tracking shrinkable status under its own
      spinlock, we no long require the object to be locked by the caller.
      
      This is fortunate as it appears we can be called with the lock along an
      error path in flipping:
      
      <4> [139.942851] WARN_ON(debug_locks && !lock_is_held(&(&((obj)->base.resv)->lock.base)->dep_map))
      <4> [139.943242] WARNING: CPU: 0 PID: 1203 at drivers/gpu/drm/i915/gem/i915_gem_domain.c:405 i915_gem_object_unpin_from_display_plane+0x70/0x130 [i915]
      <4> [139.943263] Modules linked in: snd_hda_intel i915 vgem snd_hda_codec_realtek snd_hda_codec_generic coretemp snd_intel_dspcfg snd_hda_codec snd_hwdep snd_hda_core r8169 lpc_ich snd_pcm realtek prime_numbers [last unloaded: i915]
      <4> [139.943347] CPU: 0 PID: 1203 Comm: kms_flip Tainted: G     U            5.6.0-gd0fda5c2cf3f1-drmtip_474+ #1
      <4> [139.943363] Hardware name:  /D510MO, BIOS MOPNV10J.86A.0311.2010.0802.2346 08/02/2010
      <4> [139.943589] RIP: 0010:i915_gem_object_unpin_from_display_plane+0x70/0x130 [i915]
      <4> [139.943589] Code: 85 28 01 00 00 be ff ff ff ff 48 8d 78 60 e8 d7 9b f0 e2 85 c0 75 b9 48 c7 c6 50 b9 38 c0 48 c7 c7 e9 48 3c c0 e8 20 d4 e9 e2 <0f> 0b eb a2 48 c7 c1 08 bb 38 c0 ba 0a 01 00 00 48 c7 c6 88 a3 35
      <4> [139.943589] RSP: 0018:ffffb774c0603b48 EFLAGS: 00010282
      <4> [139.943589] RAX: 0000000000000000 RBX: ffff9a142fa36e80 RCX: 0000000000000006
      <4> [139.943589] RDX: 000000000000160d RSI: ffff9a142c1a88f8 RDI: ffffffffa434a64d
      <4> [139.943589] RBP: ffff9a1410a513c0 R08: ffff9a142c1a88f8 R09: 0000000000000000
      <4> [139.943589] R10: 0000000000000000 R11: 0000000000000000 R12: ffff9a1436ee94b8
      <4> [139.943589] R13: 0000000000000001 R14: 00000000ffffffff R15: ffff9a1410960000
      <4> [139.943589] FS:  00007fc73a744e40(0000) GS:ffff9a143da00000(0000) knlGS:0000000000000000
      <4> [139.943589] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      <4> [139.943589] CR2: 00007fc73997e098 CR3: 000000002f5fe000 CR4: 00000000000006f0
      <4> [139.943589] Call Trace:
      <4> [139.943589]  intel_pin_and_fence_fb_obj+0x1c9/0x1f0 [i915]
      <4> [139.943589]  intel_plane_pin_fb+0x3f/0xd0 [i915]
      <4> [139.943589]  intel_prepare_plane_fb+0x13b/0x5c0 [i915]
      <4> [139.943589]  drm_atomic_helper_prepare_planes+0x85/0x110
      <4> [139.943589]  intel_atomic_commit+0xda/0x390 [i915]
      <4> [139.943589]  drm_atomic_helper_page_flip+0x9c/0xd0
      <4> [139.943589]  ? drm_event_reserve_init+0x46/0x60
      <4> [139.943589]  drm_mode_page_flip_ioctl+0x587/0x5d0
      
      This completes the symmetry lost in commit 8b1c78e0 ("drm/i915: Avoid
      calling i915_gem_object_unbind holding object lock").
      
      Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/1743
      Fixes: 8b1c78e0 ("drm/i915: Avoid calling i915_gem_object_unbind holding object lock")
      Signed-off-by: default avatarChris Wilson <chris@chris-wilson.co.uk>
      Cc: Matthew Auld <matthew.auld@intel.com>
      Cc: Andi Shyti <andi.shyti@intel.com>
      Cc: <stable@vger.kernel.org> # v5.6+
      Reviewed-by: default avatarMatthew Auld <matthew.auld@intel.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/20200420125356.26614-1-chris@chris-wilson.co.uk
      (cherry picked from commit a95f3ac2)
      (cherry picked from commit 2208b85fa1766ee4821a9435d548578b67090531)
      Signed-off-by: default avatarRodrigo Vivi <rodrigo.vivi@intel.com>
      47bf7b7a
    • Chris Wilson's avatar
      drm/i915/gt: Yield the timeslice if caught waiting on a user semaphore · 220dcfc1
      Chris Wilson authored
      If we find ourselves waiting on a MI_SEMAPHORE_WAIT, either within the
      user batch or in our own preamble, the engine raises a
      GT_WAIT_ON_SEMAPHORE interrupt. We can unmask that interrupt and so
      respond to a semaphore wait by yielding the timeslice, if we have
      another context to yield to!
      
      The only real complication is that the interrupt is only generated for
      the start of the semaphore wait, and is asynchronous to our
      process_csb() -- that is, we may not have registered the timeslice before
      we see the interrupt. To ensure we don't miss a potential semaphore
      blocking forward progress (e.g. selftests/live_timeslice_preempt) we mark
      the interrupt and apply it to the next timeslice regardless of whether it
      was active at the time.
      
      v2: We use semaphores in preempt-to-busy, within the timeslicing
      implementation itself! Ergo, when we do insert a preemption due to an
      expired timeslice, the new context may start with the missed semaphore
      flagged by the retired context and be yielded, ad infinitum. To avoid
      this, read the context id at the time of the semaphore interrupt and
      only yield if that context is still active.
      
      Fixes: 8ee36e04 ("drm/i915/execlists: Minimalistic timeslicing")
      Signed-off-by: default avatarChris Wilson <chris@chris-wilson.co.uk>
      Cc: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
      Cc: Kenneth Graunke <kenneth@whitecape.org>
      Reviewed-by: default avatarTvrtko Ursulin <tvrtko.ursulin@intel.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/20200407130811.17321-1-chris@chris-wilson.co.uk
      (cherry picked from commit c4e8ba73)
      (cherry picked from commit cd60e4ac4738a6921592c4f7baf87f9a3499f0e2)
      Signed-off-by: default avatarRodrigo Vivi <rodrigo.vivi@intel.com>
      220dcfc1
    • Chris Wilson's avatar
      drm/i915: Check current i915_vma.pin_count status first on unbind · af23facc
      Chris Wilson authored
      Do an early rejection of a i915_vma_unbind() attempt if the i915_vma is
      currently pinned, without waiting to see if the inflight operations may
      unpin it. We see this problem with the shrinker trying to unbind the
      active vma from inside its bind worker:
      
      <6> [472.618968] Workqueue: events_unbound fence_work [i915]
      <4> [472.618970] Call Trace:
      <4> [472.618974]  ? __schedule+0x2e5/0x810
      <4> [472.618978]  schedule+0x37/0xe0
      <4> [472.618982]  schedule_preempt_disabled+0xf/0x20
      <4> [472.618984]  __mutex_lock+0x281/0x9c0
      <4> [472.618987]  ? mark_held_locks+0x49/0x70
      <4> [472.618989]  ? _raw_spin_unlock_irqrestore+0x47/0x60
      <4> [472.619038]  ? i915_vma_unbind+0xae/0x110 [i915]
      <4> [472.619084]  ? i915_vma_unbind+0xae/0x110 [i915]
      <4> [472.619122]  i915_vma_unbind+0xae/0x110 [i915]
      <4> [472.619165]  i915_gem_object_unbind+0x1dc/0x400 [i915]
      <4> [472.619208]  i915_gem_shrink+0x328/0x660 [i915]
      <4> [472.619250]  ? i915_gem_shrink_all+0x38/0x60 [i915]
      <4> [472.619282]  i915_gem_shrink_all+0x38/0x60 [i915]
      <4> [472.619325]  vm_alloc_page.constprop.25+0x1aa/0x240 [i915]
      <4> [472.619330]  ? rcu_read_lock_sched_held+0x4d/0x80
      <4> [472.619363]  ? __alloc_pd+0xb/0x30 [i915]
      <4> [472.619366]  ? module_assert_mutex_or_preempt+0xf/0x30
      <4> [472.619368]  ? __module_address+0x23/0xe0
      <4> [472.619371]  ? is_module_address+0x26/0x40
      <4> [472.619374]  ? static_obj+0x34/0x50
      <4> [472.619376]  ? lockdep_init_map+0x4d/0x1e0
      <4> [472.619407]  setup_page_dma+0xd/0x90 [i915]
      <4> [472.619437]  alloc_pd+0x29/0x50 [i915]
      <4> [472.619470]  __gen8_ppgtt_alloc+0x443/0x6b0 [i915]
      <4> [472.619503]  gen8_ppgtt_alloc+0xd7/0x300 [i915]
      <4> [472.619535]  ppgtt_bind_vma+0x2a/0xe0 [i915]
      <4> [472.619577]  __vma_bind+0x26/0x40 [i915]
      <4> [472.619611]  fence_work+0x1c/0x90 [i915]
      <4> [472.619617]  process_one_work+0x26a/0x620
      
      Fixes: 2850748e ("drm/i915: Pull i915_vma_pin under the vm->mutex")
      Signed-off-by: default avatarChris Wilson <chris@chris-wilson.co.uk>
      Cc: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
      Reviewed-by: default avatarTvrtko Ursulin <tvrtko.ursulin@intel.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/20200403120150.17091-1-chris@chris-wilson.co.uk
      (cherry picked from commit 614654ab)
      (cherry picked from commit dd086cf516d9bea3878abb267f62ccc53acd764b)
      Signed-off-by: default avatarRodrigo Vivi <rodrigo.vivi@intel.com>
      af23facc
    • Imre Deak's avatar
      drm/i915/tgl+: Fix interrupt handling for DP AUX transactions · 4457a9db
      Imre Deak authored
      Unmask/enable AUX interrupts on all ports on TGL+. So far the interrupts
      worked only on port A, which meant each transaction on other ports took
      10ms.
      
      Cc: <stable@vger.kernel.org> # v5.4+
      Signed-off-by: default avatarImre Deak <imre.deak@intel.com>
      Reviewed-by: default avatarVille Syrjälä <ville.syrjala@linux.intel.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/20200504075828.20348-1-imre.deak@intel.com
      (cherry picked from commit 054318c7)
      Signed-off-by: default avatarRodrigo Vivi <rodrigo.vivi@intel.com>
      4457a9db
  6. 04 May, 2020 4 commits
    • Peter Jones's avatar
      Make the "Reducing compressed framebufer size" message be DRM_INFO_ONCE() · 82152d42
      Peter Jones authored
      This was sort of annoying me:
      
      random:~$ dmesg | tail -1
      [523884.039227] [drm] Reducing the compressed framebuffer size. This may lead to less power savings than a non-reduced-size. Try to increase stolen memory size if available in BIOS.
      random:~$ dmesg | grep -c "Reducing the compressed"
      47
      
      This patch makes it DRM_INFO_ONCE() just like the similar message
      farther down in that function is pr_info_once().
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarPeter Jones <pjones@redhat.com>
      Acked-by: default avatarRodrigo Vivi <rodrigo.vivi@intel.com>
      Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/1745
      Link: https://patchwork.freedesktop.org/patch/msgid/20180706190424.29194-1-pjones@redhat.com
      [vsyrjala: Rebase due to per-device logging]
      Signed-off-by: default avatarVille Syrjälä <ville.syrjala@linux.intel.com>
      (cherry picked from commit 6b7fc6a3)
      [Rodrigo: port back to DRM_INFO_ONCE]
      Signed-off-by: default avatarRodrigo Vivi <rodrigo.vivi@intel.com>
      82152d42
    • Sultan Alsawaf's avatar
      drm/i915: Don't enable WaIncreaseLatencyIPCEnabled when IPC is disabled · 421abe20
      Sultan Alsawaf authored
      In commit 5a7d202b, a logical AND was erroneously changed to an OR,
      causing WaIncreaseLatencyIPCEnabled to be enabled unconditionally for
      kabylake and coffeelake, even when IPC is disabled. Fix the logic so
      that WaIncreaseLatencyIPCEnabled is only used when IPC is enabled.
      
      Fixes: 5a7d202b ("drm/i915: Drop WaIncreaseLatencyIPCEnabled/1140 for cnl")
      Cc: stable@vger.kernel.org # 5.3.x+
      Signed-off-by: default avatarSultan Alsawaf <sultan@kerneltoast.com>
      Signed-off-by: default avatarVille Syrjälä <ville.syrjala@linux.intel.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/20200430214654.51314-1-sultan@kerneltoast.com
      (cherry picked from commit 690d22da)
      Signed-off-by: default avatarRodrigo Vivi <rodrigo.vivi@intel.com>
      421abe20
    • Chris Wilson's avatar
      drm/i915/gt: Make timeslicing an explicit engine property · fe5a7082
      Chris Wilson authored
      In order to allow userspace to rely on timeslicing to reorder their
      batches, we must support preemption of those user batches. Declare
      timeslicing as an explicit property that is a combination of having the
      kernel support and HW support.
      Suggested-by: default avatarTvrtko Ursulin <tvrtko.ursulin@intel.com>
      Fixes: 8ee36e04 ("drm/i915/execlists: Minimalistic timeslicing")
      Signed-off-by: default avatarChris Wilson <chris@chris-wilson.co.uk>
      Cc: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
      Reviewed-by: default avatarTvrtko Ursulin <tvrtko.ursulin@intel.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/20200501122249.12417-1-chris@chris-wilson.co.uk
      (cherry picked from commit a211da9c)
      Signed-off-by: default avatarRodrigo Vivi <rodrigo.vivi@intel.com>
      fe5a7082
    • Chris Wilson's avatar
      drm/i915: Avoid dereferencing a dead context · 30523408
      Chris Wilson authored
      Once the intel_context is closed, the GEM context may be freed and so
      the link from intel_context.gem_context is invalid.
      
      <3>[  219.782944] BUG: KASAN: use-after-free in intel_engine_coredump_alloc+0x1bc3/0x2250 [i915]
      <3>[  219.782996] Read of size 8 at addr ffff8881d7dff0b8 by task kworker/0:1/12
      
      <4>[  219.783052] CPU: 0 PID: 12 Comm: kworker/0:1 Tainted: G     U            5.7.0-rc2-g1f3ffd7683d54-kasan_118+ #1
      <4>[  219.783055] Hardware name: System manufacturer System Product Name/Z170 PRO GAMING, BIOS 3402 04/26/2017
      <4>[  219.783105] Workqueue: events heartbeat [i915]
      <4>[  219.783109] Call Trace:
      <4>[  219.783113]  <IRQ>
      <4>[  219.783119]  dump_stack+0x96/0xdb
      <4>[  219.783177]  ? intel_engine_coredump_alloc+0x1bc3/0x2250 [i915]
      <4>[  219.783182]  print_address_description.constprop.6+0x16/0x310
      <4>[  219.783239]  ? intel_engine_coredump_alloc+0x1bc3/0x2250 [i915]
      <4>[  219.783295]  ? intel_engine_coredump_alloc+0x1bc3/0x2250 [i915]
      <4>[  219.783300]  __kasan_report+0x137/0x190
      <4>[  219.783359]  ? intel_engine_coredump_alloc+0x1bc3/0x2250 [i915]
      <4>[  219.783366]  kasan_report+0x32/0x50
      <4>[  219.783426]  intel_engine_coredump_alloc+0x1bc3/0x2250 [i915]
      <4>[  219.783481]  execlists_reset+0x39c/0x13d0 [i915]
      <4>[  219.783494]  ? mark_held_locks+0x9e/0xe0
      <4>[  219.783546]  ? execlists_hold+0xfc0/0xfc0 [i915]
      <4>[  219.783551]  ? lockdep_hardirqs_on+0x348/0x5f0
      <4>[  219.783557]  ? _raw_spin_unlock_irqrestore+0x34/0x60
      <4>[  219.783606]  ? execlists_submission_tasklet+0x118/0x3a0 [i915]
      <4>[  219.783615]  tasklet_action_common.isra.14+0x13b/0x410
      <4>[  219.783623]  ? __do_softirq+0x1e4/0x9a7
      <4>[  219.783630]  __do_softirq+0x226/0x9a7
      <4>[  219.783643]  do_softirq_own_stack+0x2a/0x40
      <4>[  219.783647]  </IRQ>
      <4>[  219.783692]  ? heartbeat+0x3e2/0x10f0 [i915]
      <4>[  219.783696]  do_softirq.part.13+0x49/0x50
      <4>[  219.783700]  __local_bh_enable_ip+0x1a2/0x1e0
      <4>[  219.783748]  heartbeat+0x409/0x10f0 [i915]
      <4>[  219.783801]  ? __live_idle_pulse+0x9f0/0x9f0 [i915]
      <4>[  219.783806]  ? lock_acquire+0x1ac/0x8a0
      <4>[  219.783811]  ? process_one_work+0x811/0x1870
      <4>[  219.783827]  ? rcu_read_lock_sched_held+0x9c/0xd0
      <4>[  219.783832]  ? rcu_read_lock_bh_held+0xb0/0xb0
      <4>[  219.783836]  ? _raw_spin_unlock_irq+0x1f/0x40
      <4>[  219.783845]  process_one_work+0x8ca/0x1870
      <4>[  219.783848]  ? lock_acquire+0x1ac/0x8a0
      <4>[  219.783852]  ? worker_thread+0x1d0/0xb80
      <4>[  219.783864]  ? pwq_dec_nr_in_flight+0x2c0/0x2c0
      <4>[  219.783870]  ? do_raw_spin_lock+0x129/0x290
      <4>[  219.783886]  worker_thread+0x82/0xb80
      <4>[  219.783895]  ? __kthread_parkme+0xaf/0x1b0
      <4>[  219.783902]  ? process_one_work+0x1870/0x1870
      <4>[  219.783906]  kthread+0x34e/0x420
      <4>[  219.783911]  ? kthread_create_on_node+0xc0/0xc0
      <4>[  219.783918]  ret_from_fork+0x3a/0x50
      
      <3>[  219.783950] Allocated by task 1264:
      <4>[  219.783975]  save_stack+0x19/0x40
      <4>[  219.783978]  __kasan_kmalloc.constprop.3+0xa0/0xd0
      <4>[  219.784029]  i915_gem_create_context+0xa2/0xab8 [i915]
      <4>[  219.784081]  i915_gem_context_create_ioctl+0x1fa/0x450 [i915]
      <4>[  219.784085]  drm_ioctl_kernel+0x1d8/0x270
      <4>[  219.784088]  drm_ioctl+0x676/0x930
      <4>[  219.784092]  ksys_ioctl+0xb7/0xe0
      <4>[  219.784096]  __x64_sys_ioctl+0x6a/0xb0
      <4>[  219.784100]  do_syscall_64+0x94/0x530
      <4>[  219.784103]  entry_SYSCALL_64_after_hwframe+0x49/0xb3
      
      <3>[  219.784120] Freed by task 12:
      <4>[  219.784141]  save_stack+0x19/0x40
      <4>[  219.784145]  __kasan_slab_free+0x130/0x180
      <4>[  219.784148]  kmem_cache_free_bulk+0x1bd/0x500
      <4>[  219.784152]  kfree_rcu_work+0x1d8/0x890
      <4>[  219.784155]  process_one_work+0x8ca/0x1870
      <4>[  219.784158]  worker_thread+0x82/0xb80
      <4>[  219.784162]  kthread+0x34e/0x420
      <4>[  219.784165]  ret_from_fork+0x3a/0x50
      
      Fixes: 2e46a2a0 ("drm/i915: Use explicit flag to mark unreachable intel_context")
      Signed-off-by: default avatarChris Wilson <chris@chris-wilson.co.uk>
      Acked-by: default avatarAkeem G Abodunrin <akeem.g.abodunrin@intel.com>
      Reviewed-by: default avatarTvrtko Ursulin <tvrtko.ursulin@intel.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/20200428090255.10035-1-chris@chris-wilson.co.uk
      (cherry picked from commit 24aac336)
      Signed-off-by: default avatarRodrigo Vivi <rodrigo.vivi@intel.com>
      30523408
  7. 28 Apr, 2020 1 commit
  8. 27 Apr, 2020 3 commits
    • Chris Wilson's avatar
      drm/i915/gt: Check cacheline is valid before acquiring · 2abaad4e
      Chris Wilson authored
      The hwsp_cacheline pointer from i915_request is very, very flimsy. The
      i915_request.timeline (and the hwsp_cacheline) are lost upon retiring
      (after an RCU grace). Therefore we need to confirm that once we have the
      right pointer for the cacheline, it is not in the process of being
      retired and disposed of before we attempt to acquire a reference to the
      cacheline.
      
      <3>[  547.208237] BUG: KASAN: use-after-free in active_debug_hint+0x6a/0x70 [i915]
      <3>[  547.208366] Read of size 8 at addr ffff88822a0d2710 by task gem_exec_parall/2536
      
      <4>[  547.208547] CPU: 3 PID: 2536 Comm: gem_exec_parall Tainted: G     U            5.7.0-rc2-ged7a286b5d02d-kasan_117+ #1
      <4>[  547.208556] Hardware name: Dell Inc. XPS 13 9350/, BIOS 1.4.12 11/30/2016
      <4>[  547.208564] Call Trace:
      <4>[  547.208579]  dump_stack+0x96/0xdb
      <4>[  547.208707]  ? active_debug_hint+0x6a/0x70 [i915]
      <4>[  547.208719]  print_address_description.constprop.6+0x16/0x310
      <4>[  547.208841]  ? active_debug_hint+0x6a/0x70 [i915]
      <4>[  547.208963]  ? active_debug_hint+0x6a/0x70 [i915]
      <4>[  547.208975]  __kasan_report+0x137/0x190
      <4>[  547.209106]  ? active_debug_hint+0x6a/0x70 [i915]
      <4>[  547.209127]  kasan_report+0x32/0x50
      <4>[  547.209257]  ? i915_gemfs_fini+0x40/0x40 [i915]
      <4>[  547.209376]  active_debug_hint+0x6a/0x70 [i915]
      <4>[  547.209389]  debug_print_object+0xa7/0x220
      <4>[  547.209405]  ? lockdep_hardirqs_on+0x348/0x5f0
      <4>[  547.209426]  debug_object_assert_init+0x297/0x430
      <4>[  547.209449]  ? debug_object_free+0x360/0x360
      <4>[  547.209472]  ? lock_acquire+0x1ac/0x8a0
      <4>[  547.209592]  ? intel_timeline_read_hwsp+0x4f/0x840 [i915]
      <4>[  547.209737]  ? i915_active_acquire_if_busy+0x66/0x120 [i915]
      <4>[  547.209861]  i915_active_acquire_if_busy+0x66/0x120 [i915]
      <4>[  547.209990]  ? __live_alloc.isra.15+0xc0/0xc0 [i915]
      <4>[  547.210005]  ? rcu_read_lock_sched_held+0xd0/0xd0
      <4>[  547.210017]  ? print_usage_bug+0x580/0x580
      <4>[  547.210153]  intel_timeline_read_hwsp+0xbc/0x840 [i915]
      <4>[  547.210284]  __emit_semaphore_wait+0xd5/0x480 [i915]
      <4>[  547.210415]  ? i915_fence_get_timeline_name+0x110/0x110 [i915]
      <4>[  547.210428]  ? lockdep_hardirqs_on+0x348/0x5f0
      <4>[  547.210442]  ? _raw_spin_unlock_irq+0x2a/0x40
      <4>[  547.210567]  ? __await_execution.constprop.51+0x2e0/0x570 [i915]
      <4>[  547.210706]  i915_request_await_dma_fence+0x8f7/0xc70 [i915]
      
      Fixes: 85bedbf1 ("drm/i915/gt: Eliminate the trylock for reading a timeline's hwsp")
      Signed-off-by: default avatarChris Wilson <chris@chris-wilson.co.uk>
      Cc: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
      Cc: <stable@vger.kernel.org> # v5.6+
      Reviewed-by: default avatarTvrtko Ursulin <tvrtko.ursulin@intel.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/20200427093038.29219-1-chris@chris-wilson.co.uk
      (cherry picked from commit 2759e395)
      Signed-off-by: default avatarRodrigo Vivi <rodrigo.vivi@intel.com>
      2abaad4e
    • Chris Wilson's avatar
      drm/i915/gem: Hold obj->vma.lock over for_each_ggtt_vma() · f524a774
      Chris Wilson authored
      While the ggtt vma are protected by their object lifetime, the list
      continues until it hits a non-ggtt vma, and that vma is not protected
      and may be freed as we inspect it. Hence, we require the obj->vma.lock
      to protect the list as we iterate.
      
      An example of forgetting to hold the obj->vma.lock is
      
      [1642834.464973] general protection fault, probably for non-canonical address 0xdead000000000122: 0000 [#1] SMP PTI
      [1642834.464977] CPU: 3 PID: 1954 Comm: Xorg Not tainted 5.6.0-300.fc32.x86_64 #1
      [1642834.464979] Hardware name: LENOVO 20ARS25701/20ARS25701, BIOS GJET94WW (2.44 ) 09/14/2017
      [1642834.465021] RIP: 0010:i915_gem_object_set_tiling+0x2c0/0x3e0 [i915]
      [1642834.465024] Code: 8b 84 24 18 01 00 00 f6 c4 80 74 59 49 8b 94 24 a0 00 00 00 49 8b 84 24 e0 00 00 00 49 8b 74 24 10 48 8b 92 30 01 00 00 89 c7 <80> ba 0a 06 00 00 03 0f 87 86 00 00 00 ba 00 00 08 00 b9 00 00 10
      [1642834.465025] RSP: 0018:ffffa98780c77d60 EFLAGS: 00010282
      [1642834.465028] RAX: ffff8d232bfb2578 RBX: 0000000000000002 RCX: ffff8d25873a0000
      [1642834.465029] RDX: dead000000000122 RSI: fffff0af8ac6e408 RDI: 000000002bfb2578
      [1642834.465030] RBP: ffff8d25873a0000 R08: ffff8d252bfb5638 R09: 0000000000000000
      [1642834.465031] R10: 0000000000000000 R11: ffff8d252bfb5640 R12: ffffa987801cb8f8
      [1642834.465032] R13: 0000000000001000 R14: ffff8d233e972e50 R15: ffff8d233e972d00
      [1642834.465034] FS:  00007f6a3d327f00(0000) GS:ffff8d25926c0000(0000) knlGS:0000000000000000
      [1642834.465036] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [1642834.465037] CR2: 00007f6a2064d000 CR3: 00000002fb57c001 CR4: 00000000001606e0
      [1642834.465038] Call Trace:
      [1642834.465083]  i915_gem_set_tiling_ioctl+0x122/0x230 [i915]
      [1642834.465121]  ? i915_gem_object_set_tiling+0x3e0/0x3e0 [i915]
      [1642834.465151]  drm_ioctl_kernel+0x86/0xd0 [drm]
      [1642834.465156]  ? avc_has_perm+0x3b/0x160
      [1642834.465178]  drm_ioctl+0x206/0x390 [drm]
      [1642834.465216]  ? i915_gem_object_set_tiling+0x3e0/0x3e0 [i915]
      [1642834.465221]  ? selinux_file_ioctl+0x122/0x1c0
      [1642834.465226]  ? __do_munmap+0x24b/0x4d0
      [1642834.465231]  ksys_ioctl+0x82/0xc0
      [1642834.465235]  __x64_sys_ioctl+0x16/0x20
      [1642834.465238]  do_syscall_64+0x5b/0xf0
      [1642834.465243]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      [1642834.465245] RIP: 0033:0x7f6a3d7b047b
      [1642834.465247] Code: 0f 1e fa 48 8b 05 1d aa 0c 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ed a9 0c 00 f7 d8 64 89 01 48
      [1642834.465249] RSP: 002b:00007ffe71adba28 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
      [1642834.465251] RAX: ffffffffffffffda RBX: 000055f99048fa40 RCX: 00007f6a3d7b047b
      [1642834.465253] RDX: 00007ffe71adba30 RSI: 00000000c0106461 RDI: 000000000000000e
      [1642834.465254] RBP: 0000000000000002 R08: 000055f98f3f1798 R09: 0000000000000002
      [1642834.465255] R10: 0000000000001000 R11: 0000000000000246 R12: 0000000000000080
      [1642834.465257] R13: 000055f98f3f1690 R14: 00000000c0106461 R15: 00007ffe71adba30
      
      Now to take the spinlock during the list iteration, we need to break it
      down into two phases. In the first phase under the lock, we cannot sleep
      and so must defer the actual work to a second list, protected by the
      ggtt->mutex.
      
      We also need to hold the spinlock during creation of a new vma to
      serialise with updates of the tiling on the object.
      Reported-by: default avatarDave Airlie <airlied@redhat.com>
      Fixes: 2850748e ("drm/i915: Pull i915_vma_pin under the vm->mutex")
      Signed-off-by: default avatarChris Wilson <chris@chris-wilson.co.uk>
      Cc: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
      Cc: Dave Airlie <airlied@redhat.com>
      Cc: <stable@vger.kernel.org> # v5.5+
      Reviewed-by: default avatarTvrtko Ursulin <tvrtko.ursulin@intel.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/20200422072805.17340-1-chris@chris-wilson.co.uk
      (cherry picked from commit cb593e5d)
      Signed-off-by: default avatarRodrigo Vivi <rodrigo.vivi@intel.com>
      f524a774
    • Xiyu Yang's avatar
      drm/i915/selftests: Fix i915_address_space refcnt leak · 5d5e100a
      Xiyu Yang authored
      igt_ppgtt_pin_update() invokes i915_gem_context_get_vm_rcu(), which
      returns a reference of the i915_address_space object to "vm" with
      increased refcount.
      
      When igt_ppgtt_pin_update() returns, "vm" becomes invalid, so the
      refcount should be decreased to keep refcount balanced.
      
      The reference counting issue happens in two exception handling paths of
      igt_ppgtt_pin_update(). When i915_gem_object_create_internal() returns
      IS_ERR, the refcnt increased by i915_gem_context_get_vm_rcu() is not
      decreased, causing a refcnt leak.
      
      Fix this issue by jumping to "out_vm" label when
      i915_gem_object_create_internal() returns IS_ERR.
      
      Fixes: a4e7ccda ("drm/i915: Move context management under GEM")
      Signed-off-by: default avatarXiyu Yang <xiyuyang19@fudan.edu.cn>
      Signed-off-by: default avatarXin Tan <tanxin.ctf@gmail.com>
      Reviewed-by: default avatarChris Wilson <chris@chris-wilson.co.uk>
      Signed-off-by: default avatarChris Wilson <chris@chris-wilson.co.uk>
      Link: https://patchwork.freedesktop.org/patch/msgid/1587361342-83494-1-git-send-email-xiyuyang19@fudan.edu.cn
      (cherry picked from commit e07c7606)
      Signed-off-by: default avatarRodrigo Vivi <rodrigo.vivi@intel.com>
      5d5e100a
  9. 20 Apr, 2020 7 commits
  10. 14 Apr, 2020 4 commits
  11. 13 Apr, 2020 1 commit
  12. 12 Apr, 2020 8 commits
    • Linus Torvalds's avatar
      Linux 5.7-rc1 · 8f3d9f35
      Linus Torvalds authored
      8f3d9f35
    • Linus Torvalds's avatar
      MAINTAINERS: sort field names for all entries · 3b50142d
      Linus Torvalds authored
      This sorts the actual field names too, potentially causing even more
      chaos and confusion at merge time if you have edited the MAINTAINERS
      file.  But the end result is a more consistent layout, and hopefully
      it's a one-time pain minimized by doing this just before the -rc1
      release.
      
      This was entirely scripted:
      
        ./scripts/parse-maintainers.pl --input=MAINTAINERS --output=MAINTAINERS --order
      Requested-by: default avatarJoe Perches <joe@perches.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      3b50142d
    • Linus Torvalds's avatar
      MAINTAINERS: sort entries by entry name · 4400b7d6
      Linus Torvalds authored
      They are all supposed to be sorted, but people who add new entries don't
      always know the alphabet.  Plus sometimes the entry names get edited,
      and people don't then re-order the entry.
      
      Let's see how painful this will be for merging purposes (the MAINTAINERS
      file is often edited in various different trees), but Joe claims there's
      relatively few patches in -next that touch this, and doing it just
      before -rc1 is likely the best time.  Fingers crossed.
      
      This was scripted with
      
        /scripts/parse-maintainers.pl --input=MAINTAINERS --output=MAINTAINERS
      
      but then I also ended up manually upper-casing a few entry names that
      stood out when looking at the end result.
      Requested-by: default avatarJoe Perches <joe@perches.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      4400b7d6
    • Linus Torvalds's avatar
      Merge tag 'x86-urgent-2020-04-12' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 4f8a3cc1
      Linus Torvalds authored
      Pull x86 fixes from Thomas Gleixner:
       "A set of three patches to fix the fallout of the newly added split
        lock detection feature.
      
        It addressed the case where a KVM guest triggers a split lock #AC and
        KVM reinjects it into the guest which is not prepared to handle it.
      
        Add proper sanity checks which prevent the unconditional injection
        into the guest and handles the #AC on the host side in the same way as
        user space detections are handled. Depending on the detection mode it
        either warns and disables detection for the task or kills the task if
        the mode is set to fatal"
      
      * tag 'x86-urgent-2020-04-12' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        KVM: VMX: Extend VMXs #AC interceptor to handle split lock #AC in guest
        KVM: x86: Emulate split-lock access as a write in emulator
        x86/split_lock: Provide handle_guest_split_lock()
      4f8a3cc1
    • Linus Torvalds's avatar
      Merge tag 'timers-urgent-2020-04-12' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 0785249f
      Linus Torvalds authored
      Pull time(keeping) updates from Thomas Gleixner:
      
       - Fix the time_for_children symlink in /proc/$PID/ so it properly
         reflects that it part of the 'time' namespace
      
       - Add the missing userns limit for the allowed number of time
         namespaces, which was half defined but the actual array member was
         not added. This went unnoticed as the array has an exessive empty
         member at the end but introduced a user visible regression as the
         output was corrupted.
      
       - Prevent further silent ucount corruption by adding a BUILD_BUG_ON()
         to catch half updated data.
      
      * tag 'timers-urgent-2020-04-12' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        ucount: Make sure ucounts in /proc/sys/user don't regress again
        time/namespace: Add max_time_namespaces ucount
        time/namespace: Fix time_for_children symlink
      0785249f
    • Linus Torvalds's avatar
      Merge tag 'sched-urgent-2020-04-12' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 590680d1
      Linus Torvalds authored
      Pull scheduler fixes/updates from Thomas Gleixner:
      
       - Deduplicate the average computations in the scheduler core and the
         fair class code.
      
       - Fix a raise between runtime distribution and assignement which can
         cause exceeding the quota by up to 70%.
      
       - Prevent negative results in the imbalanace calculation
      
       - Remove a stale warning in the workqueue code which can be triggered
         since the call site was moved out of preempt disabled code. It's a
         false positive.
      
       - Deduplicate the print macros for procfs
      
       - Add the ucmap values to the SCHED_DEBUG procfs output for completness
      
      * tag 'sched-urgent-2020-04-12' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        sched/debug: Add task uclamp values to SCHED_DEBUG procfs
        sched/debug: Factor out printing formats into common macros
        sched/debug: Remove redundant macro define
        sched/core: Remove unused rq::last_load_update_tick
        workqueue: Remove the warning in wq_worker_sleeping()
        sched/fair: Fix negative imbalance in imbalance calculation
        sched/fair: Fix race between runtime distribution and assignment
        sched/fair: Align rq->avg_idle and rq->avg_scan_cost
      590680d1
    • Linus Torvalds's avatar
      Merge tag 'perf-urgent-2020-04-12' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 20e2aa81
      Linus Torvalds authored
      Pull perf fixes from Thomas Gleixner:
       "Three fixes/updates for perf:
      
         - Fix the perf event cgroup tracking which tries to track the cgroup
           even for disabled events.
      
         - Add Ice Lake server support for uncore events
      
         - Disable pagefaults when retrieving the physical address in the
           sampling code"
      
      * tag 'perf-urgent-2020-04-12' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        perf/core: Disable page faults when getting phys address
        perf/x86/intel/uncore: Add Ice Lake server uncore support
        perf/cgroup: Correct indirection in perf_less_group_idx()
        perf/core: Fix event cgroup tracking
      20e2aa81
    • Linus Torvalds's avatar
      Merge tag 'locking-urgent-2020-04-12' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 652fa53c
      Linus Torvalds authored
      Pull locking fixes from Thomas Gleixner:
       "Three small fixes/updates for the locking core code:
      
         - Plug a task struct reference leak in the percpu rswem
           implementation.
      
         - Document the refcount interaction with PID_MAX_LIMIT
      
         - Improve the 'invalid wait context' data dump in lockdep so it
           contains all information which is required to decode the problem"
      
      * tag 'locking-urgent-2020-04-12' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        locking/lockdep: Improve 'invalid wait context' splat
        locking/refcount: Document interaction with PID_MAX_LIMIT
        locking/percpu-rwsem: Fix a task_struct refcount
      652fa53c