1. 11 5月, 2011 2 次提交
  2. 23 3月, 2011 6 次提交
    • C
      drm/i915: Avoid unmapping pages from a NULL address space · f6e47884
      Chris Wilson 提交于
      Found by gem_stress.
      
      As we perform retirement from a workqueue, it is possible for us to free
      and unbind objects after the last close on the device, and so after the
      address space has been torn down and reset to NULL:
      
      BUG: unable to handle kernel NULL pointer dereference at 00000054
      IP: [<c1295a20>] mutex_lock+0xf/0x27
      *pde = 00000000
      Oops: 0002 [#1] SMP
      last sysfs file: /sys/module/vt/parameters/default_utf8
      
      Pid: 5, comm: kworker/u:0 Not tainted 2.6.38+ #214
      EIP: 0060:[<c1295a20>] EFLAGS: 00010206 CPU: 1
      EIP is at mutex_lock+0xf/0x27
      EAX: 00000054 EBX: 00000054 ECX: 00000000 EDX: 00012fff
      ESI: 00000028 EDI: 00000000 EBP: f706fe20 ESP: f706fe18
       DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068
      Process kworker/u:0 (pid: 5, ti=f706e000 task=f7060d00 task.ti=f706e000)
      Stack:
       f5aa3c60 00000000 f706fe74 c107e7df 00000246 dea55380 00000054 f5aa3c60
       f706fe44 00000061 f70b4000 c13fff84 00000008 f706fe54 00000000 00000000
       00012f00 00012fff 00000028 c109e575 f6b36700 00100000 00000000 f706fe90
      Call Trace:
       [<c107e7df>] unmap_mapping_range+0x7d/0x1e6
       [<c109e575>] ? mntput_no_expire+0x52/0xb6
       [<c11c12f6>] i915_gem_release_mmap+0x49/0x58
       [<c11c3449>] i915_gem_object_unbind+0x4c/0x125
       [<c11c353f>] i915_gem_free_object_tail+0x1d/0xdb
       [<c11c55a2>] i915_gem_free_object+0x3d/0x41
       [<c11a6be2>] ? drm_gem_object_free+0x0/0x27
       [<c11a6c07>] drm_gem_object_free+0x25/0x27
       [<c113c3ca>] kref_put+0x39/0x42
       [<c11c0a59>] drm_gem_object_unreference+0x16/0x18
       [<c11c0b15>] i915_gem_object_move_to_inactive+0xba/0xbe
       [<c11c0c87>] i915_gem_retire_requests_ring+0x16e/0x1a5
       [<c11c3645>] i915_gem_retire_requests+0x48/0x63
       [<c11c36ac>] i915_gem_retire_work_handler+0x4c/0x117
       [<c10385d1>] process_one_work+0x140/0x21b
       [<c103734c>] ? __need_more_worker+0x13/0x2a
       [<c10373b1>] ? need_to_create_worker+0x1c/0x35
       [<c11c3660>] ? i915_gem_retire_work_handler+0x0/0x117
       [<c1038faf>] worker_thread+0xd4/0x14b
       [<c1038edb>] ? worker_thread+0x0/0x14b
       [<c103be1b>] kthread+0x68/0x6d
       [<c103bdb3>] ? kthread+0x0/0x6d
       [<c12970f6>] kernel_thread_helper+0x6/0x10
      Code: 00 e8 98 fe ff ff 5d c3 55 89 e5 3e 8d 74 26 00 ba 01 00 00 00 e8
      84 fe ff ff 5d c3 55 89 e5 53 8d 64 24 fc 3e 8d 74 26 00 89 c3 <f0> ff
      08 79 05 e8 ab ff ff ff 89 e0 25 00 e0 ff ff 89 43 10 58
      EIP: [<c1295a20>] mutex_lock+0xf/0x27 SS:ESP 0068:f706fe18
      CR2: 0000000000000054
      Signed-off-by: NChris Wilson <chris@chris-wilson.co.uk>
      Reviewed-by: NKeith Packard <keithp@keithp.com>
      f6e47884
    • C
      drm/i915: Fix use after free within tracepoint · 26e12f89
      Chris Wilson 提交于
      Detected by scripts/coccinelle/free/kfree.cocci.
      Signed-off-by: NChris Wilson <chris@chris-wilson.co.uk>
      Reviewed-by: NKeith Packard <keithp@keithp.com>
      26e12f89
    • C
      drm/i915: Restore missing command flush before interrupt on BLT ring · 36d527de
      Chris Wilson 提交于
      We always skipped flushing the BLT ring if the request flush did not
      include the RENDER domain. However, this neglects that we try to flush
      the COMMAND domain after every batch and before the breadcrumb interrupt
      (to make sure the batch is indeed completed prior to the interrupt
      firing and so insuring CPU coherency). As a result of the missing flush,
      incoherency did indeed creep in, most notable when using lots of command
      buffers and so potentially rewritting an active command buffer (i.e.
      the GPU was still executing from it even though the following interrupt
      had already fired and the request/buffer retired).
      
      As all ring->flush routines now have the same preconditions, de-duplicate
      and move those checks up into i915_gem_flush_ring().
      
      Fixes gem_linear_blit.
      
      Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=35284Signed-off-by: NChris Wilson <chris@chris-wilson.co.uk>
      Reviewed-by: NDaniel Vetter <daniel.vetter@ffwll.ch>
      Tested-by: mengmeng.meng@intel.com
      36d527de
    • C
      drm/i915: Fix computation of pitch for dumb bo creator · ed0291fd
      Chris Wilson 提交于
      Cc: Dave Airlie <airlied@linux.ie>
      Signed-off-by: NChris Wilson <chris@chris-wilson.co.uk>
      ed0291fd
    • C
      drm/i915: Fix tiling corruption from pipelined fencing · 29c5a587
      Chris Wilson 提交于
      ... even though it was disabled. A mistake in the handling of fence reuse
      caused us to skip the vital delay of waiting for the object to finish
      rendering before changing the register. This resulted in us changing the
      fence register whilst the bo was active and so causing the blits to
      complete using the wrong stride or even the wrong tiling. (Visually the
      effect is that small blocks of the screen look like they have been
      interlaced). The fix is to wait for the GPU to finish using the memory
      region pointed to by the fence before changing it.
      
      Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=34584
      Cc: Andy Whitcroft <apw@canonical.com>
      Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
      Reviewed-by: NDaniel Vetter <daniel.vetter@ffwll.ch>
      [Note for 2.6.38-stable, we need to reintroduce the interruptible passing]
      Signed-off-by: NChris Wilson <chris@chris-wilson.co.uk>
      Tested-by: NDave Airlie <airlied@linux.ie>
      29c5a587
    • H
      drm/i915: Prevent racy removal of request from client list · 09bfa517
      Herton Ronaldo Krzesinski 提交于
      When i915_gem_retire_requests_ring calls i915_gem_request_remove_from_client,
      the client_list for that request may already be removed in i915_gem_release.
      So we may call twice list_del(&request->client_list), resulting in an
      oops like this report:
      
      [126167.230394] BUG: unable to handle kernel paging request at 00100104
      [126167.230699] IP: [<f8c2ce44>] i915_gem_retire_requests_ring+0xd4/0x240 [i915]
      [126167.231042] *pdpt = 00000000314c1001 *pde = 0000000000000000
      [126167.231314] Oops: 0002 [#1] SMP
      [126167.231471] last sysfs file: /sys/devices/LNXSYSTM:00/device:00/PNP0C0A:00/power_supply/BAT1/current_now
      [126167.231901] Modules linked in: snd_seq_dummy nls_utf8 isofs btrfs zlib_deflate libcrc32c ufs qnx4 hfsplus hfs minix ntfs vfat msdos fat jfs xfs exportfs reiserfs cryptd aes_i586 aes_generic binfmt_misc vboxnetadp vboxnetflt vboxdrv parport_pc ppdev snd_hda_codec_hdmi snd_hda_codec_conexant snd_hda_intel snd_hda_codec snd_hwdep arc4 snd_pcm snd_seq_midi snd_rawmidi snd_seq_midi_event snd_seq uvcvideo videodev snd_timer snd_seq_device joydev iwlagn iwlcore mac80211 snd cfg80211 soundcore i915 drm_kms_helper snd_page_alloc psmouse drm serio_raw i2c_algo_bit video lp parport usbhid hid sky2 sdhci_pci ahci sdhci libahci
      [126167.232018]
      [126167.232018] Pid: 1101, comm: Xorg Not tainted 2.6.38-6-generic-pae #34-Ubuntu Gateway                          MC7833U /
      [126167.232018] EIP: 0060:[<f8c2ce44>] EFLAGS: 00213246 CPU: 0
      [126167.232018] EIP is at i915_gem_retire_requests_ring+0xd4/0x240 [i915]
      [126167.232018] EAX: 00200200 EBX: f1ac25b0 ECX: 00000040 EDX: 00100100
      [126167.232018] ESI: f1a2801c EDI: e87fc060 EBP: ef4d7dd8 ESP: ef4d7db0
      [126167.232018]  DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
      [126167.232018] Process Xorg (pid: 1101, ti=ef4d6000 task=f1ba6500 task.ti=ef4d6000)
      [126167.232018] Stack:
      [126167.232018]  f1a28000 f1a2809c f1a28094 0058bd97 f1aa2400 f1a2801c 0058bd7b 0058bd85
      [126167.232018]  f1a2801c f1a28000 ef4d7e38 f8c2e995 ef4d7e30 ef4d7e60 c14d1ebc f6b3a040
      [126167.232018]  f1522cc0 000000db 00000000 f1ba6500 ffffffa1 00000000 00000001 f1a29214
      [126167.232018] Call Trace:
      
      Unfortunately the call trace reported was cut, but looking at debug
      symbols the crash is at __list_del, when probably list_del is called
      twice on the same request->client_list, as the dereferenced value is
      LIST_POISON1 + 4, and by looking more at the debug symbols before
      list_del call it should have being called by
      i915_gem_request_remove_from_client
      
      And as I can see in the code, it seems we indeed have the possibility
      to remove a request->client_list twice, which would cause the above,
      because we do list_del(&request->client_list) on both
      i915_gem_request_remove_from_client and i915_gem_release
      
      As Chris Wilson pointed out, it's indeed the case:
      "(...) I had thought that the actual insertion/deletion was serialised
      under the struct mutex and the intention of the spinlock was to protect
      the unlocked list traversal during throttling. However, I missed that
      i915_gem_release() is also called without struct mutex and so we do need
      the double check for i915_gem_request_remove_from_client()."
      
      This change does the required check to avoid the duplicate remove of
      request->client_list.
      
      Bugzilla: http://bugs.launchpad.net/bugs/733780
      Cc: stable@kernel.org # 2.6.38
      Signed-off-by: NHerton Ronaldo Krzesinski <herton.krzesinski@canonical.com>
      Signed-off-by: NChris Wilson <chris@chris-wilson.co.uk>
      09bfa517
  3. 07 3月, 2011 1 次提交
  4. 22 2月, 2011 2 次提交
    • C
      drm/i915: Use a device flag for non-interruptible phases · ce453d81
      Chris Wilson 提交于
      The code paths for modesetting are growing in complexity as we may need
      to move the buffers around in order to fit the scanout in the aperture.
      Therefore we face a choice as to whether to thread the interruptible status
      through the entire pinning and unbinding code paths or to add a flag to
      the device when we may not be interrupted by a signal. This does the
      latter and so fixes a few instances of modesetting failures under stress.
      Signed-off-by: NChris Wilson <chris@chris-wilson.co.uk>
      ce453d81
    • C
      drm/i915: Protect against drm_gem_object not being the first member · c8725226
      Chris Wilson 提交于
      Dave Airlie spotted that we had a potential bug should we ever rearrange
      the drm_i915_gem_object so not the base drm_gem_object was not its first
      member. He noticed that we often convert the return of
      drm_gem_object_lookup() immediately into drm_i915_gem_object and then
      check the result for nullity. This is only valid when the base object is
      the first member and so the superobject has the same address. Play safe
      instead and use the compiler to convert back to the original return
      address for sanity testing.
      Signed-off-by: NChris Wilson <chris@chris-wilson.co.uk>
      c8725226
  5. 12 2月, 2011 1 次提交
  6. 07 2月, 2011 4 次提交
  7. 27 1月, 2011 2 次提交
  8. 25 1月, 2011 2 次提交
  9. 23 1月, 2011 1 次提交
  10. 12 1月, 2011 5 次提交
  11. 20 12月, 2010 1 次提交
  12. 14 12月, 2010 2 次提交
  13. 07 12月, 2010 1 次提交
  14. 06 12月, 2010 3 次提交
  15. 05 12月, 2010 1 次提交
  16. 02 12月, 2010 4 次提交
    • C
      drm/i915: Kill the get_fence tracepoint · 60de2ba5
      Chris Wilson 提交于
      As the tracepoint is now decoupled from when the actual register is
      assigned and was never complemented by detailing when the object lost
      its fence, it has outlived its limited usefulness. Profiling the actual
      stalls is a far more profitable venture anyway.
      Signed-off-by: NChris Wilson <chris@chris-wilson.co.uk>
      60de2ba5
    • C
      drm/i915: Remove inactive LRU tracking from set_domain_ioctl · c6748e09
      Chris Wilson 提交于
      As the userspace mappings are torn down on every GPU write, we prefer to
      track when the buffer is activated (via a fresh i915_gem_fault). This
      makes the LRU conceptually simpler. With coherent mappings, the
      remaining use-case for set_domain_ioctl is GPU synchronisation.
      Signed-off-by: NChris Wilson <chris@chris-wilson.co.uk>
      c6748e09
    • C
      drm/i915: Pipelined fencing [infrastructure] · d9e86c0e
      Chris Wilson 提交于
      With this change, every batchbuffer can use all available fences (save
      pinned and scanout, of course) without ever stalling the gpu!
      
      In theory. Currently the actual pipelined update of the register is
      disabled due to some stability issues. However, just the deferred update
      is a significant win.
      
      Based on a series of patches by Daniel Vetter.
      
      The premise is that before every access to a buffer through the GTT we
      have to declare whether we need a register or not. If the access is by
      the GPU, a pipelined update to the register is made via the ringbuffer,
      and we track the last seqno of the batches that access it. If by the
      CPU we wait for the last GPU access and update the register (either
      to clear or to set it for the current buffer).
      
      One advantage of being able to pipeline changes is that we can defer the
      actual updating of the fence register until we first need to access the
      object through the GTT, i.e. we can eliminate the stall on set_tiling.
      This is important as the userspace bo cache does not track the tiling
      status of active buffers which generate frequent stalls on gen3 when
      enabling tiling for an already bound buffer.
      Signed-off-by: NChris Wilson <chris@chris-wilson.co.uk>
      Reviewed-by: NDaniel Vetter <daniel.vetter@ffwll.ch>
      d9e86c0e
    • C
  17. 29 11月, 2010 1 次提交
  18. 28 11月, 2010 1 次提交