1. 13 4月, 2011 6 次提交
  2. 09 4月, 2011 5 次提交
  3. 06 4月, 2011 2 次提交
  4. 05 4月, 2011 10 次提交
  5. 04 4月, 2011 2 次提交
  6. 01 4月, 2011 2 次提交
  7. 31 3月, 2011 3 次提交
  8. 25 3月, 2011 1 次提交
  9. 24 3月, 2011 5 次提交
  10. 23 3月, 2011 4 次提交
    • C
      drm/i915: Avoid unmapping pages from a NULL address space · f6e47884
      Chris Wilson 提交于
      Found by gem_stress.
      
      As we perform retirement from a workqueue, it is possible for us to free
      and unbind objects after the last close on the device, and so after the
      address space has been torn down and reset to NULL:
      
      BUG: unable to handle kernel NULL pointer dereference at 00000054
      IP: [<c1295a20>] mutex_lock+0xf/0x27
      *pde = 00000000
      Oops: 0002 [#1] SMP
      last sysfs file: /sys/module/vt/parameters/default_utf8
      
      Pid: 5, comm: kworker/u:0 Not tainted 2.6.38+ #214
      EIP: 0060:[<c1295a20>] EFLAGS: 00010206 CPU: 1
      EIP is at mutex_lock+0xf/0x27
      EAX: 00000054 EBX: 00000054 ECX: 00000000 EDX: 00012fff
      ESI: 00000028 EDI: 00000000 EBP: f706fe20 ESP: f706fe18
       DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068
      Process kworker/u:0 (pid: 5, ti=f706e000 task=f7060d00 task.ti=f706e000)
      Stack:
       f5aa3c60 00000000 f706fe74 c107e7df 00000246 dea55380 00000054 f5aa3c60
       f706fe44 00000061 f70b4000 c13fff84 00000008 f706fe54 00000000 00000000
       00012f00 00012fff 00000028 c109e575 f6b36700 00100000 00000000 f706fe90
      Call Trace:
       [<c107e7df>] unmap_mapping_range+0x7d/0x1e6
       [<c109e575>] ? mntput_no_expire+0x52/0xb6
       [<c11c12f6>] i915_gem_release_mmap+0x49/0x58
       [<c11c3449>] i915_gem_object_unbind+0x4c/0x125
       [<c11c353f>] i915_gem_free_object_tail+0x1d/0xdb
       [<c11c55a2>] i915_gem_free_object+0x3d/0x41
       [<c11a6be2>] ? drm_gem_object_free+0x0/0x27
       [<c11a6c07>] drm_gem_object_free+0x25/0x27
       [<c113c3ca>] kref_put+0x39/0x42
       [<c11c0a59>] drm_gem_object_unreference+0x16/0x18
       [<c11c0b15>] i915_gem_object_move_to_inactive+0xba/0xbe
       [<c11c0c87>] i915_gem_retire_requests_ring+0x16e/0x1a5
       [<c11c3645>] i915_gem_retire_requests+0x48/0x63
       [<c11c36ac>] i915_gem_retire_work_handler+0x4c/0x117
       [<c10385d1>] process_one_work+0x140/0x21b
       [<c103734c>] ? __need_more_worker+0x13/0x2a
       [<c10373b1>] ? need_to_create_worker+0x1c/0x35
       [<c11c3660>] ? i915_gem_retire_work_handler+0x0/0x117
       [<c1038faf>] worker_thread+0xd4/0x14b
       [<c1038edb>] ? worker_thread+0x0/0x14b
       [<c103be1b>] kthread+0x68/0x6d
       [<c103bdb3>] ? kthread+0x0/0x6d
       [<c12970f6>] kernel_thread_helper+0x6/0x10
      Code: 00 e8 98 fe ff ff 5d c3 55 89 e5 3e 8d 74 26 00 ba 01 00 00 00 e8
      84 fe ff ff 5d c3 55 89 e5 53 8d 64 24 fc 3e 8d 74 26 00 89 c3 <f0> ff
      08 79 05 e8 ab ff ff ff 89 e0 25 00 e0 ff ff 89 43 10 58
      EIP: [<c1295a20>] mutex_lock+0xf/0x27 SS:ESP 0068:f706fe18
      CR2: 0000000000000054
      Signed-off-by: NChris Wilson <chris@chris-wilson.co.uk>
      Reviewed-by: NKeith Packard <keithp@keithp.com>
      f6e47884
    • C
      drm/i915: Fix use after free within tracepoint · 26e12f89
      Chris Wilson 提交于
      Detected by scripts/coccinelle/free/kfree.cocci.
      Signed-off-by: NChris Wilson <chris@chris-wilson.co.uk>
      Reviewed-by: NKeith Packard <keithp@keithp.com>
      26e12f89
    • C
      drm/i915: Restore missing command flush before interrupt on BLT ring · 36d527de
      Chris Wilson 提交于
      We always skipped flushing the BLT ring if the request flush did not
      include the RENDER domain. However, this neglects that we try to flush
      the COMMAND domain after every batch and before the breadcrumb interrupt
      (to make sure the batch is indeed completed prior to the interrupt
      firing and so insuring CPU coherency). As a result of the missing flush,
      incoherency did indeed creep in, most notable when using lots of command
      buffers and so potentially rewritting an active command buffer (i.e.
      the GPU was still executing from it even though the following interrupt
      had already fired and the request/buffer retired).
      
      As all ring->flush routines now have the same preconditions, de-duplicate
      and move those checks up into i915_gem_flush_ring().
      
      Fixes gem_linear_blit.
      
      Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=35284Signed-off-by: NChris Wilson <chris@chris-wilson.co.uk>
      Reviewed-by: NDaniel Vetter <daniel.vetter@ffwll.ch>
      Tested-by: mengmeng.meng@intel.com
      36d527de
    • C
      drm/i915: Disable pagefaults along execbuffer relocation fast path · d4aeee77
      Chris Wilson 提交于
      Along the fast path for relocation handling, we attempt to copy directly
      from the user data structures whilst holding our mutex. This causes
      lockdep to warn about circular lock dependencies if we need to pagefault
      the user pages. [Since when handling a page fault on a mmapped bo, we
      need to acquire the struct mutex whilst already holding the mm
      semaphore, it is then verboten to acquire the mm semaphore when already
      holding the struct mutex. The likelihood of the user passing in the
      relocations contained in a GTT mmaped bo is low, but conceivable for
      extreme pathology.] In order to force the mm to return EFAULT rather
      than handle the pagefault, we therefore need to disable pagefaults
      across the relocation fast path.
      Signed-off-by: NChris Wilson <chris@chris-wilson.co.uk>
      Cc: stable@kernel.org
      Reviewed-by: NDaniel Vetter <daniel.vetter@ffwll.ch>
      d4aeee77
新手
引导
客服 返回
顶部