mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
synced 2025-01-23 16:53:58 -05:00
4364bcb2cd
This fixes a general protection fault, caused by accessing the contents of a flip_done completion object that has already been freed. It occurs due to the preemption of a non-blocking commit worker thread W by another commit thread X. X continues to clear its atomic state at the end, destroying the CRTC commit object that W still needs. Switching back to W and accessing the commit objects then leads to bad results. Worker W becomes preemptable when waiting for flip_done to complete. At this point, a frequently occurring commit thread X can take over. Here's an example where W is a worker thread that flips on both CRTCs, and X does a legacy cursor update on both CRTCs: ... 1. W does flip work 2. W runs commit_hw_done() 3. W waits for flip_done on CRTC 1 4. > flip_done for CRTC 1 completes 5. W finishes waiting for CRTC 1 6. W waits for flip_done on CRTC 2 7. > Preempted by X 8. > flip_done for CRTC 2 completes 9. X atomic_check: hw_done and flip_done are complete on all CRTCs 10. X updates cursor on both CRTCs 11. X destroys atomic state 12. X done 13. > Switch back to W 14. W waits for flip_done on CRTC 2 15. W raises general protection fault The error looks like so: general protection fault: 0000 [#1] PREEMPT SMP PTI **snip** Call Trace: lock_acquire+0xa2/0x1b0 _raw_spin_lock_irq+0x39/0x70 wait_for_completion_timeout+0x31/0x130 drm_atomic_helper_wait_for_flip_done+0x64/0x90 [drm_kms_helper] amdgpu_dm_atomic_commit_tail+0xcae/0xdd0 [amdgpu] commit_tail+0x3d/0x70 [drm_kms_helper] process_one_work+0x212/0x650 worker_thread+0x49/0x420 kthread+0xfb/0x130 ret_from_fork+0x3a/0x50 Modules linked in: x86_pkg_temp_thermal amdgpu(O) chash(O) gpu_sched(O) drm_kms_helper(O) syscopyarea sysfillrect sysimgblt fb_sys_fops ttm(O) drm(O) Note that i915 has this issue masked, since hw_done is signaled after waiting for flip_done. Doing so will block the cursor update from happening until hw_done is signaled, preventing the cursor commit from destroying the state. v2: The reference on the commit object needs to be obtained before hw_done() is signaled, since that's the point where another commit is allowed to modify the state. Assuming that the new_crtc_state->commit object still exists within flip_done() is incorrect. Fix by getting a reference in setup_commit(), and releasing it during default_clear(). Signed-off-by: Leo Li <sunpeng.li@amd.com> Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch> Signed-off-by: Harry Wentland <harry.wentland@amd.com> Link: https://patchwork.freedesktop.org/patch/msgid/1539611200-6184-1-git-send-email-sunpeng.li@amd.com |
||
---|---|---|
.. | ||
bridge | ||
i2c | ||
tinydrm | ||
ttm | ||
amd_asic_type.h | ||
ati_pcigart.h | ||
drm_agpsupport.h | ||
drm_atomic.h | ||
drm_atomic_helper.h | ||
drm_audio_component.h | ||
drm_auth.h | ||
drm_blend.h | ||
drm_bridge.h | ||
drm_cache.h | ||
drm_client.h | ||
drm_color_mgmt.h | ||
drm_connector.h | ||
drm_crtc.h | ||
drm_crtc_helper.h | ||
drm_debugfs.h | ||
drm_debugfs_crc.h | ||
drm_device.h | ||
drm_displayid.h | ||
drm_dp_dual_mode_helper.h | ||
drm_dp_helper.h | ||
drm_dp_mst_helper.h | ||
drm_drv.h | ||
drm_edid.h | ||
drm_encoder.h | ||
drm_encoder_slave.h | ||
drm_fb_cma_helper.h | ||
drm_fb_helper.h | ||
drm_file.h | ||
drm_fixed.h | ||
drm_flip_work.h | ||
drm_fourcc.h | ||
drm_framebuffer.h | ||
drm_gem.h | ||
drm_gem_cma_helper.h | ||
drm_gem_framebuffer_helper.h | ||
drm_global.h | ||
drm_hashtab.h | ||
drm_hdcp.h | ||
drm_ioctl.h | ||
drm_irq.h | ||
drm_lease.h | ||
drm_legacy.h | ||
drm_mipi_dsi.h | ||
drm_mm.h | ||
drm_mode_config.h | ||
drm_mode_object.h | ||
drm_modes.h | ||
drm_modeset_helper.h | ||
drm_modeset_helper_vtables.h | ||
drm_modeset_lock.h | ||
drm_of.h | ||
drm_os_linux.h | ||
drm_panel.h | ||
drm_pci.h | ||
drm_pciids.h | ||
drm_plane.h | ||
drm_plane_helper.h | ||
drm_prime.h | ||
drm_print.h | ||
drm_property.h | ||
drm_rect.h | ||
drm_scdc_helper.h | ||
drm_simple_kms_helper.h | ||
drm_syncobj.h | ||
drm_sysfs.h | ||
drm_utils.h | ||
drm_vblank.h | ||
drm_vma_manager.h | ||
drm_writeback.h | ||
drmP.h | ||
gma_drm.h | ||
gpu_scheduler.h | ||
i915_component.h | ||
i915_drm.h | ||
i915_pciids.h | ||
intel-gtt.h | ||
intel_lpe_audio.h | ||
spsc_queue.h |