mirror of https://github.com/edk2-porting/linux-next.git synced 2024-12-23 04:34:11 +08:00
linux-next/drivers
Herton Ronaldo Krzesinski 09bfa51773 drm/i915: Prevent racy removal of request from client list
When i915_gem_retire_requests_ring calls i915_gem_request_remove_from_client,
the client_list for that request may already be removed in i915_gem_release.
So we may call twice list_del(&request->client_list), resulting in an
oops like this report:

[126167.230394] BUG: unable to handle kernel paging request at 00100104
[126167.230699] IP: [<f8c2ce44>] i915_gem_retire_requests_ring+0xd4/0x240 [i915]
[126167.231042] *pdpt = 00000000314c1001 *pde = 0000000000000000
[126167.231314] Oops: 0002 [#1] SMP
[126167.231471] last sysfs file: /sys/devices/LNXSYSTM:00/device:00/PNP0C0A:00/power_supply/BAT1/current_now
[126167.231901] Modules linked in: snd_seq_dummy nls_utf8 isofs btrfs zlib_deflate libcrc32c ufs qnx4 hfsplus hfs minix ntfs vfat msdos fat jfs xfs exportfs reiserfs cryptd aes_i586 aes_generic binfmt_misc vboxnetadp vboxnetflt vboxdrv parport_pc ppdev snd_hda_codec_hdmi snd_hda_codec_conexant snd_hda_intel snd_hda_codec snd_hwdep arc4 snd_pcm snd_seq_midi snd_rawmidi snd_seq_midi_event snd_seq uvcvideo videodev snd_timer snd_seq_device joydev iwlagn iwlcore mac80211 snd cfg80211 soundcore i915 drm_kms_helper snd_page_alloc psmouse drm serio_raw i2c_algo_bit video lp parport usbhid hid sky2 sdhci_pci ahci sdhci libahci
[126167.232018]
[126167.232018] Pid: 1101, comm: Xorg Not tainted 2.6.38-6-generic-pae #34-Ubuntu Gateway                          MC7833U /
[126167.232018] EIP: 0060:[<f8c2ce44>] EFLAGS: 00213246 CPU: 0
[126167.232018] EIP is at i915_gem_retire_requests_ring+0xd4/0x240 [i915]
[126167.232018] EAX: 00200200 EBX: f1ac25b0 ECX: 00000040 EDX: 00100100
[126167.232018] ESI: f1a2801c EDI: e87fc060 EBP: ef4d7dd8 ESP: ef4d7db0
[126167.232018]  DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
[126167.232018] Process Xorg (pid: 1101, ti=ef4d6000 task=f1ba6500 task.ti=ef4d6000)
[126167.232018] Stack:
[126167.232018]  f1a28000 f1a2809c f1a28094 0058bd97 f1aa2400 f1a2801c 0058bd7b 0058bd85
[126167.232018]  f1a2801c f1a28000 ef4d7e38 f8c2e995 ef4d7e30 ef4d7e60 c14d1ebc f6b3a040
[126167.232018]  f1522cc0 000000db 00000000 f1ba6500 ffffffa1 00000000 00000001 f1a29214
[126167.232018] Call Trace:

Unfortunately the call trace reported was cut, but looking at debug
symbols the crash is at __list_del, when probably list_del is called
twice on the same request->client_list, as the dereferenced value is
LIST_POISON1 + 4, and by looking more at the debug symbols before
list_del call it should have been called by
i915_gem_request_remove_from_client.

And as I can see in the code, it seems we indeed have the possibility
to remove a request->client_list twice, which would cause the above,
because we do list_del(&request->client_list) on both
i915_gem_request_remove_from_client and i915_gem_release.

As Chris Wilson pointed out, it's indeed the case:
"(...) I had thought that the actual insertion/deletion was serialised
under the struct mutex and the intention of the spinlock was to protect
the unlocked list traversal during throttling. However, I missed that
i915_gem_release() is also called without struct mutex and so we do need
the double check for i915_gem_request_remove_from_client()."

This change does the required check to avoid the duplicate remove of
request->client_list.

Bugzilla: http://bugs.launchpad.net/bugs/733780
Cc: stable@kernel.org # 2.6.38
Signed-off-by: Herton Ronaldo Krzesinski <herton.krzesinski@canonical.com>
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
2011-03-23 06:41:12 +00:00
..
accessibility
acpi ACPI / ACPICA: Implicit notify for multiple devices 2011-02-24 19:59:21 +01:00
amba
ata libata: set queue DMA alignment to sector size for ATAPI too 2011-01-28 03:16:20 -05:00
atm ATM, Solos PCI ADSL2+: Don't deref NULL pointer if net_ratelimit() and alloc_skb() interact badly. 2011-02-13 16:55:46 -08:00
auxdisplay
base PM / Runtime: Don't enable interrupts while running in_interrupt 2011-01-25 20:50:07 +01:00
block block: kill loop_mutex 2011-03-03 11:53:25 -05:00
bluetooth Revert "Bluetooth: Enable USB autosuspend by default on btusb" 2011-02-23 19:42:03 -08:00
cdrom cdrom: support devices that have check_events but not media_changed 2011-02-09 14:22:37 +01:00
char ipmi: Fix IPMI errors due to timing problems 2011-03-10 13:21:16 -08:00
clk
clocksource drivers/clocksource/tcb_clksrc.c: fix init sequence 2011-01-26 10:50:04 +10:00
connector
cpufreq [CPUFREQ] fix BUG on cpufreq policy init failure 2011-03-01 18:49:44 -05:00
cpuidle Merge branch 'cpuidle-perf-events' into idle-test 2011-01-12 18:06:19 -05:00
crypto Merge git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 2011-01-13 10:25:58 -08:00
dca dca: remove unneeded NULL check 2011-01-13 08:03:09 -08:00
dio
dma Merge branch 'imx' into dmaengine-fixes 2011-02-14 02:40:46 -08:00
edac amd64_edac: Fix DIMMs per DCTs output 2011-02-10 14:41:49 +01:00
eisa
firewire Merge branches 'fixes' and 'fwnet' of git://git.kernel.org/pub/scm/linux/kernel/git/ieee1394/linux1394-2.6 2011-01-21 13:34:39 -08:00
firmware x86, dmi, debug: Log board name (when present) in dmesg/oops output 2011-02-15 04:20:57 +01:00
gpio drivers/gpio/pca953x.c: add a mutex to fix race condition 2011-02-11 16:12:20 -08:00
gpu drm/i915: Prevent racy removal of request from client list 2011-03-23 06:41:12 +00:00
hid kconfig: rename CONFIG_EMBEDDED to CONFIG_EXPERT 2011-01-20 17:02:05 -08:00
hwmon hwmon: (adt7411) add MODULE_DEVICE_TABLE 2011-02-26 08:59:32 -08:00
i2c i2c-eg20t: include slab.h for memory allocations 2011-03-08 23:13:30 +00:00
ide kconfig: rename CONFIG_EMBEDDED to CONFIG_EXPERT 2011-01-20 17:02:05 -08:00
idle intel_idle: disable Atom/Lincroft HW C-state auto-demotion 2011-02-17 17:08:48 -05:00
ieee802154
infiniband Merge branches 'nes' and 'qib' into for-next 2011-02-17 14:04:59 -08:00
input Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input 2011-02-23 14:44:25 -08:00
isdn drivers:isdn:istream.c Fix typo pice to piece 2011-02-28 12:07:32 -08:00
leds leds: leds-pwm: return proper error if pwm_request failed 2011-01-26 10:49:58 +10:00
lguest lguest: compile fixes 2011-01-20 21:37:29 +10:30
macintosh powerpc/macintosh: Fix wrong test in fan_{read,write}_reg() 2011-01-21 14:08:34 +11:00
mca
md md: Fix - again - partition detection when array becomes active 2011-02-24 17:26:41 +11:00
media Merge branch 'media_fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-2.6 2011-03-10 13:22:10 -08:00
memstick workqueue, freezer: unify spelling of 'freeze' + 'able' to 'freezable' 2011-02-16 17:48:59 +01:00
message [SCSI] mptfusion: Bump version 03.04.18 2011-02-12 12:51:21 -06:00
mfd mfd: Avoid tps6586x burst writes 2011-03-02 10:57:50 +01:00
misc drivers/misc/bmp085.c: add MODULE_DEVICE_TABLE 2011-03-04 17:53:38 -08:00
mmc Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/cjb/mmc 2011-03-09 14:00:44 -08:00
mtd workqueue, freezer: unify spelling of 'freeze' + 'able' to 'freezable' 2011-02-16 17:48:59 +01:00
net r8169: disable ASPM 2011-03-03 11:55:43 -08:00
nfc drivers/nfc/pn544.c: add missing regulator 2011-02-25 15:07:36 -08:00
nubus
of of/promtree: allow DT device matching by fixing 'name' brokenness (v5) 2011-03-02 13:45:19 -07:00
oprofile
parisc
parport parport: make lockdep happy with waitlist_lock 2011-01-26 10:49:59 +10:00
pci pci: use security_capable() when checking capablities during config space read 2011-02-15 19:06:31 +11:00
pcmcia Merge branch 'fixes' of master.kernel.org:/home/rmk/linux-2.6-arm 2011-03-07 20:45:42 -08:00
platform dell-laptop: Toggle the unsupported hardware killswitch 2011-02-21 17:06:21 -05:00
pnp Merge branch 'pnp' into release 2011-01-12 04:59:44 -05:00
power Merge git://git.infradead.org/battery-2.6 2011-01-14 09:25:59 -08:00
pps pps: make pps_gen_parport depend on BROKEN 2011-03-04 17:53:38 -08:00
ps3
rapidio rapidio: fix sysfs config attribute to access 16MB of maint space 2011-02-25 15:07:37 -08:00
regulator regulator, mc13xxx: Remove pointless test for unsigned less than zero 2011-02-25 08:51:07 +00:00
rtc drivers/rtc/rtc-s3c.c: fix prototype for s3c_rtc_setaie() 2011-03-04 17:53:38 -08:00
s390 [S390] tape: deadlock on system work queue 2011-03-03 17:56:14 +01:00
sbus
scsi block: add @force_kblockd to __blk_run_queue() 2011-03-02 08:48:05 -05:00
sfi SFI: use ioremap_cache() instead of ioremap() 2011-01-11 23:27:25 -05:00
sh sh: update INTC to clear IRQ sense valid flag 2011-01-19 19:02:35 +09:00
sn
spi spi/pxa2xx pci: fix the release - remove race 2011-02-15 13:25:36 -07:00
ssb Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-2.6 2011-02-08 12:03:54 -08:00
staging Merge branch 'staging-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging-2.6 2011-02-10 12:19:23 -08:00
target [SCSI] target: fix use after free detected by SLUB poison 2011-02-12 12:32:41 -06:00
tc
telephony Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2011-01-13 10:05:56 -08:00
thermal ACPI: Fix build for CONFIG_NET unset 2011-02-28 18:00:31 -08:00
tty fmvj18x_cs: add new id 2011-02-28 12:06:20 -08:00
uio
usb Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6 2011-03-03 15:43:15 -08:00
uwb
vhost vhost: rcu annotation fixup 2011-02-01 16:48:46 +02:00
video drivers/video/backlight/ltv350qv.c: fix a memory leak 2011-03-04 17:53:38 -08:00
virtio virtio: remove virtio-pci root device 2011-01-20 21:37:30 +10:30
vlynq
w1 drivers/w1/masters/omap_hdq.c: add missing clk_put 2011-02-11 16:12:20 -08:00
watchdog watchdog: sbc_fitpc2_wdt, fix crash on systems without DMI_BOARD_NAME 2011-03-09 21:33:37 +00:00
xen xen: suspend and resume system devices when running PVHVM 2011-02-17 10:31:20 +00:00
zorro
Kconfig [SCSI] target: Add LIO target core v4.0.0-rc6 2011-01-14 10:12:29 -06:00
Makefile Merge branch 'tty-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty-2.6 2011-01-20 16:39:23 -08:00