drm/i915: Avoid unguarded reads from the request pointer
author Chris Wilson <chris@chris-wilson.co.uk>
Mon, 6 Feb 2017 17:05:02 +0000 (17:05 +0000)
committer Chris Wilson <chris@chris-wilson.co.uk>
Mon, 6 Feb 2017 20:41:01 +0000 (20:41 +0000)
commit 2ffe80aa442461eb2fa3cd4c5dda81832e5dd291
tree f2a0b3da9dc8e3f3b94a63ecf454cf359d81cb6a
parent eca56a35111c9e6663fbcd7dc37bcc572367efa3
drm/i915: Avoid unguarded reads from the request pointer

In commit 86aa7e760a67 ("drm/i915: Assert that the context-switch
completion matches our context") I added a read to the irq tasklet
handler that compared the on-chip status with that of our sw tracking,
using an unguarded read of the request pointer to get the context and
beyond. Whilst we hold a reference to the request, we do not hold
anything on the context and if we are unlucky it may be reaped from a
second thread retiring the request (since it may retire the request as
soon as the breadcrumb is complete, even before we finish processing the
context switch) as we try to read from the context pointer.

Avoid the racy read from underneath the request by storing the expected
result in the execlist_port[].

v2: Include commentary about port[].request being unprotected.

Fixes: 86aa7e760a67 ("drm/i915: Assert that the context-switch completion matches our context")
Reported-by: Mika Kuoppala <mika.kuoppala@intel.com>
Testcase: igt/gem_ctx_create
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Cc: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
Cc: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
Cc: Mika Kuoppala <mika.kuoppala@intel.com>
Reviewed-by: Mika Kuoppala <mika.kuoppala@intel.com>
Link: http://patchwork.freedesktop.org/patch/msgid/20170206170502.30944-2-chris@chris-wilson.co.uk
drivers/gpu/drm/i915/intel_lrc.c
drivers/gpu/drm/i915/intel_ringbuffer.h
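
The pattern the commit message describes (snapshot the expected value into the port at submit time so the handler never follows the request's context pointer), modelled in userspace C as an added example. This is not the i915 code; every struct, field and function name below is hypothetical.

```c
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical userspace model; names are illustrative, not the i915 structures. */
struct ctx { uint32_t hw_id; };

struct request {
    int refcount;      /* the port holds one of these references */
    struct ctx *ctx;   /* assumption: NOT kept alive by the request reference */
};

struct port {
    struct request *rq;    /* kept alive by our reference */
    uint32_t expected_id;  /* snapshot taken at submit, while ctx is valid */
};

/* Submit: take a request reference and copy what the handler will need. */
static void port_submit(struct port *p, struct request *rq)
{
    rq->refcount++;
    p->rq = rq;
    p->expected_id = rq->ctx->hw_id;
}

/* Second thread: retiring releases the context although the request survives. */
static void request_retire(struct request *rq)
{
    free(rq->ctx);
    rq->ctx = NULL;  /* cleared so this model carries no dangling pointer */
}

/* Handler: compares the reported id with the snapshot; never reads rq->ctx. */
static int port_status_matches(const struct port *p, uint32_t status_id)
{
    return p->expected_id == status_id;
}

/* Constructed scenario: the retire wins the race, then the handler runs. */
static int demo(void)
{
    struct ctx *c = malloc(sizeof(*c));
    struct request rq = { .refcount = 1, .ctx = c };
    struct port p = { 0 };
    if (!c) return -1;
    c->hw_id = 0x2a;
    port_submit(&p, &rq);
    request_retire(&rq);  /* context is gone before the check below */
    return port_status_matches(&p, 0x2a) && !port_status_matches(&p, 0x2b)
           && rq.ctx == NULL && rq.refcount == 2;
}

int main(void) { return demo() == 1 ? 0 : 1; }
```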