From 429732e860fda07fc1bb96fe23c43146c27e08e0 Mon Sep 17 00:00:00 2001 From: Chris Wilson Date: Wed, 15 Mar 2017 21:07:23 +0000 Subject: [PATCH] drm/i915/breadcrumbs: Update bottom-half before marking as complete When adding a new request to the breadcrumb rbtree, we mark all those requests inside the rbtree that are already completed as complete. This wakes those waiters up and allows them to skip the spinlock before returning to userspace. If one of those is the current bottom-half and allocated its intel_wait on the stack, it may then overwrite the b->irq_wait upon exiting i915_wait_request() just as the interrupt handler dereferences it. Fixes: 56299fb7d904 ("drm/i915: Signal first fence from irq handler if complete") Signed-off-by: Chris Wilson Cc: Tvrtko Ursulin Cc: Mika Kuoppala Reviewed-by: Tvrtko Ursulin Link: http://patchwork.freedesktop.org/patch/msgid/20170315210726.12095-2-chris@chris-wilson.co.uk --- drivers/gpu/drm/i915/intel_breadcrumbs.c | 34 ++++++++++++++++---------------- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/drivers/gpu/drm/i915/intel_breadcrumbs.c b/drivers/gpu/drm/i915/intel_breadcrumbs.c index 3f222de..438f874 100644 --- a/drivers/gpu/drm/i915/intel_breadcrumbs.c +++ b/drivers/gpu/drm/i915/intel_breadcrumbs.c @@ -303,6 +303,7 @@ static inline void __intel_breadcrumbs_next(struct intel_engine_cs *engine, spin_lock(&b->irq_lock); GEM_BUG_ON(!b->irq_armed); + GEM_BUG_ON(!b->irq_wait); b->irq_wait = to_wait(next); spin_unlock(&b->irq_lock); @@ -378,25 +379,8 @@ static bool __intel_engine_add_wait(struct intel_engine_cs *engine, rb_link_node(&wait->node, parent, p); rb_insert_color(&wait->node, &b->waiters); - if (completed) { - struct rb_node *next = rb_next(completed); - - GEM_BUG_ON(!next && !first); - if (next && next != &wait->node) { - GEM_BUG_ON(first); - __intel_breadcrumbs_next(engine, next); - } - - do { - struct intel_wait *crumb = to_wait(completed); - completed = rb_prev(completed); - __intel_breadcrumbs_finish(b, crumb); - } while (completed); - } - if (first) { spin_lock(&b->irq_lock); - GEM_BUG_ON(rb_first(&b->waiters) != &wait->node); b->irq_wait = wait; /* After assigning ourselves as the new bottom-half, we must * perform a cursory check to prevent a missed interrupt. @@ -409,7 +393,23 @@ static bool __intel_engine_add_wait(struct intel_engine_cs *engine, __intel_breadcrumbs_enable_irq(b); spin_unlock(&b->irq_lock); } + + if (completed) { + if (!first) { + struct rb_node *next = rb_next(completed); + GEM_BUG_ON(next == &wait->node); + __intel_breadcrumbs_next(engine, next); + } + + do { + struct intel_wait *crumb = to_wait(completed); + completed = rb_prev(completed); + __intel_breadcrumbs_finish(b, crumb); + } while (completed); + } + GEM_BUG_ON(!b->irq_wait); + GEM_BUG_ON(!b->irq_armed); GEM_BUG_ON(rb_first(&b->waiters) != &b->irq_wait->node); return first; -- 2.7.4