c63462184b
If we hit the sync case, like when skipping clearing for kernel internal objects, or when falling back to cpu clearing, like in i915, we end up trying to add a NULL fence, but with some recent changes in this area this now just results in NULL deref in dma_resv_add_fence: <1>[ 5.466383] BUG: kernel NULL pointer dereference, address: 0000000000000008 <1>[ 5.466384] #PF: supervisor read access in kernel mode <1>[ 5.466385] #PF: error_code(0x0000) - not-present page <6>[ 5.466386] PGD 0 P4D 0 <4>[ 5.466387] Oops: 0000 [#1] PREEMPT SMP NOPTI <4>[ 5.466389] CPU: 5 PID: 267 Comm: modprobe Not tainted 5.18.0-rc2-CI-CI_DRM_11481+ #1 <4>[ 5.466391] RIP: 0010:dma_resv_add_fence+0x63/0x260 <4>[ 5.466395] Code: 38 85 c0 0f 84 df 01 00 00 0f 88 e8 01 00 00 83 c0 01 0f 88 df 01 00 00 8b 05 35 89 10 01 49 8d 5e 68 85 c0 0f 85 45 01 00 00 <48> 8b 45 08 48 3d c0 a5 0a 82 0f 84 5c 01 00 00 48 3d 60 a5 0a 82 <4>[ 5.466396] RSP: 0018:ffffc90000e974f8 EFLAGS: 00010202 <4>[ 5.466397] RAX: 0000000000000001 RBX: ffff888123e88b28 RCX: 00000000ffffffff <4>[ 5.466398] RDX: 0000000000000001 RSI: ffffffff822e4f50 RDI: ffffffff8233f087 <4>[ 5.466399] RBP: 0000000000000000 R08: ffff8881313dbc80 R09: 0000000000000001 <4>[ 5.466399] R10: 0000000000000001 R11: 00000000da354294 R12: 0000000000000000 <4>[ 5.466400] R13: ffff88810927dc58 R14: ffff888123e88ac0 R15: ffff88810a88d600 <4>[ 5.466401] FS: 00007f5fa1193540(0000) GS:ffff88845d880000(0000) knlGS:0000000000000000 <4>[ 5.466402] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 <4>[ 5.466402] CR2: 0000000000000008 CR3: 0000000106dd6003 CR4: 00000000003706e0 <4>[ 5.466403] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 <4>[ 5.466404] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 <4>[ 5.466404] Call Trace: <4>[ 5.466405] <TASK> <4>[ 5.466406] ttm_bo_move_accel_cleanup+0x62/0x270 [ttm] <4>[ 5.466411] ? 
i915_rsgt_from_buddy_resource+0x185/0x1e0 [i915] <4>[ 5.466529] i915_ttm_move+0xfd/0x430 [i915] <4>[ 5.466833] ? dma_resv_reserve_fences+0x4e/0x320 <4>[ 5.466836] ? ttm_bo_add_move_fence.constprop.20+0xf7/0x140 [ttm] <4>[ 5.466841] ttm_bo_handle_move_mem+0xa1/0x140 [ttm] <4>[ 5.466845] ttm_bo_validate+0xee/0x160 [ttm] <4>[ 5.466849] __i915_ttm_get_pages+0x4f/0x210 [i915] <4>[ 5.466976] i915_ttm_get_pages+0xad/0x140 [i915] <4>[ 5.467094] ____i915_gem_object_get_pages+0x32/0xf0 [i915] <4>[ 5.467210] __i915_gem_object_get_pages+0x89/0xa0 [i915] <4>[ 5.467323] i915_vma_get_pages+0x114/0x1d0 [i915] <4>[ 5.467446] i915_vma_pin_ww+0xd3/0xa90 [i915] <4>[ 5.467570] i915_vma_pin.constprop.10+0x119/0x1b0 [i915] <4>[ 5.467700] ? __mutex_unlock_slowpath+0x3e/0x2b0 <4>[ 5.467704] intel_alloc_initial_plane_obj.isra.6+0x1a9/0x390 [i915] <4>[ 5.467833] intel_crtc_initial_plane_config+0x83/0x340 [i915] In the ttm_bo_move_sync_cleanup() case it seems we only really care about calling ttm_bo_wait_free_node(), so let's instead just call that directly. Signed-off-by: Matthew Auld <matthew.auld@intel.com> Cc: Thomas Hellström <thomas.hellstrom@linux.intel.com> Cc: Christian König <christian.koenig@amd.com> Cc: Lucas De Marchi <lucas.demarchi@intel.com> Cc: Nirmoy Das <nirmoy.das@linux.intel.com> Reviewed-by: Christian König <christian.koenig@amd.com> Signed-off-by: Christian König <christian.koenig@amd.com> Link: https://patchwork.freedesktop.org/patch/msgid/20220411085603.58156-1-matthew.auld@intel.com
/**************************************************************************
|
|
*
|
|
* Copyright (c) 2006-2009 Vmware, Inc., Palo Alto, CA., USA
|
|
* All Rights Reserved.
|
|
*
|
|
* Permission is hereby granted, free of charge, to any person obtaining a
|
|
* copy of this software and associated documentation files (the
|
|
* "Software"), to deal in the Software without restriction, including
|
|
* without limitation the rights to use, copy, modify, merge, publish,
|
|
* distribute, sub license, and/or sell copies of the Software, and to
|
|
* permit persons to whom the Software is furnished to do so, subject to
|
|
* the following conditions:
|
|
*
|
|
* The above copyright notice and this permission notice (including the
|
|
* next paragraph) shall be included in all copies or substantial portions
|
|
* of the Software.
|
|
*
|
|
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
|
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
|
* FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT. IN NO EVENT SHALL
|
|
* THE COPYRIGHT HOLDERS, AUTHORS AND/OR ITS SUPPLIERS BE LIABLE FOR ANY CLAIM,
|
|
* DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
|
|
* OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE
|
|
* USE OR OTHER DEALINGS IN THE SOFTWARE.
|
|
*
|
|
**************************************************************************/
|
|
/*
|
|
* Authors: Thomas Hellstrom <thellstrom-at-vmware-dot-com>
|
|
*/
|
|
#ifndef _TTM_BO_DRIVER_H_
|
|
#define _TTM_BO_DRIVER_H_
|
|
|
|
#include <drm/drm_mm.h>
|
|
#include <drm/drm_vma_manager.h>
|
|
#include <linux/workqueue.h>
|
|
#include <linux/fs.h>
|
|
#include <linux/spinlock.h>
|
|
#include <linux/dma-resv.h>
|
|
|
|
#include <drm/ttm/ttm_device.h>
|
|
|
|
#include "ttm_bo_api.h"
|
|
#include "ttm_kmap_iter.h"
|
|
#include "ttm_placement.h"
|
|
#include "ttm_tt.h"
|
|
#include "ttm_pool.h"
|
|
|
|
/*
|
|
* ttm_bo.c
|
|
*/
|
|
|
|
/**
|
|
* ttm_bo_mem_space
|
|
*
|
|
* @bo: Pointer to a struct ttm_buffer_object. the data of which
|
|
* we want to allocate space for.
|
|
* @proposed_placement: Proposed new placement for the buffer object.
|
|
* @mem: A struct ttm_resource.
|
|
* @interruptible: Sleep interruptible when sleeping.
|
|
* @no_wait_gpu: Return immediately if the GPU is busy.
|
|
*
|
|
* Allocate memory space for the buffer object pointed to by @bo, using
|
|
* the placement flags in @mem, potentially evicting other idle buffer objects.
|
|
* This function may sleep while waiting for space to become available.
|
|
* Returns:
|
|
* -EBUSY: No space available (only if no_wait == 1).
|
|
* -ENOMEM: Could not allocate memory for the buffer object, either due to
|
|
* fragmentation or concurrent allocators.
|
|
* -ERESTARTSYS: An interruptible sleep was interrupted by a signal.
|
|
*/
|
|
int ttm_bo_mem_space(struct ttm_buffer_object *bo,
|
|
struct ttm_placement *placement,
|
|
struct ttm_resource **mem,
|
|
struct ttm_operation_ctx *ctx);
|
|
|
|
/**
|
|
* ttm_bo_unmap_virtual
|
|
*
|
|
* @bo: tear down the virtual mappings for this BO
|
|
*/
|
|
void ttm_bo_unmap_virtual(struct ttm_buffer_object *bo);
|
|
|
|
/**
 * ttm_bo_reserve:
 *
 * @bo: A pointer to a struct ttm_buffer_object.
 * @interruptible: Sleep interruptible if waiting.
 * @no_wait: Don't sleep while trying to reserve, rather return -EBUSY.
 * @ticket: ticket used to acquire the ww_mutex. Must be NULL when @no_wait
 * is set: the trylock path takes no ticket, and a non-NULL one trips
 * WARN_ON() and is reported as -EBUSY.
 *
 * Locks a buffer object for validation. (Or prevents other processes from
 * locking it for validation), while taking a number of measures to prevent
 * deadlocks. The lock taken is the reservation object bo->base.resv.
 *
 * Returns:
 * 0: The trylock succeeded, or the blocking lock call returned 0.
 * -EDEADLK: The reservation may cause a deadlock.
 * Release all buffer reservations, wait for @bo to become unreserved and
 * try again.
 * -ERESTARTSYS: A wait for the buffer to become unreserved was interrupted by
 * a signal (the lock call returned -EINTR). Release all buffer reservations
 * and return to user-space.
 * -EBUSY: The function needed to sleep, but @no_wait was true; also returned
 * when @no_wait is combined with a non-NULL @ticket.
 * -EALREADY: Bo already reserved using @ticket.
 * NOTE(review): the earlier text tied -EALREADY to a @use_ticket parameter
 * that this signature does not have; presumably it means a non-NULL @ticket.
 *
 * Any other value comes straight from dma_resv_lock() or
 * dma_resv_lock_interruptible().
 */
static inline int ttm_bo_reserve(struct ttm_buffer_object *bo,
				 bool interruptible, bool no_wait,
				 struct ww_acquire_ctx *ticket)
{
	int err;

	if (no_wait) {
		/* The trylock below has no use for a ticket; treat one as a caller bug. */
		if (WARN_ON(ticket))
			return -EBUSY;

		if (!dma_resv_trylock(bo->base.resv))
			return -EBUSY;

		return 0;
	}

	err = interruptible ?
		dma_resv_lock_interruptible(bo->base.resv, ticket) :
		dma_resv_lock(bo->base.resv, ticket);

	/* Callers are handed -ERESTARTSYS in place of -EINTR. */
	return err == -EINTR ? -ERESTARTSYS : err;
}
|
|
|
|
/**
 * ttm_bo_reserve_slowpath:
 * @bo: A pointer to a struct ttm_buffer_object.
 * @interruptible: Sleep interruptible if waiting.
 * @ticket: ww_acquire_ctx handed to the slow-path lock call.
 * NOTE(review): the earlier text documented a @sequence parameter that this
 * signature does not have.
 *
 * This is called after ttm_bo_reserve asked us to back off and we released
 * all our other reservations. Because there are no other reservations
 * held by us, this function cannot deadlock any more.
 * NOTE(review): the earlier text named the back-off code as -EAGAIN, while
 * ttm_bo_reserve documents -EDEADLK; confirm which is meant.
 *
 * Returns:
 * 0 when @interruptible is false (dma_resv_lock_slow() has no return value).
 * Otherwise the result of dma_resv_lock_slow_interruptible(), with -EINTR
 * reported as -ERESTARTSYS.
 */
static inline int ttm_bo_reserve_slowpath(struct ttm_buffer_object *bo,
					  bool interruptible,
					  struct ww_acquire_ctx *ticket)
{
	int err;

	if (!interruptible) {
		dma_resv_lock_slow(bo->base.resv, ticket);
		return 0;
	}

	err = dma_resv_lock_slow_interruptible(bo->base.resv, ticket);

	/* Callers are handed -ERESTARTSYS in place of -EINTR. */
	return err == -EINTR ? -ERESTARTSYS : err;
}
|
|
|
|
/*
 * Wrapper around ttm_bo_move_to_lru_tail() that takes and releases
 * bo->bdev->lru_lock itself, for callers that do not already hold it.
 */
static inline void
ttm_bo_move_to_lru_tail_unlocked(struct ttm_buffer_object *bo)
{
	spinlock_t *lru_lock = &bo->bdev->lru_lock;

	spin_lock(lru_lock);
	ttm_bo_move_to_lru_tail(bo);
	spin_unlock(lru_lock);
}
|
|
|
|
/*
 * Attach @new_mem to @bo as its resource. The bo is expected to have no
 * resource at this point.
 */
static inline void ttm_bo_assign_mem(struct ttm_buffer_object *bo,
				     struct ttm_resource *new_mem)
{
	/*
	 * A resource that is still attached only triggers a warning; the
	 * assignment below goes ahead and overwrites the old pointer without
	 * freeing it here.
	 */
	WARN_ON(bo->resource != NULL);

	bo->resource = new_mem;
}
|
|
|
|
/**
 * ttm_bo_move_null - assign memory for a buffer object.
 * @bo: The bo to assign the memory to
 * @new_mem: The memory to be assigned.
 *
 * Frees the resource currently attached to @bo through ttm_resource_free()
 * and then assigns @new_mem as the bo's resource.
 */
static inline void ttm_bo_move_null(struct ttm_buffer_object *bo,
				    struct ttm_resource *new_mem)
{
	struct ttm_resource **slot = &bo->resource;

	/*
	 * Order matters: ttm_bo_assign_mem() warns if a resource is still
	 * attached, so the old one has to be released first. Presumably
	 * ttm_resource_free() also clears the pointer it is given - confirm
	 * against its definition.
	 */
	ttm_resource_free(bo, slot);
	ttm_bo_assign_mem(bo, new_mem);
}
|
|
|
|
/**
 * ttm_bo_unreserve
 *
 * @bo: A pointer to a struct ttm_buffer_object.
 *
 * Unreserve a previous reservation of @bo. The bo is first moved to the
 * tail of its LRU list (the LRU lock is taken internally), then the
 * reservation lock bo->base.resv is released.
 */
static inline void ttm_bo_unreserve(struct ttm_buffer_object *bo)
{
	struct dma_resv *resv;

	/* The LRU update happens while the reservation is still held. */
	ttm_bo_move_to_lru_tail_unlocked(bo);

	resv = bo->base.resv;
	dma_resv_unlock(resv);
}
|
|
|
|
/*
|
|
* ttm_bo_util.c
|
|
*/
|
|
int ttm_mem_io_reserve(struct ttm_device *bdev,
|
|
struct ttm_resource *mem);
|
|
void ttm_mem_io_free(struct ttm_device *bdev,
|
|
struct ttm_resource *mem);
|
|
|
|
/**
|
|
* ttm_bo_move_memcpy
|
|
*
|
|
* @bo: A pointer to a struct ttm_buffer_object.
|
|
* @interruptible: Sleep interruptible if waiting.
|
|
* @no_wait_gpu: Return immediately if the GPU is busy.
|
|
* @new_mem: struct ttm_resource indicating where to move.
|
|
*
|
|
* Fallback move function for a mappable buffer object in mappable memory.
|
|
* The function will, if successful,
|
|
* free any old aperture space, and set (@new_mem)->mm_node to NULL,
|
|
* and update the (@bo)->mem placement flags. If unsuccessful, the old
|
|
* data remains untouched, and it's up to the caller to free the
|
|
* memory space indicated by @new_mem.
|
|
* Returns:
|
|
* !0: Failure.
|
|
*/
|
|
|
|
int ttm_bo_move_memcpy(struct ttm_buffer_object *bo,
|
|
struct ttm_operation_ctx *ctx,
|
|
struct ttm_resource *new_mem);
|
|
|
|
/**
|
|
* ttm_bo_move_accel_cleanup.
|
|
*
|
|
* @bo: A pointer to a struct ttm_buffer_object.
|
|
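* @fence: A fence object that signals when moving is complete. Must not be
* NULL: the fence is passed on to dma_resv_add_fence(), which dereferences it.
* Use ttm_bo_move_sync_cleanup() when the bo is already idle and there is no
* fence to add.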
|
|
* @evict: This is an evict move. Don't return until the buffer is idle.
|
|
* @pipeline: evictions are to be pipelined.
|
|
* @new_mem: struct ttm_resource indicating where to move.
|
|
*
|
|
* Accelerated move function to be called when an accelerated move
|
|
* has been scheduled. The function will create a new temporary buffer object
|
|
* representing the old placement, and put the sync object on both buffer
|
|
* objects. After that the newly created buffer object is unref'd to be
|
|
* destroyed when the move is complete. This will help pipeline
|
|
* buffer moves.
|
|
*/
|
|
int ttm_bo_move_accel_cleanup(struct ttm_buffer_object *bo,
|
|
struct dma_fence *fence, bool evict,
|
|
bool pipeline,
|
|
struct ttm_resource *new_mem);
|
|
|
|
/**
|
|
* ttm_bo_move_sync_cleanup.
|
|
*
|
|
* @bo: A pointer to a struct ttm_buffer_object.
|
|
* @new_mem: struct ttm_resource indicating where to move.
|
|
*
|
|
* Special case of ttm_bo_move_accel_cleanup where the bo is guaranteed
|
|
* by the caller to be idle. Typically used after memcpy buffer moves.
|
|
*/
|
|
void ttm_bo_move_sync_cleanup(struct ttm_buffer_object *bo,
|
|
struct ttm_resource *new_mem);
|
|
|
|
/**
|
|
* ttm_bo_pipeline_gutting.
|
|
*
|
|
* @bo: A pointer to a struct ttm_buffer_object.
|
|
*
|
|
* Pipelined gutting a BO of its backing store.
|
|
*/
|
|
int ttm_bo_pipeline_gutting(struct ttm_buffer_object *bo);
|
|
|
|
/**
|
|
* ttm_io_prot
|
|
*
|
|
* @bo: ttm buffer object
|
|
* @res: ttm resource object
|
|
* @tmp: Page protection flag for a normal, cached mapping.
|
|
*
|
|
* Utility function that returns the pgprot_t that should be used for
|
|
* setting up a PTE with the caching model indicated by @c_state.
|
|
*/
|
|
pgprot_t ttm_io_prot(struct ttm_buffer_object *bo, struct ttm_resource *res,
|
|
pgprot_t tmp);
|
|
|
|
/**
|
|
* ttm_bo_tt_bind
|
|
*
|
|
* Bind the object tt to a memory resource.
|
|
*/
|
|
int ttm_bo_tt_bind(struct ttm_buffer_object *bo, struct ttm_resource *mem);
|
|
|
|
/**
|
|
* ttm_bo_tt_destroy.
|
|
*/
|
|
void ttm_bo_tt_destroy(struct ttm_buffer_object *bo);
|
|
|
|
void ttm_move_memcpy(bool clear,
|
|
u32 num_pages,
|
|
struct ttm_kmap_iter *dst_iter,
|
|
struct ttm_kmap_iter *src_iter);
|
|
|
|
struct ttm_kmap_iter *
|
|
ttm_kmap_iter_iomap_init(struct ttm_kmap_iter_iomap *iter_io,
|
|
struct io_mapping *iomap,
|
|
struct sg_table *st,
|
|
resource_size_t start);
|
|
#endif
|