1. 06 Aug, 2024 3 commits
  2. 05 Aug, 2024 2 commits
  3. 18 Jul, 2024 3 commits
  4. 15 Jul, 2024 1 commit
  5. 09 Jul, 2024 1 commit
  6. 27 Jun, 2024 1 commit
  7. 20 Jun, 2024 2 commits
  8. 19 Jun, 2024 1 commit
    • Janusz Krzysztofik's avatar
      drm/i915/gt: Fix potential UAF by revoke of fence registers · 24bb052d
      Janusz Krzysztofik authored
      CI has been sporadically reporting the following issue triggered by
      igt@i915_selftest@live@hangcheck on ADL-P and similar machines:
      
      <6> [414.049203] i915: Running intel_hangcheck_live_selftests/igt_reset_evict_fence
      ...
      <6> [414.068804] i915 0000:00:02.0: [drm] GT0: GUC: submission enabled
      <6> [414.068812] i915 0000:00:02.0: [drm] GT0: GUC: SLPC enabled
      <3> [414.070354] Unable to pin Y-tiled fence; err:-4
      <3> [414.071282] i915_vma_revoke_fence:301 GEM_BUG_ON(!i915_active_is_idle(&fence->active))
      ...
      <4>[  609.603992] ------------[ cut here ]------------
      <2>[  609.603995] kernel BUG at drivers/gpu/drm/i915/gt/intel_ggtt_fencing.c:301!
      <4>[  609.604003] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
      <4>[  609.604006] CPU: 0 PID: 268 Comm: kworker/u64:3 Tainted: G     U  W          6.9.0-CI_DRM_14785-g1ba62f8cea9c+ #1
      <4>[  609.604008] Hardware name: Intel Corporation Alder Lake Client Platform/AlderLake-P DDR4 RVP, BIOS RPLPFWI1.R00.4035.A00.2301200723 01/20/2023
      <4>[  609.604010] Workqueue: i915 __i915_gem_free_work [i915]
      <4>[  609.604149] RIP: 0010:i915_vma_revoke_fence+0x187/0x1f0 [i915]
      ...
      <4>[  609.604271] Call Trace:
      <4>[  609.604273]  <TASK>
      ...
      <4>[  609.604716]  __i915_vma_evict+0x2e9/0x550 [i915]
      <4>[  609.604852]  __i915_vma_unbind+0x7c/0x160 [i915]
      <4>[  609.604977]  force_unbind+0x24/0xa0 [i915]
      <4>[  609.605098]  i915_vma_destroy+0x2f/0xa0 [i915]
      <4>[  609.605210]  __i915_gem_object_pages_fini+0x51/0x2f0 [i915]
      <4>[  609.605330]  __i915_gem_free_objects.isra.0+0x6a/0xc0 [i915]
      <4>[  609.605440]  process_scheduled_works+0x351/0x690
      ...
      
      In the past, there were similar failures reported by CI from other IGT
      tests, observed on other platforms.
      
      Before commit 63baf4f3 ("drm/i915/gt: Only wait for GPU activity
      before unbinding a GGTT fence"), i915_vma_revoke_fence() was waiting for
      idleness of vma->active via fence_update().   That commit introduced
      vma->fence->active in order for the fence_update() to be able to wait
      selectively on that one instead of vma->active since only idleness of
      fence registers was needed.  But then, another commit 0d86ee35
      ("drm/i915/gt: Make fence revocation unequivocal") replaced the call to
      fence_update() in i915_vma_revoke_fence() with only fence_write(), and
      also added that GEM_BUG_ON(!i915_active_is_idle(&fence->active)) in front.
      No justification was provided on why we might then expect idleness of
      vma->fence->active without first waiting on it.
      
      The issue can be potentially caused by a race among revocation of fence
      registers on one side and sequential execution of signal callbacks invoked
      on completion of a request that was using them on the other, still
      processed in parallel to revocation of those fence registers.  Fix it by
      waiting for idleness of vma->fence->active in i915_vma_revoke_fence().
      
      Fixes: 0d86ee35 ("drm/i915/gt: Make fence revocation unequivocal")
      Closes: https://gitlab.freedesktop.org/drm/intel/issues/10021Signed-off-by: default avatarJanusz Krzysztofik <janusz.krzysztofik@linux.intel.com>
      Cc: stable@vger.kernel.org # v5.8+
      Reviewed-by: default avatarAndi Shyti <andi.shyti@linux.intel.com>
      Signed-off-by: default avatarAndi Shyti <andi.shyti@linux.intel.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/20240603195446.297690-2-janusz.krzysztofik@linux.intel.com
      24bb052d
  9. 15 Jun, 2024 2 commits
  10. 12 Jun, 2024 1 commit
    • Jonathan Cavitt's avatar
      drm/i915/gem: Downgrade stolen lmem setup warning · 05da7d9f
      Jonathan Cavitt authored
      In the case where lmem_size < dsm_base, hardware is reporting that
      stolen lmem is unusable.  In this case, instead of throwing a warning,
      we can continue execution as normal by disabling stolen LMEM support.
      For example, this change will allow the following error report from
      ATS-M to no longer apply:
      
      <6> [144.859887] pcieport 0000:4b:00.0: bridge window [mem 0xb1000000-0xb11fffff]
      <6> [144.859900] pcieport 0000:4b:00.0: bridge window [mem 0x3bbc00000000-0x3bbc17ffffff 64bit pref]
      <6> [144.859917] pcieport 0000:4c:01.0: PCI bridge to [bus 4d-4e]
      <6> [144.859932] pcieport 0000:4c:01.0: bridge window [mem 0xb1000000-0xb11fffff]
      <6> [144.859945] pcieport 0000:4c:01.0: bridge window [mem 0x3bbc00000000-0x3bbc17ffffff 64bit pref]
      <6> [144.859984] i915 0000:4d:00.0: [drm] BAR2 resized to 256M
      <6> [144.860640] i915 0000:4d:00.0: [drm] Using a reduced BAR size of 256MiB. Consider enabling 'Resizable BAR' or similar, if available in the BIOS.
      <4> [144.860719] -----------[ cut here ]-----------
      <4> [144.860727] WARNING: CPU: 17 PID: 1815 at drivers/gpu/drm/i915/gem/i915_gem_stolen.c:939 i915_gem_stolen_lmem_setup+0x38c/0x430 [i915]
      <4> [144.861430] Modules linked in: i915 snd_intel_dspcfg snd_hda_codec snd_hwdep snd_hda_core snd_pcm vgem drm_shmem_helper prime_numbers i2c_algo_bit ttm video drm_display_helper drm_buddy fuse x86_pkg_temp_thermal coretemp kvm_intel kvm ixgbe mdio irqbypass ptp crct10dif_pclmul crc32_pclmul ghash_clmulni_intel pps_core i2c_i801 mei_me i2c_smbus mei wmi acpi_power_meter [last unloaded: i915]
      <4> [144.861611] CPU: 17 PID: 1815 Comm: i915_module_loa Tainted: G U 6.8.0-rc5-drmtip_1515-g78f49af27723+ #1
      <4> [144.861624] Hardware name: Intel Corporation WHITLEY/WHITLEY, BIOS SE5C6200.86B.0020.P41.2109300305 09/30/2021
      <4> [144.861632] RIP: 0010:i915_gem_stolen_lmem_setup+0x38c/0x430 [i915]
      <4> [144.862287] Code: ff 41 c1 e4 05 e9 ac fe ff ff 4d 63 e4 48 89 ef 48 85 ed 74 04 48 8b 7d 08 48 c7 c6 10 a3 7b a0 e8 e9 90 43 e1 e9 ee fd ff ff <0f> 0b 49 c7 c4 ed ff ff ff e9 e0 fd ff ff 0f b7 d2 48 c7 c6 00 d9
      <4> [144.862299] RSP: 0018:ffffc90005607980 EFLAGS: 00010207
      <4> [144.862315] RAX: fffffffffff00000 RBX: 0000000000000003 RCX: 0000000000000000
      
      Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/10833Suggested-by: default avatarChris Wilson <chris.p.wilson@linux.intel.com>
      Signed-off-by: default avatarJonathan Cavitt <jonathan.cavitt@intel.com>
      Reviewed-by: default avatarAndi Shyti <andi.shyti@linux.intel.com>
      Signed-off-by: default avatarAndi Shyti <andi.shyti@linux.intel.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/20240422135959.4127003-1-jonathan.cavitt@intel.com
      05da7d9f
  11. 11 Jun, 2024 2 commits
  12. 07 Jun, 2024 1 commit
  13. 06 Jun, 2024 2 commits
  14. 22 May, 2024 1 commit
  15. 16 May, 2024 6 commits
  16. 14 May, 2024 1 commit
    • Chris Wilson's avatar
      drm/i915/gt: Disarm breadcrumbs if engines are already idle · fbad43ec
      Chris Wilson authored
      The breadcrumbs use a GT wakeref for guarding the interrupt, but are
      disarmed during release of the engine wakeref. This leaves a hole where
      we may attach a breadcrumb just as the engine is parking (after it has
      parked its breadcrumbs), execute the irq worker with some signalers still
      attached, but never be woken again.
      
      That issue manifests itself in CI with IGT runner timeouts while tests
      are waiting indefinitely for release of all GT wakerefs.
      
      <6> [209.151778] i915: Running live_engine_pm_selftests/live_engine_busy_stats
      <7> [209.231628] i915 0000:00:02.0: [drm:intel_power_well_disable [i915]] disabling PW_5
      <7> [209.231816] i915 0000:00:02.0: [drm:intel_power_well_disable [i915]] disabling PW_4
      <7> [209.231944] i915 0000:00:02.0: [drm:intel_power_well_disable [i915]] disabling PW_3
      <7> [209.232056] i915 0000:00:02.0: [drm:intel_power_well_disable [i915]] disabling PW_2
      <7> [209.232166] i915 0000:00:02.0: [drm:intel_power_well_disable [i915]] disabling DC_off
      <7> [209.232270] i915 0000:00:02.0: [drm:skl_enable_dc6 [i915]] Enabling DC6
      <7> [209.232368] i915 0000:00:02.0: [drm:gen9_set_dc_state.part.0 [i915]] Setting DC state from 00 to 02
      <4> [299.356116] [IGT] Inactivity timeout exceeded. Killing the current test with SIGQUIT.
      ...
      <6> [299.356526] sysrq: Show State
      ...
      <6> [299.373964] task:i915_selftest   state:D stack:11784 pid:5578  tgid:5578  ppid:873    flags:0x00004002
      <6> [299.373967] Call Trace:
      <6> [299.373968]  <TASK>
      <6> [299.373970]  __schedule+0x3bb/0xda0
      <6> [299.373974]  schedule+0x41/0x110
      <6> [299.373976]  intel_wakeref_wait_for_idle+0x82/0x100 [i915]
      <6> [299.374083]  ? __pfx_var_wake_function+0x10/0x10
      <6> [299.374087]  live_engine_busy_stats+0x9b/0x500 [i915]
      <6> [299.374173]  __i915_subtests+0xbe/0x240 [i915]
      <6> [299.374277]  ? __pfx___intel_gt_live_setup+0x10/0x10 [i915]
      <6> [299.374369]  ? __pfx___intel_gt_live_teardown+0x10/0x10 [i915]
      <6> [299.374456]  intel_engine_live_selftests+0x1c/0x30 [i915]
      <6> [299.374547]  __run_selftests+0xbb/0x190 [i915]
      <6> [299.374635]  i915_live_selftests+0x4b/0x90 [i915]
      <6> [299.374717]  i915_pci_probe+0x10d/0x210 [i915]
      
      At the end of the interrupt worker, if there are no more engines awake,
      disarm the breadcrumb and go to sleep.
      
      Fixes: 9d5612ca ("drm/i915/gt: Defer enabling the breadcrumb interrupt to after submission")
      Closes: https://gitlab.freedesktop.org/drm/intel/issues/10026Signed-off-by: default avatarChris Wilson <chris@chris-wilson.co.uk>
      Cc: Andrzej Hajda <andrzej.hajda@intel.com>
      Cc: <stable@vger.kernel.org> # v5.12+
      Signed-off-by: default avatarJanusz Krzysztofik <janusz.krzysztofik@linux.intel.com>
      Acked-by: default avatarNirmoy Das <nirmoy.das@intel.com>
      Reviewed-by: default avatarAndrzej Hajda <andrzej.hajda@intel.com>
      Reviewed-by: default avatarAndi Shyti <andi.shyti@linux.intel.com>
      Signed-off-by: default avatarAndi Shyti <andi.shyti@linux.intel.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/20240423165505.465734-2-janusz.krzysztofik@linux.intel.com
      fbad43ec
  17. 13 May, 2024 1 commit
  18. 10 May, 2024 3 commits
  19. 09 May, 2024 2 commits
  20. 08 May, 2024 3 commits
  21. 07 May, 2024 1 commit
    • Janusz Krzysztofik's avatar
      Revert "drm/i915: Remove extra multi-gt pm-references" · 749670a5
      Janusz Krzysztofik authored
      This reverts commit 1f33dc0c.
      
      There was a patch supposed to fix an issue of illegal attempts to free a
      still active i915 VMA object when parking a GT believed to be idle,
      reported by CI on 2-GT Meteor Lake.  As a solution, an extra wakeref for
      a Primary GT was acquired from i915_gem_do_execbuffer() -- see commit
      f56fe3e9 ("drm/i915: Fix a VMA UAF for multi-gt platform").
      
      However, that fix occurred insufficient -- the issue was still reported by
      CI.  That wakeref was released on exit from i915_gem_do_execbuffer(), then
      potentially before completion of the request and deactivation of its
      associated VMAs.  Moreover, CI reports indicated that single-GT platforms
      also suffered sporadically from the same race.
      
      Since that issue was fixed by another commit f3c71b2d ("drm/i915/vma:
      Fix UAF on destroy against retire race"), the changes introduced by that
      insufficient fix were dropped as no longer useful.  However, that series
      resulted in another VMA UAF scenario now being triggered in CI.
      
      <4> [260.290809] ------------[ cut here ]------------
      <4> [260.290988] list_del corruption. prev->next should be ffff888118c5d990, but was ffff888118c5a510. (prev=ffff888118c5a510)
      <4> [260.291004] WARNING: CPU: 2 PID: 1143 at lib/list_debug.c:62 __list_del_entry_valid_or_report+0xb7/0xe0
      ..
      <4> [260.291055] CPU: 2 PID: 1143 Comm: kms_plane Not tainted 6.9.0-rc2-CI_DRM_14524-ga25d180c6853+ #1
      <4> [260.291058] Hardware name: Intel Corporation Meteor Lake Client Platform/MTL-P LP5x T3 RVP, BIOS MTLPFWI1.R00.3471.D91.2401310918 01/31/2024
      <4> [260.291060] RIP: 0010:__list_del_entry_valid_or_report+0xb7/0xe0
      ...
      <4> [260.291087] Call Trace:
      <4> [260.291089]  <TASK>
      <4> [260.291124]  i915_vma_reopen+0x43/0x80 [i915]
      <4> [260.291298]  eb_lookup_vmas+0x9cb/0xcc0 [i915]
      <4> [260.291579]  i915_gem_do_execbuffer+0xc9a/0x26d0 [i915]
      <4> [260.291883]  i915_gem_execbuffer2_ioctl+0x123/0x2a0 [i915]
      ...
      <4> [260.292301]  </TASK>
      ...
      <4> [260.292506] ---[ end trace 0000000000000000 ]---
      <4> [260.292782] general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6ca3: 0000 [#1] PREEMPT SMP NOPTI
      <4> [260.303575] CPU: 2 PID: 1143 Comm: kms_plane Tainted: G        W          6.9.0-rc2-CI_DRM_14524-ga25d180c6853+ #1
      <4> [260.313851] Hardware name: Intel Corporation Meteor Lake Client Platform/MTL-P LP5x T3 RVP, BIOS MTLPFWI1.R00.3471.D91.2401310918 01/31/2024
      <4> [260.326359] RIP: 0010:eb_validate_vmas+0x114/0xd80 [i915]
      ...
      <4> [260.428756] Call Trace:
      <4> [260.431192]  <TASK>
      <4> [639.283393]  i915_gem_do_execbuffer+0xd05/0x26d0 [i915]
      <4> [639.305245]  i915_gem_execbuffer2_ioctl+0x123/0x2a0 [i915]
      ...
      <4> [639.411134]  </TASK>
      ...
      <4> [639.449979] ---[ end trace 0000000000000000 ]---
      
      We defer actually closing, unbinding and destroying a VMA until next idle
      point, or until the object is freed in the meantime.  By postponing the
      unbind, we allow for the VMA to be reopened by the client, avoiding the
      work required to rebind the VMA.
      
      Starting from commit b0647a5e ("drm/i915: Avoid live-lock with
      i915_vma_parked()"), we assume that as long as a GT is held idle, no VMA
      would be reopened while we destroy them.  That assumption is no longer
      true in multi-GT configurations, where a VMA we reopen may be handled by a
      GT different from the one that we already keep active via its engine while
      we set up an execbuf request.
      
      Restoring the extra GT0 PM wakeref removed from i915_gem_do_execbuffer()
      processing path seems to fix this issue.
      
      Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/10608Signed-off-by: default avatarJanusz Krzysztofik <janusz.krzysztofik@linux.intel.com>
      Cc: Rodrigo Vivi <rodrigo.vivi@intel.com>
      Cc: Nirmoy Das <nirmoy.das@linux.intel.com>
      Reviewed-by: default avatarNirmoy Das <nirmoy.das@linux.intel.com>
      Fixes: 1f33dc0c ("drm/i915: Remove extra multi-gt pm-references")
      Link: https://patchwork.freedesktop.org/patch/msgid/20240506180253.96858-2-janusz.krzysztofik@linux.intel.comSigned-off-by: default avatarRodrigo Vivi <rodrigo.vivi@intel.com>
      749670a5