| Message ID | 1400238502-10299-1-git-send-email-oscar.mateo@intel.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
On Fri, May 16, 2014 at 12:08:22PM +0100, oscar.mateo@intel.com wrote: > From: Oscar Mateo <oscar.mateo@intel.com> > > Otherwise, we do a NULL pointer dereference. > > I've seen this happen while handling an error in > i915_gem_object_pin_to_display_plane(): > > If i915_gem_object_set_cache_level() fails, we call is_pin_display() > to handle the error. At this point, the object is still not pinned > to GGTT and maybe not even bound, so we have to check before we > dereference its GGTT vma. > > v2: Chris Wilson says restoring the old value is easier, but that > is_pin_display is useful as a theory of operation. Take the solomonic > decision: at least this way is_pin_display is a little more robust > (until Chris can kill it off). > > Issue: VIZ-3772 I heard you wrote a testcase? > Signed-off-by: Oscar Mateo <oscar.mateo@intel.com> > --- > drivers/gpu/drm/i915/i915_gem.c | 16 ++++++++++++++-- > 1 file changed, 14 insertions(+), 2 deletions(-) > > diff --git a/drivers/gpu/drm/i915/i915_gem.c b/drivers/gpu/drm/i915/i915_gem.c > index 034ba2c..211b778 100644 > --- a/drivers/gpu/drm/i915/i915_gem.c > +++ b/drivers/gpu/drm/i915/i915_gem.c > @@ -3641,6 +3641,15 @@ unlock: > > static bool is_pin_display(struct drm_i915_gem_object *obj) > { > + struct i915_vma *vma; > + > + if (list_empty(&obj->vma_list)) > + return false; Hmm, this is so that we don't trigger the WARN from inside i915_gem_obj_to_ggtt(). I would say that means the WARN in the callee has outlived its usefulness. Other callers WARN if they fail to find the ggtt_vma they expect, so I think we can just drop the WARN and save the duplication here. > + > + vma = i915_gem_obj_to_ggtt(obj); > + if (!vma) > + return false; > + > /* There are 3 sources that pin objects: > * 1. The display engine (scanouts, sprites, cursors); > * 2. Reservations for execbuffer; > @@ -3652,7 +3661,7 @@ static bool is_pin_display(struct drm_i915_gem_object *obj) > * subtracting the potential reference by the user, any pin_count > * remains, it must be due to another use by the display engine. > */ > - return i915_gem_obj_to_ggtt(obj)->pin_count - !!obj->user_pin_count; > + return vma->pin_count - !!obj->user_pin_count; > } > > /* > @@ -3666,6 +3675,7 @@ i915_gem_object_pin_to_display_plane(struct drm_i915_gem_object *obj, > struct intel_ring_buffer *pipelined) > { > u32 old_read_domains, old_write_domain; > + bool was_pin_display; > int ret; > > if (pipelined != obj->ring) { > @@ -3677,6 +3687,7 @@ i915_gem_object_pin_to_display_plane(struct drm_i915_gem_object *obj, > /* Mark the pin_display early so that we account for the > * display coherency whilst setting up the cache domains. > */ > + was_pin_display = obj->pin_display; > obj->pin_display = true; > > /* The display engine is not coherent with the LLC cache on gen6. As > @@ -3719,7 +3730,8 @@ i915_gem_object_pin_to_display_plane(struct drm_i915_gem_object *obj, > return 0; > > err_unpin_display: > - obj->pin_display = is_pin_display(obj); > + WARN_ON(was_pin_display != is_pin_display(obj)); > + obj->pin_display = was_pin_display; > return ret; > } Ok, this looks like a useful check. Other than the debate over the placement of the WARN() in i915_gem_obj_to_ggtt() (maybe leave a comment here to remind us to drop the WARN and the check later?), Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk> -Chris
diff --git a/drivers/gpu/drm/i915/i915_gem.c b/drivers/gpu/drm/i915/i915_gem.c index 034ba2c..211b778 100644 --- a/drivers/gpu/drm/i915/i915_gem.c +++ b/drivers/gpu/drm/i915/i915_gem.c @@ -3641,6 +3641,15 @@ unlock: static bool is_pin_display(struct drm_i915_gem_object *obj) { + struct i915_vma *vma; + + if (list_empty(&obj->vma_list)) + return false; + + vma = i915_gem_obj_to_ggtt(obj); + if (!vma) + return false; + /* There are 3 sources that pin objects: * 1. The display engine (scanouts, sprites, cursors); * 2. Reservations for execbuffer; @@ -3652,7 +3661,7 @@ static bool is_pin_display(struct drm_i915_gem_object *obj) * subtracting the potential reference by the user, any pin_count * remains, it must be due to another use by the display engine. */ - return i915_gem_obj_to_ggtt(obj)->pin_count - !!obj->user_pin_count; + return vma->pin_count - !!obj->user_pin_count; } /* @@ -3666,6 +3675,7 @@ i915_gem_object_pin_to_display_plane(struct drm_i915_gem_object *obj, struct intel_ring_buffer *pipelined) { u32 old_read_domains, old_write_domain; + bool was_pin_display; int ret; if (pipelined != obj->ring) { @@ -3677,6 +3687,7 @@ i915_gem_object_pin_to_display_plane(struct drm_i915_gem_object *obj, /* Mark the pin_display early so that we account for the * display coherency whilst setting up the cache domains. */ + was_pin_display = obj->pin_display; obj->pin_display = true; /* The display engine is not coherent with the LLC cache on gen6. As @@ -3719,7 +3730,8 @@ i915_gem_object_pin_to_display_plane(struct drm_i915_gem_object *obj, return 0; err_unpin_display: - obj->pin_display = is_pin_display(obj); + WARN_ON(was_pin_display != is_pin_display(obj)); + obj->pin_display = was_pin_display; return ret; }