From 96c7cda65c369172bc659b8b666e4048d8081e58 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Sat, 11 Apr 2020 13:39:46 +0200 Subject: [PATCH] 5.4-stable patches added patches: drm-i915-fix-ref-mutex-deadlock-in-i915_active_wait.patch --- ...f-mutex-deadlock-in-i915_active_wait.patch | 150 ++++++++++++++++++ queue-5.4/series | 1 + 2 files changed, 151 insertions(+) create mode 100644 queue-5.4/drm-i915-fix-ref-mutex-deadlock-in-i915_active_wait.patch diff --git a/queue-5.4/drm-i915-fix-ref-mutex-deadlock-in-i915_active_wait.patch b/queue-5.4/drm-i915-fix-ref-mutex-deadlock-in-i915_active_wait.patch new file mode 100644 index 00000000000..4f81e63299a --- /dev/null +++ b/queue-5.4/drm-i915-fix-ref-mutex-deadlock-in-i915_active_wait.patch @@ -0,0 +1,150 @@ +From sultan@kerneltoast.com Sat Apr 11 13:39:11 2020 +From: Sultan Alsawaf +Date: Tue, 7 Apr 2020 13:32:22 -0700 +Subject: drm/i915: Fix ref->mutex deadlock in i915_active_wait() +To: stable@vger.kernel.org +Cc: Greg KH , Jani Nikula , Joonas Lahtinen , Rodrigo Vivi , David Airlie , Daniel Vetter , Chris Wilson , intel-gfx@lists.freedesktop.org, dri-devel@lists.freedesktop.org, Sultan Alsawaf +Message-ID: <20200407203222.2493-1-sultan@kerneltoast.com> + +From: Sultan Alsawaf + +The following deadlock exists in i915_active_wait() due to a double lock +on ref->mutex (call chain listed in order from top to bottom): + i915_active_wait(); + mutex_lock_interruptible(&ref->mutex); <-- ref->mutex first acquired + i915_active_request_retire(); + node_retire(); + active_retire(); + mutex_lock_nested(&ref->mutex, SINGLE_DEPTH_NESTING); <-- DEADLOCK + +Fix the deadlock by skipping the second ref->mutex lock when +active_retire() is called through i915_active_request_retire(). + +Note that this bug only affects 5.4 and has since been fixed in 5.5. +Normally, a backport of the fix from 5.5 would be in order, but the +patch set that fixes this deadlock involves massive changes that are +neither feasible nor desirable for backporting [1][2][3]. Therefore, +this small patch was made to address the deadlock specifically for 5.4. + +[1] 274cbf20fd10 ("drm/i915: Push the i915_active.retire into a worker") +[2] 093b92287363 ("drm/i915: Split i915_active.mutex into an irq-safe spinlock for the rbtree") +[3] 750bde2fd4ff ("drm/i915: Serialise with remote retirement") + +Fixes: 12c255b5dad1 ("drm/i915: Provide an i915_active.acquire callback") +Cc: # 5.4.x +Signed-off-by: Sultan Alsawaf +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/i915/i915_active.c | 29 +++++++++++++++++++---------- + drivers/gpu/drm/i915/i915_active.h | 4 ++-- + 2 files changed, 21 insertions(+), 12 deletions(-) + +--- a/drivers/gpu/drm/i915/i915_active.c ++++ b/drivers/gpu/drm/i915/i915_active.c +@@ -121,7 +121,7 @@ static inline void debug_active_assert(s + #endif + + static void +-__active_retire(struct i915_active *ref) ++__active_retire(struct i915_active *ref, bool lock) + { + struct active_node *it, *n; + struct rb_root root; +@@ -138,7 +138,8 @@ __active_retire(struct i915_active *ref) + retire = true; + } + +- mutex_unlock(&ref->mutex); ++ if (likely(lock)) ++ mutex_unlock(&ref->mutex); + if (!retire) + return; + +@@ -153,21 +154,28 @@ __active_retire(struct i915_active *ref) + } + + static void +-active_retire(struct i915_active *ref) ++active_retire(struct i915_active *ref, bool lock) + { + GEM_BUG_ON(!atomic_read(&ref->count)); + if (atomic_add_unless(&ref->count, -1, 1)) + return; + + /* One active may be flushed from inside the acquire of another */ +- mutex_lock_nested(&ref->mutex, SINGLE_DEPTH_NESTING); +- __active_retire(ref); ++ if (likely(lock)) ++ mutex_lock_nested(&ref->mutex, SINGLE_DEPTH_NESTING); ++ __active_retire(ref, lock); + } + + static void + node_retire(struct i915_active_request *base, struct i915_request *rq) + { +- active_retire(node_from_active(base)->ref); ++ active_retire(node_from_active(base)->ref, true); ++} ++ ++static void ++node_retire_nolock(struct i915_active_request *base, struct i915_request *rq) ++{ ++ active_retire(node_from_active(base)->ref, false); + } + + static struct i915_active_request * +@@ -364,7 +372,7 @@ int i915_active_acquire(struct i915_acti + void i915_active_release(struct i915_active *ref) + { + debug_active_assert(ref); +- active_retire(ref); ++ active_retire(ref, true); + } + + static void __active_ungrab(struct i915_active *ref) +@@ -391,7 +399,7 @@ void i915_active_ungrab(struct i915_acti + { + GEM_BUG_ON(!test_bit(I915_ACTIVE_GRAB_BIT, &ref->flags)); + +- active_retire(ref); ++ active_retire(ref, true); + __active_ungrab(ref); + } + +@@ -421,12 +429,13 @@ int i915_active_wait(struct i915_active + break; + } + +- err = i915_active_request_retire(&it->base, BKL(ref)); ++ err = i915_active_request_retire(&it->base, BKL(ref), ++ node_retire_nolock); + if (err) + break; + } + +- __active_retire(ref); ++ __active_retire(ref, true); + if (err) + return err; + +--- a/drivers/gpu/drm/i915/i915_active.h ++++ b/drivers/gpu/drm/i915/i915_active.h +@@ -309,7 +309,7 @@ i915_active_request_isset(const struct i + */ + static inline int __must_check + i915_active_request_retire(struct i915_active_request *active, +- struct mutex *mutex) ++ struct mutex *mutex, i915_active_retire_fn retire) + { + struct i915_request *request; + long ret; +@@ -327,7 +327,7 @@ i915_active_request_retire(struct i915_a + list_del_init(&active->link); + RCU_INIT_POINTER(active->request, NULL); + +- active->retire(active, request); ++ retire(active, request); + + return 0; + } diff --git a/queue-5.4/series b/queue-5.4/series index 8d1a17bd6a5..e610ea6aa99 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -37,3 +37,4 @@ bluetooth-rfcomm-fix-odebug-bug-in-rfcomm_dev_ioctl.patch rdma-cm-update-num_paths-in-cma_resolve_iboe_route-error-flow.patch blk-mq-keep-set-nr_hw_queues-and-set-map.nr_queues-in-sync.patch fbcon-fix-null-ptr-deref-in-fbcon_switch.patch +drm-i915-fix-ref-mutex-deadlock-in-i915_active_wait.patch -- 2.47.3