linux/drivers/gpu/drm/i915
Chris Wilson ccc9e67ab2 drm/i915/display: Defer initial modeset until after GGTT is initialised
Prior to sanitizing the GGTT, the only operations allowed in
intel_display_init_nogem() are those to reserve the preallocated (and
active) regions in the GGTT leftover from the BIOS. Trying to allocate a
GGTT vma (such as intel_pin_and_fence_fb_obj during the initial modeset)
may then conflict with other preallocated regions that have not yet been
protected.

Move the initial modesetting from the end of init_nogem to the beginning
of init so that any vma pinning (either framebuffers or DSB, for example),
is after the GGTT is ready to handle it.

This will prevent the DSB object from being destroyed too early:

[   53.449241] BUG: KASAN: use-after-free in i915_init_ggtt+0x324/0x9e0 [i915]
[   53.449309] Read of size 8 at addr ffff88811b1e8070 by task systemd-udevd/345

[   53.449399] CPU: 1 PID: 345 Comm: systemd-udevd Tainted: G        W         5.10.0-rc5+ #12
[   53.449409] Call Trace:
[   53.449418]  dump_stack+0x9a/0xcc
[   53.449558]  ? i915_init_ggtt+0x324/0x9e0 [i915]
[   53.449565]  print_address_description.constprop.0+0x3e/0x60
[   53.449577]  ? _raw_spin_lock_irqsave+0x4e/0x50
[   53.449718]  ? i915_init_ggtt+0x324/0x9e0 [i915]
[   53.449849]  ? i915_init_ggtt+0x324/0x9e0 [i915]
[   53.449857]  kasan_report.cold+0x1f/0x37
[   53.449993]  ? i915_init_ggtt+0x324/0x9e0 [i915]
[   53.450130]  i915_init_ggtt+0x324/0x9e0 [i915]
[   53.450273]  ? i915_ggtt_suspend+0x1f0/0x1f0 [i915]
[   53.450281]  ? static_obj+0x69/0x80
[   53.450289]  ? lockdep_init_map_waits+0xa9/0x310
[   53.450431]  ? intel_wopcm_init+0x96/0x3d0 [i915]
[   53.450581]  ? i915_gem_init+0x75/0x2d0 [i915]
[   53.450720]  i915_gem_init+0x75/0x2d0 [i915]
[   53.450852]  i915_driver_probe+0x8c2/0x1210 [i915]
[   53.450993]  ? i915_pm_prepare+0x630/0x630 [i915]
[   53.451006]  ? check_chain_key+0x1e7/0x2e0
[   53.451025]  ? __pm_runtime_resume+0x58/0xb0
[   53.451157]  i915_pci_probe+0xa6/0x2b0 [i915]
[   53.451285]  ? i915_pci_remove+0x40/0x40 [i915]
[   53.451295]  ? lockdep_hardirqs_on_prepare+0x124/0x230
[   53.451302]  ? _raw_spin_unlock_irqrestore+0x42/0x50
[   53.451309]  ? lockdep_hardirqs_on+0xbf/0x130
[   53.451315]  ? preempt_count_sub+0xf/0xb0
[   53.451321]  ? _raw_spin_unlock_irqrestore+0x2f/0x50
[   53.451335]  pci_device_probe+0xf9/0x190
[   53.451350]  really_probe+0x17f/0x5b0
[   53.451365]  driver_probe_device+0x13a/0x1c0
[   53.451376]  device_driver_attach+0x82/0x90
[   53.451386]  ? device_driver_attach+0x90/0x90
[   53.451391]  __driver_attach+0xab/0x190
[   53.451401]  ? device_driver_attach+0x90/0x90
[   53.451407]  bus_for_each_dev+0xe4/0x140
[   53.451414]  ? subsys_dev_iter_exit+0x10/0x10
[   53.451423]  ? __list_add_valid+0x2b/0xa0
[   53.451440]  bus_add_driver+0x227/0x2e0
[   53.451454]  driver_register+0xd3/0x150
[   53.451585]  i915_init+0x92/0xac [i915]
[   53.451592]  ? 0xffffffffa0a20000
[   53.451598]  do_one_initcall+0xb6/0x3b0
[   53.451606]  ? trace_event_raw_event_initcall_finish+0x150/0x150
[   53.451614]  ? __kasan_kmalloc.constprop.0+0xc2/0xd0
[   53.451627]  ? kmem_cache_alloc_trace+0x4a4/0x8e0
[   53.451634]  ? kasan_unpoison_shadow+0x33/0x40
[   53.451649]  do_init_module+0xf8/0x350
[   53.451662]  load_module+0x43de/0x47f0
[   53.451716]  ? module_frob_arch_sections+0x20/0x20
[   53.451731]  ? rw_verify_area+0x5f/0x130
[   53.451780]  ? __do_sys_finit_module+0x10d/0x1a0
[   53.451785]  __do_sys_finit_module+0x10d/0x1a0
[   53.451792]  ? __ia32_sys_init_module+0x40/0x40
[   53.451800]  ? seccomp_do_user_notification.isra.0+0x5c0/0x5c0
[   53.451829]  ? rcu_read_lock_bh_held+0xb0/0xb0
[   53.451835]  ? mark_held_locks+0x24/0x90
[   53.451856]  do_syscall_64+0x33/0x80
[   53.451863]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   53.451868] RIP: 0033:0x7fde09b4470d
[   53.451875] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 53 f7 0c 00 f7 d8 64 89 01 48
[   53.451880] RSP: 002b:00007ffd6abc1718 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
[   53.451890] RAX: ffffffffffffffda RBX: 000056444e528150 RCX: 00007fde09b4470d
[   53.451895] RDX: 0000000000000000 RSI: 00007fde09a21ded RDI: 000000000000000f
[   53.451899] RBP: 0000000000020000 R08: 0000000000000000 R09: 0000000000000000
[   53.451904] R10: 000000000000000f R11: 0000000000000246 R12: 00007fde09a21ded
[   53.451909] R13: 0000000000000000 R14: 000056444e329200 R15: 000056444e528150

[   53.451957] Allocated by task 345:
[   53.451995]  kasan_save_stack+0x1b/0x40
[   53.452001]  __kasan_kmalloc.constprop.0+0xc2/0xd0
[   53.452006]  kmem_cache_alloc+0x1cd/0x8d0
[   53.452146]  i915_vma_instance+0x126/0xb70 [i915]
[   53.452304]  i915_gem_object_ggtt_pin_ww+0x222/0x3f0 [i915]
[   53.452446]  intel_dsb_prepare+0x14f/0x230 [i915]
[   53.452588]  intel_atomic_commit+0x183/0x690 [i915]
[   53.452730]  intel_initial_commit+0x2bc/0x2f0 [i915]
[   53.452871]  intel_modeset_init_nogem+0xa02/0x2af0 [i915]
[   53.452995]  i915_driver_probe+0x8af/0x1210 [i915]
[   53.453120]  i915_pci_probe+0xa6/0x2b0 [i915]
[   53.453125]  pci_device_probe+0xf9/0x190
[   53.453131]  really_probe+0x17f/0x5b0
[   53.453136]  driver_probe_device+0x13a/0x1c0
[   53.453142]  device_driver_attach+0x82/0x90
[   53.453148]  __driver_attach+0xab/0x190
[   53.453153]  bus_for_each_dev+0xe4/0x140
[   53.453158]  bus_add_driver+0x227/0x2e0
[   53.453164]  driver_register+0xd3/0x150
[   53.453286]  i915_init+0x92/0xac [i915]
[   53.453292]  do_one_initcall+0xb6/0x3b0
[   53.453297]  do_init_module+0xf8/0x350
[   53.453302]  load_module+0x43de/0x47f0
[   53.453307]  __do_sys_finit_module+0x10d/0x1a0
[   53.453312]  do_syscall_64+0x33/0x80
[   53.453318]  entry_SYSCALL_64_after_hwframe+0x44/0xa9

[   53.453345] Freed by task 82:
[   53.453379]  kasan_save_stack+0x1b/0x40
[   53.453384]  kasan_set_track+0x1c/0x30
[   53.453389]  kasan_set_free_info+0x1b/0x30
[   53.453394]  __kasan_slab_free+0x112/0x160
[   53.453399]  kmem_cache_free+0xb2/0x3f0
[   53.453536]  i915_gem_flush_free_objects+0x31a/0x3b0 [i915]
[   53.453542]  process_one_work+0x519/0x9f0
[   53.453547]  worker_thread+0x75/0x5c0
[   53.453552]  kthread+0x1da/0x230
[   53.453557]  ret_from_fork+0x22/0x30

[   53.453584] The buggy address belongs to the object at ffff88811b1e8040
                which belongs to the cache i915_vma of size 968
[   53.453692] The buggy address is located 48 bytes inside of
                968-byte region [ffff88811b1e8040, ffff88811b1e8408)
[   53.453792] The buggy address belongs to the page:
[   53.453842] page:00000000b35f7048 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88811b1ef940 pfn:0x11b1e8
[   53.453847] head:00000000b35f7048 order:3 compound_mapcount:0 compound_pincount:0
[   53.453853] flags: 0x8000000000010200(slab|head)
[   53.453860] raw: 8000000000010200 ffff888115596248 ffff888115596248 ffff8881155b6340
[   53.453866] raw: ffff88811b1ef940 0000000000170001 00000001ffffffff 0000000000000000
[   53.453870] page dumped because: kasan: bad access detected

[   53.453895] Memory state around the buggy address:
[   53.453944]  ffff88811b1e7f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   53.454011]  ffff88811b1e7f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   53.454079] >ffff88811b1e8000: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[   53.454146]                                                              ^
[   53.454211]  ffff88811b1e8080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   53.454279]  ffff88811b1e8100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   53.454347] ==================================================================
[   53.454414] Disabling lock debugging due to kernel taint
[   53.454434] general protection fault, probably for non-canonical address 0xdead0000000000d0: 0000 [#1] PREEMPT SMP KASAN PTI
[   53.454446] CPU: 1 PID: 345 Comm: systemd-udevd Tainted: G    B   W         5.10.0-rc5+ #12
[   53.454592] RIP: 0010:i915_init_ggtt+0x26f/0x9e0 [i915]
[   53.454602] Code: 89 8d 48 ff ff ff 4c 8d 60 d0 49 39 c7 0f 84 37 02 00 00 4c 89 b5 40 ff ff ff 4d 8d bc 24 90 00 00 00 4c 89 ff e8 c1 97 f8 e0 <49> 83 bc 24 90 00 00 00 00 0f 84 0f 02 00 00 49 8d 7c 24 08 e8 a8
[   53.454618] RSP: 0018:ffff88812247f430 EFLAGS: 00010286
[   53.454625] RAX: 0000000000000000 RBX: ffff888136440000 RCX: ffffffffa03fb78f
[   53.454633] RDX: 0000000000000000 RSI: 0000000000000008 RDI: dead000000000160
[   53.454641] RBP: ffff88812247f500 R08: ffffffff8113589f R09: 0000000000000000
[   53.454648] R10: ffffffff83063843 R11: fffffbfff060c708 R12: dead0000000000d0
[   53.454656] R13: ffff888136449ba0 R14: 0000000000002000 R15: dead000000000160
[   53.454664] FS:  00007fde095c4880(0000) GS:ffff88840c880000(0000) knlGS:0000000000000000
[   53.454672] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   53.454679] CR2: 00007fef132b4f28 CR3: 000000012245c002 CR4: 00000000003706e0
[   53.454686] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   53.454693] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   53.454700] Call Trace:
[   53.454833]  ? i915_ggtt_suspend+0x1f0/0x1f0 [i915]

Reported-by: Matthew Auld <matthew.auld@intel.com>
Fixes: afeda4f3b1 ("drm/i915/dsb: Pre allocate and late cleanup of cmd buffer")
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Cc: Ville Syrjälä <ville.syrjala@linux.intel.com>
Cc: Matthew Auld <matthew.auld@intel.com>
Cc: Lucas De Marchi <lucas.demarchi@intel.com>
Tested-by: Matthew Auld <matthew.auld@intel.com>
Reviewed-by: Matthew Auld <matthew.auld@intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20201125193032.29282-1-chris@chris-wilson.co.uk
(cherry picked from commit b3bf99daae)
Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
2020-12-02 17:05:58 -08:00
..
display drm/i915/display: Defer initial modeset until after GGTT is initialised 2020-12-02 17:05:58 -08:00
gem drm/i915/gem: Pull phys pread/pwrite implementations to the backend 2020-11-12 19:47:30 -05:00
gt drm/i915/gt: Limit frequency drop to RPe on parking 2020-12-02 17:05:58 -08:00
gvt drm/i915/gvt: correct a false comment of flag F_UNALIGN 2020-11-24 09:17:41 -08:00
selftests drm/i915/selftests: Fix wrong return value of perf_request_latency() 2020-11-16 18:06:28 -05:00
.gitignore .gitignore: add SPDX License Identifier 2020-03-25 11:50:48 +01:00
Kconfig drm/i915: use vmap in i915_gem_object_map 2020-10-18 09:27:10 -07:00
Kconfig.debug drm/i915: Exclude low pages (128KiB) of stolen from use 2020-10-21 08:32:28 -04:00
Kconfig.profile drm/i915: Replace the hardcoded I915_FENCE_TIMEOUT 2020-05-09 12:57:57 +01:00
Kconfig.unstable
Makefile drm/i915: Factor out HDCP shim functions from dp for use by dp_mst 2020-09-01 13:02:33 +05:30
i915_active.c drm next for 5.10-rc1 2020-10-15 10:46:16 -07:00
i915_active.h drm/i915: Provide a fastpath for waiting on vma bindings 2020-09-07 13:29:19 +03:00
i915_active_types.h
i915_buddy.c drm/i915/buddy: avoid double list_add 2020-03-06 14:33:08 +00:00
i915_buddy.h
i915_cmd_parser.c drm/i915: Avoid mixing integer types during batch copies 2020-09-30 14:24:54 -04:00
i915_config.c drm/i915: Replace the hardcoded I915_FENCE_TIMEOUT 2020-05-09 12:57:57 +01:00
i915_debugfs.c drm/i915/gem: Serialise debugfs i915_gem_objects with ctx->mutex 2020-09-30 14:24:37 -04:00
i915_debugfs.h drm/i915: have *_debugfs_init() functions return void. 2020-03-18 16:27:22 +01:00
i915_debugfs_params.c drm/i915/params: switch to device specific parameters 2020-06-22 23:26:40 +03:00
i915_debugfs_params.h
i915_drv.c drm/i915: Reduce INTEL_DISPLAY_ENABLED to just removing the outputs 2020-09-15 14:57:13 +03:00
i915_drv.h drm/i915: Force VT'd workarounds when running as a guest OS 2020-10-21 08:32:30 -04:00
i915_fixed.h
i915_gem.c drm/i915/gem: Pull phys pread/pwrite implementations to the backend 2020-11-12 19:47:30 -05:00
i915_gem.h drm/i915: Use per object locking in execbuf, v12. 2020-09-07 14:30:07 +03:00
i915_gem_evict.c drm/i915: Handle idling during i915_gem_evict_something busy loops 2020-05-13 14:39:41 -07:00
i915_gem_gtt.c drm/i915: Update dma-attributes for our sg DMA 2020-07-07 11:00:47 +01:00
i915_gem_gtt.h drm/i915: Remove PIN_UPDATE for i915_vma_pin 2020-05-21 17:33:51 +01:00
i915_getparam.c drm/i915: add syncobj timeline support 2020-08-17 16:16:51 -04:00
i915_globals.c
i915_globals.h
i915_gpu_error.c drm/i915: Use the active reference on the vma while capturing 2020-10-19 13:29:57 -04:00
i915_gpu_error.h drm/i915: Move the engine mask to intel_gt_info 2020-07-08 21:07:11 +01:00
i915_ioc32.c i915 compat ioctl(): just use drm_ioctl_kernel() 2020-05-01 20:35:26 -04:00
i915_ioc32.h drm/i915: add i915_ioc32.h for compat 2020-03-02 13:32:37 +02:00
i915_irq.c drm/i915: Introduce intel_hpd_hotplug_irqs() 2020-09-15 18:01:35 +03:00
i915_irq.h
i915_memcpy.c drm/i915: remove always-defined CONFIG_AS_MOVNTDQA 2020-04-09 00:01:59 +09:00
i915_memcpy.h
i915_mm.c mm: don't include asm/pgtable.h if linux/mm.h is already included 2020-06-09 09:39:13 -07:00
i915_params.c drm/i915: Initial implementation of PSR2 selective fetch 2020-08-17 16:17:15 -04:00
i915_params.h drm/i915: Initial implementation of PSR2 selective fetch 2020-08-17 16:17:15 -04:00
i915_pci.c drm/i915: Restore ILK-M RPS support 2020-10-29 14:20:20 -04:00
i915_perf.c drm/i915/perf: workaround register corruption in OATAILPTR 2020-11-24 09:17:41 -08:00
i915_perf.h
i915_perf_types.h drm/i915/perf: Schedule oa_config after modifying the contexts 2020-03-30 18:20:34 +01:00
i915_pmu.c treewide: Use fallthrough pseudo-keyword 2020-08-23 17:36:59 -05:00
i915_pmu.h drm/i915: significantly reduce the use of <drm/i915_drm.h> 2020-02-27 08:35:09 +02:00
i915_priolist_types.h drm/i915/gt: Prevent timeslicing into unpreemptable requests 2020-06-16 11:34:23 +03:00
i915_pvinfo.h
i915_query.c drm/i915/sseu: Move sseu_info under gt_info 2020-07-08 21:13:09 +01:00
i915_query.h
i915_reg.h drm/i915/perf: workaround register corruption in OATAILPTR 2020-11-24 09:17:41 -08:00
i915_request.c drm/i915: Cancel outstanding work after disabling heartbeats on an engine 2020-09-30 14:24:46 -04:00
i915_request.h drm/i915/gt: Split the breadcrumb spinlock between global and contexts 2020-12-02 17:05:58 -08:00
i915_scatterlist.c
i915_scatterlist.h
i915_scheduler.c drm/i915: Don't set queue-priority hint when supressing the reschedule 2020-05-25 15:40:26 +03:00
i915_scheduler.h drm/i915: Mark concurrent submissions with a weak-dependency 2020-05-11 10:54:04 -07:00
i915_scheduler_types.h drm/i915: Drop no-semaphore boosting 2020-05-14 06:14:33 +01:00
i915_selftest.h drm/i915/gem: Implement legacy MI_STORE_DATA_IMM 2020-05-04 15:15:04 +01:00
i915_suspend.c drm/i915: Nuke CACHE_MODE_0 save/restore 2020-09-14 16:20:57 +03:00
i915_suspend.h
i915_sw_fence.c treewide: Make all debug_obj_descriptors const 2020-09-24 21:56:25 +02:00
i915_sw_fence.h
i915_sw_fence_work.c drm/i915: Immediately execute the fenced work 2020-03-25 13:05:04 +00:00
i915_sw_fence_work.h drm/i915: Immediately execute the fenced work 2020-03-25 13:05:04 +00:00
i915_switcheroo.c drm/i915/switcheroo: use struct drm_device based logging 2020-04-08 13:49:35 +03:00
i915_switcheroo.h
i915_syncmap.c
i915_syncmap.h
i915_sysfs.c drm/i915/gt: Expose engine properties via sysfs 2020-02-28 22:03:19 +00:00
i915_sysfs.h
i915_trace.h drm/i915: Drop i915_request.i915 backpointer 2020-06-03 13:53:39 +01:00
i915_trace_points.c
i915_user_extensions.c
i915_user_extensions.h
i915_utils.c drm/i915: Don't taint when using fault injection 2020-07-06 19:21:07 +01:00
i915_utils.h drm/i915: Remove unused inline function drain_delayed_work() 2020-07-15 10:16:44 +01:00
i915_vgpu.c drm/i915/vgpu: improve vgpu abstractions 2020-03-03 17:46:54 +02:00
i915_vgpu.h drm/i915/vgpu: improve vgpu abstractions 2020-03-03 17:46:54 +02:00
i915_vma.c drm/i915: Hold onto an explicit ref to i915_vma_work.pinned 2020-11-03 19:22:42 -05:00
i915_vma.h drm/i915: Make sure execbuffer always passes ww state to i915_vma_pin. 2020-09-07 14:31:13 +03:00
i915_vma_types.h drm/i915: Export ppgtt_bind_vma 2020-07-03 15:14:35 +01:00
intel_device_info.c drm/i915: disable all display features when no display 2020-09-11 13:16:48 +03:00
intel_device_info.h drm/i915/rkl: Handle HTI 2020-08-17 16:16:07 -04:00
intel_dram.c drm/i915/dram: prefer struct drm_device based logging 2020-04-08 13:49:35 +03:00
intel_dram.h drm/i915: split out intel_dram.[ch] from i915_drv.c 2020-02-27 09:16:01 +02:00
intel_gvt.c drm/i915/params: switch to device specific parameters 2020-06-22 23:26:40 +03:00
intel_gvt.h
intel_memory_region.c drm/i915/region: fix max size calculation 2020-10-29 14:20:17 -04:00
intel_memory_region.h
intel_pch.c drm/i915/dg1: Add fake PCH 2020-07-14 02:47:21 -07:00
intel_pch.h drm/i915/dg1: Add fake PCH 2020-07-14 02:47:21 -07:00
intel_pm.c drm/i915/tgl: Fix Media power gate sequence. 2020-11-16 18:06:21 -05:00
intel_pm.h drm/i915: Fix includes and local vars order 2020-05-22 14:40:35 +01:00
intel_region_lmem.c drm/i915/params: switch to device specific parameters 2020-06-22 23:26:40 +03:00
intel_region_lmem.h
intel_runtime_pm.c Merge drm/drm-next into drm-intel-next-queued 2020-06-25 18:05:03 +03:00
intel_runtime_pm.h
intel_sideband.c drm/i915: Nuke dpio_phy_iosf_port[] 2020-09-11 16:59:49 +03:00
intel_sideband.h
intel_uncore.c drm/i915: Drop runtime-pm assert from vgpu io accessors 2020-10-21 08:32:32 -04:00
intel_uncore.h drm/i915: Use the gt in HAS_ENGINE 2020-07-08 21:07:09 +01:00
intel_wakeref.c drm/i915: Extend intel_wakeref to support delayed puts 2020-03-23 12:51:05 +00:00
intel_wakeref.h drm/i915: Extend intel_wakeref to support delayed puts 2020-03-23 12:51:05 +00:00
intel_wopcm.c drm/i915: Remove cnl pre-prod workarounds 2020-05-04 18:44:52 +03:00
intel_wopcm.h
vlv_suspend.c
vlv_suspend.h