drm/i915: Fix ref->mutex deadlock in i915_active_wait()

kerneltoast · gregkh · commit 04ad505eed58 · 2020-04-13T10:48:15.000+02:00
The following deadlock exists in i915_active_wait() due to a double lock on ref->mutex (call chain listed in order from top to bottom): i915_active_wait(); mutex_lock_interruptible(&ref->mutex); <-- ref->mutex first acquired i915_active_request_retire(); node_retire(); active_retire(); mutex_lock_nested(&ref->mutex, SINGLE_DEPTH_NESTING); <-- DEADLOCK Fix the deadlock by skipping the second ref->mutex lock when active_retire() is called through i915_active_request_retire(). Note that this bug only affects 5.4 and has since been fixed in 5.5. Normally, a backport of the fix from 5.5 would be in order, but the patch set that fixes this deadlock involves massive changes that are neither feasible nor desirable for backporting [1][2][3]. Therefore, this small patch was made to address the deadlock specifically for 5.4. [1] 274cbf2 ("drm/i915: Push the i915_active.retire into a worker") [2] 093b922 ("drm/i915: Split i915_active.mutex into an irq-safe spinlock for the rbtree") [3] 750bde2 ("drm/i915: Serialise with remote retirement") Fixes: 12c255b ("drm/i915: Provide an i915_active.acquire callback") Cc: <stable@vger.kernel.org> # 5.4.x Signed-off-by: Sultan Alsawaf <sultan@kerneltoast.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
diff --git a/drivers/gpu/drm/i915/i915_active.c b/drivers/gpu/drm/i915/i915_active.c
@@ -121,7 +121,7 @@ static inline void debug_active_assert(struct i915_active *ref) { }
 #endif
 
 static void
-__active_retire(struct i915_active *ref)
+__active_retire(struct i915_active *ref, bool lock)
 {
 	struct active_node *it, *n;
 	struct rb_root root;
@@ -138,7 +138,8 @@ __active_retire(struct i915_active *ref)
 		retire = true;
 	}
 
-	mutex_unlock(&ref->mutex);
+	if (likely(lock))
+		mutex_unlock(&ref->mutex);
 	if (!retire)
 		return;
 
@@ -153,21 +154,28 @@ __active_retire(struct i915_active *ref)
 }
 
 static void
-active_retire(struct i915_active *ref)
+active_retire(struct i915_active *ref, bool lock)
 {
 	GEM_BUG_ON(!atomic_read(&ref->count));
 	if (atomic_add_unless(&ref->count, -1, 1))
 		return;
 
 	/* One active may be flushed from inside the acquire of another */
-	mutex_lock_nested(&ref->mutex, SINGLE_DEPTH_NESTING);
-	__active_retire(ref);
+	if (likely(lock))
+		mutex_lock_nested(&ref->mutex, SINGLE_DEPTH_NESTING);
+	__active_retire(ref, lock);
 }
 
 static void
 node_retire(struct i915_active_request *base, struct i915_request *rq)
 {
-	active_retire(node_from_active(base)->ref);
+	active_retire(node_from_active(base)->ref, true);
+}
+
+static void
+node_retire_nolock(struct i915_active_request *base, struct i915_request *rq)
+{
+	active_retire(node_from_active(base)->ref, false);
 }
 
 static struct i915_active_request *
@@ -364,7 +372,7 @@ int i915_active_acquire(struct i915_active *ref)
 void i915_active_release(struct i915_active *ref)
 {
 	debug_active_assert(ref);
-	active_retire(ref);
+	active_retire(ref, true);
 }
 
 static void __active_ungrab(struct i915_active *ref)
@@ -391,7 +399,7 @@ void i915_active_ungrab(struct i915_active *ref)
 {
 	GEM_BUG_ON(!test_bit(I915_ACTIVE_GRAB_BIT, &ref->flags));
 
-	active_retire(ref);
+	active_retire(ref, true);
 	__active_ungrab(ref);
 }
 
@@ -421,12 +429,13 @@ int i915_active_wait(struct i915_active *ref)
 			break;
 		}
 
-		err = i915_active_request_retire(&it->base, BKL(ref));
+		err = i915_active_request_retire(&it->base, BKL(ref),
+						 node_retire_nolock);
 		if (err)
 			break;
 	}
 
-	__active_retire(ref);
+	__active_retire(ref, true);
 	if (err)
 		return err;
 
diff --git a/drivers/gpu/drm/i915/i915_active.h b/drivers/gpu/drm/i915/i915_active.h
@@ -309,7 +309,7 @@ i915_active_request_isset(const struct i915_active_request *active)
  */
 static inline int __must_check
 i915_active_request_retire(struct i915_active_request *active,
-			   struct mutex *mutex)
+			   struct mutex *mutex, i915_active_retire_fn retire)
 {
 	struct i915_request *request;
 	long ret;
@@ -327,7 +327,7 @@ i915_active_request_retire(struct i915_active_request *active,
 	list_del_init(&active->link);
 	RCU_INIT_POINTER(active->request, NULL);
 
-	active->retire(active, request);
+	retire(active, request);
 
 	return 0;
 }

Original file line number	Diff line number	Diff line change
`@@ -121,7 +121,7 @@ static inline void debug_active_assert(struct i915_active *ref) { }`
`121`	`121`	`#endif`
`122`	`122`
`123`	`123`	`static void`
`124`		`-__active_retire(struct i915_active *ref)`
	`124`	`+__active_retire(struct i915_active *ref, bool lock)`
`125`	`125`	`{`
`126`	`126`	`struct active_node it, n;`
`127`	`127`	`struct rb_root root;`
`@@ -138,7 +138,8 @@ __active_retire(struct i915_active *ref)`
`138`	`138`	`retire = true;`
`139`	`139`	`}`
`140`	`140`
`141`		`- mutex_unlock(&ref->mutex);`
	`141`	`+ if (likely(lock))`
	`142`	`+ mutex_unlock(&ref->mutex);`
`142`	`143`	`if (!retire)`
`143`	`144`	`return;`
`144`	`145`
`@@ -153,21 +154,28 @@ __active_retire(struct i915_active *ref)`
`153`	`154`	`}`
`154`	`155`
`155`	`156`	`static void`
`156`		`-active_retire(struct i915_active *ref)`
	`157`	`+active_retire(struct i915_active *ref, bool lock)`
`157`	`158`	`{`
`158`	`159`	`GEM_BUG_ON(!atomic_read(&ref->count));`
`159`	`160`	`if (atomic_add_unless(&ref->count, -1, 1))`
`160`	`161`	`return;`
`161`	`162`
`162`	`163`	`/* One active may be flushed from inside the acquire of another */`
`163`		`- mutex_lock_nested(&ref->mutex, SINGLE_DEPTH_NESTING);`
`164`		`- __active_retire(ref);`
	`164`	`+ if (likely(lock))`
	`165`	`+ mutex_lock_nested(&ref->mutex, SINGLE_DEPTH_NESTING);`
	`166`	`+ __active_retire(ref, lock);`
`165`	`167`	`}`
`166`	`168`
`167`	`169`	`static void`
`168`	`170`	`node_retire(struct i915_active_request base, struct i915_request rq)`
`169`	`171`	`{`
`170`		`- active_retire(node_from_active(base)->ref);`
	`172`	`+ active_retire(node_from_active(base)->ref, true);`
	`173`	`+}`
	`174`	`+`
	`175`	`+static void`
	`176`	`+node_retire_nolock(struct i915_active_request base, struct i915_request rq)`
	`177`	`+{`
	`178`	`+ active_retire(node_from_active(base)->ref, false);`
`171`	`179`	`}`
`172`	`180`
`173`	`181`	`static struct i915_active_request *`
`@@ -364,7 +372,7 @@ int i915_active_acquire(struct i915_active *ref)`
`364`	`372`	`void i915_active_release(struct i915_active *ref)`
`365`	`373`	`{`
`366`	`374`	`debug_active_assert(ref);`
`367`		`- active_retire(ref);`
	`375`	`+ active_retire(ref, true);`
`368`	`376`	`}`
`369`	`377`
`370`	`378`	`static void __active_ungrab(struct i915_active *ref)`
`@@ -391,7 +399,7 @@ void i915_active_ungrab(struct i915_active *ref)`
`391`	`399`	`{`
`392`	`400`	`GEM_BUG_ON(!test_bit(I915_ACTIVE_GRAB_BIT, &ref->flags));`
`393`	`401`
`394`		`- active_retire(ref);`
	`402`	`+ active_retire(ref, true);`
`395`	`403`	`__active_ungrab(ref);`
`396`	`404`	`}`
`397`	`405`
`@@ -421,12 +429,13 @@ int i915_active_wait(struct i915_active *ref)`
`421`	`429`	`break;`
`422`	`430`	`}`
`423`	`431`
`424`		`- err = i915_active_request_retire(&it->base, BKL(ref));`
	`432`	`+ err = i915_active_request_retire(&it->base, BKL(ref),`
	`433`	`+ node_retire_nolock);`
`425`	`434`	`if (err)`
`426`	`435`	`break;`
`427`	`436`	`}`
`428`	`437`
`429`		`- __active_retire(ref);`
	`438`	`+ __active_retire(ref, true);`
`430`	`439`	`if (err)`
`431`	`440`	`return err;`
`432`	`441`