Bug 101283 - skylake: page fault accessing address 0
Summary: skylake: page fault accessing address 0
Alias: None
Product: Mesa
Classification: Unclassified
Component: Drivers/Vulkan/intel
Version: 17.0
Hardware: Other All
Importance: medium normal
Assignee: Intel 3D Bugs Mailing List
QA Contact: Intel 3D Bugs Mailing List
Reported: 2017-06-02 23:37 UTC by Craig Stout
Modified: 2017-09-04 17:35 UTC

Description Craig Stout 2017-06-02 23:37:28 UTC
The function blorp_emit_gen8_hiz_op contains a pipe control operation that has only the WriteImmediateData bit set.  It doesn't specify an address, so this results in a store to address 0.

a) What is this pipe control for?  I don't see the need for it in the docs.

From what I can see, the docs for 3DSTATE_WM_HZ_OP say: "As this command generates an implicit rectangle, SW must make sure any MMIO register writes following WM_HZ_OP must be preceded by PIPE_CONTROL with Command Streamer Stall Enable bit set."

In the code there's a following PIPECONTROL with depth_stall and depth flush bits set, which corresponds to the docs in the section 'Depth Buffer Clear'.

b) How is it not a problem to emit a pipecontrol that writes to address 0?

Comment 1 Kenneth Graunke 2017-06-04 09:33:17 UTC
As for a), the comments in i965 are a bit better:

   /* Emit a PIPE_CONTROL with "Post-Sync Operation" set to "Write Immediate
    * Data", and no other bits set.  This causes 3DSTATE_WM_HZ_OP's state to
    * take effect, and spawns a rectangle primitive.

3DSTATE_WM_HZ_OP is kind of weird - it overrides all the state, and sets up a rectangle primitive that's about ready to fire...but it needs a flush to actually push it over the edge and make it happen.  No idea why they designed it this way.

b) It's absolutely a problem - that code is definitely broken.  Good catch!

Comment 2 Jason Ekstrand 2017-06-04 15:00:56 UTC
Ken, crazy idea but how would you feel about just pinning the workaround BO to address 0?

Comment 3 Craig Stout 2017-06-05 20:59:09 UTC
Fwiw, switching from WriteImmediateData to CommandStreamerStall on skylake appears to work.

How about making the zero page always invalid, to catch inadvertent accesses like this?

Comment 4 Jason Ekstrand 2017-06-06 01:53:59 UTC
There's a patch on the list to fix this:

Comment 5 Emil Velikov 2017-09-04 17:35:50 UTC
Issue should be resolved with the following. Feel free to reopen otherwise.

commit 9cb6ac62fbab86ed914152b40cb1f8f4ee7fdaff
Author: Jason Ekstrand <jason.ekstrand@intel.com>
Date:   Mon Jun 5 14:19:28 2017 -0700

    intel/blorp: Plumb through access to the workaround BO
