Created attachment 111627 [details] kernel 3.17.7 log [32697.506023] ------------[ cut here ]------------ [32697.506045] WARNING: CPU: 6 PID: 102 at drivers/gpu/drm/i915/intel_display.c:8977 intel_fb_obj_invalidate+0xe1/0xf0 [i915]() [32697.506046] Modules linked in: rfcomm fuse nf_conntrack_netbios_ns nf_conntrack_broadcast ip6t_rpfilter ip6t_REJECT xt_conntrack cfg80211 ebtable_nat ebtable_broute bridge stp llc ebtable_filter ebtables ip6table_nat nf_conntrack_ipv6 nf_defrag_ipv6 nf_nat_ipv6 ip6table_mangle ip6table_security ip6table_raw ip6table_filter ip6_tables iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack iptable_mangle iptable_security iptable_raw bnep hid_logitech_dj iTCO_wdt iTCO_vendor_support ppdev btrfs xor x86_pkg_temp_thermal coretemp kvm_intel kvm crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel raid6_pq vfat fat snd_hda_codec_realtek snd_hda_codec_generic snd_hda_codec_hdmi serio_raw snd_hda_intel snd_hda_controller snd_emu10k1 snd_hda_codec snd_util_mem snd_hwdep snd_rawmidi [32697.506076] snd_seq i2c_i801 snd_ac97_codec ac97_bus snd_seq_device emu10k1_gp gameport snd_pcm snd_timer mei_me lpc_ich snd mei mfd_core shpchp soundcore btusb bluetooth parport_pc rfkill parport tpm_infineon tpm_tis tpm nfsd auth_rpcgss nfs_acl lockd binfmt_misc sunrpc uas usb_storage i915 i2c_algo_bit drm_kms_helper firewire_ohci firewire_core drm crc_itu_t r8169 mii video [32697.506091] CPU: 6 PID: 102 Comm: kswapd0 Tainted: G W 3.17.7-300.fc21.x86_64+debug #1 [32697.506092] Hardware name: Gigabyte Technology Co., Ltd. Z87M-D3H/Z87M-D3H, BIOS F11 08/12/2014 [32697.506093] 0000000000000000 00000000bef7e54e ffff8807ee55f9e8 ffffffff8183413f [32697.506095] 0000000000000000 ffff8807ee55fa20 ffffffff810a348d ffff8806df3fb200 [32697.506097] ffff8807ee2e6000 ffff8807ec6d0000 0000000000000000 ffff8807ec6d0000 [32697.506099] Call Trace: [32697.506103] [<ffffffff8183413f>] dump_stack+0x4d/0x66 [32697.506106] [<ffffffff810a348d>] warn_slowpath_common+0x7d/0xa0 [32697.506108] [<ffffffff810a35ba>] warn_slowpath_null+0x1a/0x20 [32697.506121] [<ffffffffa012f7b1>] intel_fb_obj_invalidate+0xe1/0xf0 [i915] [32697.506130] [<ffffffffa00f5261>] i915_gem_object_set_to_cpu_domain+0xa1/0x310 [i915] [32697.506138] [<ffffffffa00f5512>] i915_gem_object_put_pages_gtt+0x42/0x200 [i915] [32697.506157] [<ffffffffa00f180c>] ? i915_gem_gtt_finish_object+0xec/0x120 [i915] [32697.506166] [<ffffffffa00f351e>] i915_gem_object_put_pages+0x7e/0x100 [i915] [32697.506175] [<ffffffffa00f7e10>] __i915_gem_shrink+0x280/0x330 [i915] [32697.506183] [<ffffffffa00f8768>] i915_gem_shrinker_scan+0x88/0xc0 [i915] [32697.506185] [<ffffffff811e98ef>] shrink_slab_node+0x11f/0x3f0 [32697.506187] [<ffffffff811e9c3f>] ? shrink_slab+0x3f/0x180 [32697.506189] [<ffffffff811e9c8b>] shrink_slab+0x8b/0x180 [32697.506190] [<ffffffff811ed8da>] kswapd_shrink_zone+0x14a/0x200 [32697.506192] [<ffffffff811ee4fc>] kswapd+0x52c/0xaa0 [32697.506204] [<ffffffff811edfd0>] ? mem_cgroup_shrink_node_zone+0x2e0/0x2e0 [32697.506206] [<ffffffff810c9f68>] kthread+0x108/0x120 [32697.506208] [<ffffffff810ffa3d>] ? trace_hardirqs_on_caller+0x15d/0x200 [32697.506210] [<ffffffff810c9e60>] ? kthread_create_on_node+0x250/0x250 [32697.506212] [<ffffffff8183e33c>] ret_from_fork+0x7c/0xb0 [32697.506224] [<ffffffff810c9e60>] ? kthread_create_on_node+0x250/0x250 [32697.506225] ---[ end trace f5c75bbb4ecd1f19 ]---
That should correspond to: WARN_ON(!mutex_is_locked(&dev->struct_mutex)); which is presumably a race in mutex_is_locked_by(), specifically if we inspect mutex->owner after the atomic_dec(&mutex->count) in mutex_lock() but before mutex_set_owner(). This appears to be an issue for CONFIG_DEBUG_MUTEXES since: void mutex_lock() { #ifndef CONFIG_DEBUG_MUTEXES /* * When debugging is enabled we must not clear the owner before time, * the slow path will always be taken, and that clears the owner field * after verifying that it was indeed current. */ mutex_clear_owner(lock); #endif } So the correct fix is: diff --git a/drivers/gpu/drm/i915/i915_gem.c b/drivers/gpu/drm/i915/i915_gem.c index ad55b06a3cb1..4c14db9587a6 100644 --- a/drivers/gpu/drm/i915/i915_gem.c +++ b/drivers/gpu/drm/i915/i915_gem.c @@ -5024,7 +5024,7 @@ static bool mutex_is_locked_by(struct mutex *mutex, struct task_struct *task) if (!mutex_is_locked(mutex)) return false; -#if defined(CONFIG_SMP) || defined(CONFIG_DEBUG_MUTEXES) +#if defined(CONFIG_SMP) && !defined(CONFIG_DEBUG_MUTEXES) return mutex->owner == task; #else /* Since UP may be pre-empted, we cannot assume that we own the lock */
Actually: diff --git a/kernel/locking/mutex-debug.c b/kernel/locking/mutex-debug.c index 5cf6731..3ef3736 100644 --- a/kernel/locking/mutex-debug.c +++ b/kernel/locking/mutex-debug.c @@ -80,13 +80,13 @@ void debug_mutex_unlock(struct mutex *lock) DEBUG_LOCKS_WARN_ON(lock->owner != current); DEBUG_LOCKS_WARN_ON(!lock->wait_list.prev && !lock->wait_list.next); - mutex_clear_owner(lock); } /* * __mutex_slowpath_needs_to_unlock() is explicitly 0 for debug * mutexes so that we can do it here after we've verified state. */ + mutex_clear_owner(lock); atomic_set(&lock->count, 1); }
(And some mb() to serialise the atomic-vs-read)
*** Bug 88000 has been marked as a duplicate of this bug. ***
Fixed by commit e3e6efcd638d3caa18d9e89f235c7d6fc32c1f0b Author: Chris Wilson <chris@chris-wilson.co.uk> Date: Fri Jan 2 09:47:10 2015 +0000 drm/i915: Fix mutex->owner inspection race under DEBUG_MUTEXES in drm-intel-fixes. Thanks for the report, and please reopen if the problem persists with that commit.
Closing >1 year old resolved+fixed.
Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.