Bug 87955 - WARNING: CPU: 6 PID: 102 at drivers/gpu/drm/i915/intel_display.c:8977 intel_fb_obj_invalidate+0xe1/0xf0 [i915]()
Summary: WARNING: CPU: 6 PID: 102 at drivers/gpu/drm/i915/intel_display.c:8977 intel_f...
Status: CLOSED FIXED
Alias: None
Product: DRI
Classification: Unclassified
Component: DRM/Intel (show other bugs)
Version: DRI git
Hardware: Other All
: medium normal
Assignee: Intel GFX Bugs mailing list
QA Contact: Intel GFX Bugs mailing list
URL:
Whiteboard:
Keywords:
: 88000 (view as bug list)
Depends on:
Blocks:
 
Reported: 2015-01-01 23:20 UTC by mikhail.v.gavrilov
Modified: 2017-07-03 13:57 UTC (History)
1 user (show)

See Also:
i915 platform:
i915 features:


Attachments
kernel 3.17.7 log (140.27 KB, text/plain)
2015-01-01 23:20 UTC, mikhail.v.gavrilov
no flags Details

Description mikhail.v.gavrilov 2015-01-01 23:20:59 UTC
Created attachment 111627 [details]
kernel 3.17.7 log

[32697.506023] ------------[ cut here ]------------
[32697.506045] WARNING: CPU: 6 PID: 102 at drivers/gpu/drm/i915/intel_display.c:8977 intel_fb_obj_invalidate+0xe1/0xf0 [i915]()
[32697.506046] Modules linked in: rfcomm fuse nf_conntrack_netbios_ns nf_conntrack_broadcast ip6t_rpfilter ip6t_REJECT xt_conntrack cfg80211 ebtable_nat ebtable_broute bridge stp llc ebtable_filter ebtables ip6table_nat nf_conntrack_ipv6 nf_defrag_ipv6 nf_nat_ipv6 ip6table_mangle ip6table_security ip6table_raw ip6table_filter ip6_tables iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack iptable_mangle iptable_security iptable_raw bnep hid_logitech_dj iTCO_wdt iTCO_vendor_support ppdev btrfs xor x86_pkg_temp_thermal coretemp kvm_intel kvm crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel raid6_pq vfat fat snd_hda_codec_realtek snd_hda_codec_generic snd_hda_codec_hdmi serio_raw snd_hda_intel snd_hda_controller snd_emu10k1 snd_hda_codec snd_util_mem snd_hwdep snd_rawmidi
[32697.506076]  snd_seq i2c_i801 snd_ac97_codec ac97_bus snd_seq_device emu10k1_gp gameport snd_pcm snd_timer mei_me lpc_ich snd mei mfd_core shpchp soundcore btusb bluetooth parport_pc rfkill parport tpm_infineon tpm_tis tpm nfsd auth_rpcgss nfs_acl lockd binfmt_misc sunrpc uas usb_storage i915 i2c_algo_bit drm_kms_helper firewire_ohci firewire_core drm crc_itu_t r8169 mii video
[32697.506091] CPU: 6 PID: 102 Comm: kswapd0 Tainted: G        W      3.17.7-300.fc21.x86_64+debug #1
[32697.506092] Hardware name: Gigabyte Technology Co., Ltd. Z87M-D3H/Z87M-D3H, BIOS F11 08/12/2014
[32697.506093]  0000000000000000 00000000bef7e54e ffff8807ee55f9e8 ffffffff8183413f
[32697.506095]  0000000000000000 ffff8807ee55fa20 ffffffff810a348d ffff8806df3fb200
[32697.506097]  ffff8807ee2e6000 ffff8807ec6d0000 0000000000000000 ffff8807ec6d0000
[32697.506099] Call Trace:
[32697.506103]  [<ffffffff8183413f>] dump_stack+0x4d/0x66
[32697.506106]  [<ffffffff810a348d>] warn_slowpath_common+0x7d/0xa0
[32697.506108]  [<ffffffff810a35ba>] warn_slowpath_null+0x1a/0x20
[32697.506121]  [<ffffffffa012f7b1>] intel_fb_obj_invalidate+0xe1/0xf0 [i915]
[32697.506130]  [<ffffffffa00f5261>] i915_gem_object_set_to_cpu_domain+0xa1/0x310 [i915]
[32697.506138]  [<ffffffffa00f5512>] i915_gem_object_put_pages_gtt+0x42/0x200 [i915]
[32697.506157]  [<ffffffffa00f180c>] ? i915_gem_gtt_finish_object+0xec/0x120 [i915]
[32697.506166]  [<ffffffffa00f351e>] i915_gem_object_put_pages+0x7e/0x100 [i915]
[32697.506175]  [<ffffffffa00f7e10>] __i915_gem_shrink+0x280/0x330 [i915]
[32697.506183]  [<ffffffffa00f8768>] i915_gem_shrinker_scan+0x88/0xc0 [i915]
[32697.506185]  [<ffffffff811e98ef>] shrink_slab_node+0x11f/0x3f0
[32697.506187]  [<ffffffff811e9c3f>] ? shrink_slab+0x3f/0x180
[32697.506189]  [<ffffffff811e9c8b>] shrink_slab+0x8b/0x180
[32697.506190]  [<ffffffff811ed8da>] kswapd_shrink_zone+0x14a/0x200
[32697.506192]  [<ffffffff811ee4fc>] kswapd+0x52c/0xaa0
[32697.506204]  [<ffffffff811edfd0>] ? mem_cgroup_shrink_node_zone+0x2e0/0x2e0
[32697.506206]  [<ffffffff810c9f68>] kthread+0x108/0x120
[32697.506208]  [<ffffffff810ffa3d>] ? trace_hardirqs_on_caller+0x15d/0x200
[32697.506210]  [<ffffffff810c9e60>] ? kthread_create_on_node+0x250/0x250
[32697.506212]  [<ffffffff8183e33c>] ret_from_fork+0x7c/0xb0
[32697.506224]  [<ffffffff810c9e60>] ? kthread_create_on_node+0x250/0x250
[32697.506225] ---[ end trace f5c75bbb4ecd1f19 ]---
Comment 1 Chris Wilson 2015-01-02 09:17:21 UTC
That should correspond to:

WARN_ON(!mutex_is_locked(&dev->struct_mutex));

which is presumably a race in mutex_is_locked_by(), specifically if we inspect mutex->owner after the atomic_dec(&mutex->count) in mutex_lock() but before mutex_set_owner().

This appears to be an issue for CONFIG_DEBUG_MUTEXES since:

void mutex_lock()
{
#ifndef CONFIG_DEBUG_MUTEXES
        /*
         * When debugging is enabled we must not clear the owner before time,
         * the slow path will always be taken, and that clears the owner field
         * after verifying that it was indeed current.
         */
        mutex_clear_owner(lock);
#endif
}

So the correct fix is:

diff --git a/drivers/gpu/drm/i915/i915_gem.c b/drivers/gpu/drm/i915/i915_gem.c
index ad55b06a3cb1..4c14db9587a6 100644
--- a/drivers/gpu/drm/i915/i915_gem.c
+++ b/drivers/gpu/drm/i915/i915_gem.c
@@ -5024,7 +5024,7 @@ static bool mutex_is_locked_by(struct mutex *mutex, struct task_struct *task)
        if (!mutex_is_locked(mutex))
                return false;
 
-#if defined(CONFIG_SMP) || defined(CONFIG_DEBUG_MUTEXES)
+#if defined(CONFIG_SMP) && !defined(CONFIG_DEBUG_MUTEXES)
        return mutex->owner == task;
 #else
        /* Since UP may be pre-empted, we cannot assume that we own the lock */
Comment 2 Chris Wilson 2015-01-02 09:26:01 UTC
Actually:

diff --git a/kernel/locking/mutex-debug.c b/kernel/locking/mutex-debug.c
index 5cf6731..3ef3736 100644
--- a/kernel/locking/mutex-debug.c
+++ b/kernel/locking/mutex-debug.c
@@ -80,13 +80,13 @@ void debug_mutex_unlock(struct mutex *lock)
                        DEBUG_LOCKS_WARN_ON(lock->owner != current);
 
                DEBUG_LOCKS_WARN_ON(!lock->wait_list.prev && !lock->wait_list.next);
-               mutex_clear_owner(lock);
        }
 
        /*
         * __mutex_slowpath_needs_to_unlock() is explicitly 0 for debug
         * mutexes so that we can do it here after we've verified state.
         */
+       mutex_clear_owner(lock);
        atomic_set(&lock->count, 1);
 }
Comment 3 Chris Wilson 2015-01-02 09:27:20 UTC
(And some mb() to serialise the atomic-vs-read)
Comment 4 Chris Wilson 2015-01-03 20:31:20 UTC
*** Bug 88000 has been marked as a duplicate of this bug. ***
Comment 5 Jani Nikula 2015-01-07 12:13:17 UTC
Fixed by

commit e3e6efcd638d3caa18d9e89f235c7d6fc32c1f0b
Author: Chris Wilson <chris@chris-wilson.co.uk>
Date:   Fri Jan 2 09:47:10 2015 +0000

    drm/i915: Fix mutex->owner inspection race under DEBUG_MUTEXES

in drm-intel-fixes. Thanks for the report, and please reopen if the problem persists with that commit.
Comment 6 Jari Tahvanainen 2017-07-03 13:57:50 UTC
Closing >1 year old resolved+fixed.


Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.