From: Chris Wilson chris.p.wilson@intel.com
If the ring is nearly full when calling into emit_pte(), we might incorrectly trample the reserved_space when constructing the packet to emit the PTEs. This then triggers the GEM_BUG_ON(rq->reserved_space > ring->space) when later submitting the request, since the request itself doesn't have enough space left in the ring to emit things like workarounds, breadcrumbs etc.
v2: Fix the whitespace errors
Testcase: igt@i915_selftests@live_emit_pte_full_ring
Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/7535
Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/6889
Fixes: cf586021642d ("drm/i915/gt: Pipelined page migration")
Signed-off-by: Chris Wilson chris.p.wilson@intel.com
Signed-off-by: Matthew Auld matthew.auld@intel.com
Cc: Andrzej Hajda andrzej.hajda@intel.com
Cc: Andi Shyti andi.shyti@linux.intel.com
Cc: Nirmoy Das nirmoy.das@intel.com
Cc: stable@vger.kernel.org # v5.15+
Tested-by: Nirmoy Das nirmoy.das@intel.com
Reviewed-by: Nirmoy Das nirmoy.das@intel.com
---
drivers/gpu/drm/i915/gt/intel_migrate.c | 16 ++++++++++++----
1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/drivers/gpu/drm/i915/gt/intel_migrate.c b/drivers/gpu/drm/i915/gt/intel_migrate.c index b405a04135ca..b783f6f740c8 100644 --- a/drivers/gpu/drm/i915/gt/intel_migrate.c +++ b/drivers/gpu/drm/i915/gt/intel_migrate.c @@ -342,6 +342,16 @@ static int emit_no_arbitration(struct i915_request *rq) return 0; }
+static int max_pte_pkt_size(struct i915_request *rq, int pkt) +{ + struct intel_ring *ring = rq->ring; + + pkt = min_t(int, pkt, (ring->space - rq->reserved_space) / sizeof(u32) + 5); + pkt = min_t(int, pkt, (ring->size - ring->emit) / sizeof(u32) + 5); + + return pkt; +} + static int emit_pte(struct i915_request *rq, struct sgt_dma *it, enum i915_cache_level cache_level, @@ -388,8 +398,7 @@ static int emit_pte(struct i915_request *rq, return PTR_ERR(cs);
/* Pack as many PTE updates as possible into a single MI command */ - pkt = min_t(int, dword_length, ring->space / sizeof(u32) + 5); - pkt = min_t(int, pkt, (ring->size - ring->emit) / sizeof(u32) + 5); + pkt = max_pte_pkt_size(rq, dword_length);
hdr = cs; *cs++ = MI_STORE_DATA_IMM | REG_BIT(21); /* as qword elements */ @@ -422,8 +431,7 @@ static int emit_pte(struct i915_request *rq, } }
- pkt = min_t(int, dword_rem, ring->space / sizeof(u32) + 5); - pkt = min_t(int, pkt, (ring->size - ring->emit) / sizeof(u32) + 5); + pkt = max_pte_pkt_size(rq, dword_rem);
hdr = cs; *cs++ = MI_STORE_DATA_IMM | REG_BIT(21);
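Review bot: max_pte_pkt_size() computes `ring->space - rq->reserved_space` with no check that the reservation still fits, so the helper silently depends on the same condition that, per the commit message, GEM_BUG_ON(rq->reserved_space > ring->space) only tests later at submission. Asserting it inside the helper, or at least stating the invariant in a comment, would flag a violation at the point where the packet is sized rather than after the ring has been written. If the operands are u32, as the review reply assumes, a violation would wrap to a large value before min_t(int, ...) converts it. The `+ 5` carried over from the old open-coded clamp is also still unexplained and deserves a one-line comment now that it lives in a named helper.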
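Review bot: both replaced call sites in emit_pte() pass a dword count (dword_length, dword_rem) and store a dword count in pkt, yet the helper is named max_pte_pkt_size(), which reads as a byte size. Naming it for dwords, or documenting the unit in a comment above the helper, would make `pkt = max_pte_pkt_size(rq, dword_rem);` self-explanatory. The added lines no longer reference the `ring` local in emit_pte(), so it is worth confirming it still has other users in that function.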
Hi,
I messed up with versions, my prev comment landed in v2, so I put it here to clean things up.
On 02.12.2022 13:28, Matthew Auld wrote:
From: Chris Wilson chris.p.wilson@intel.com
If the ring is nearly full when calling into emit_pte(), we might incorrectly trample the reserved_space when constructing the packet to emit the PTEs. This then triggers the GEM_BUG_ON(rq->reserved_space > ring->space) when later submitting the request, since the request itself doesn't have enough space left in the ring to emit things like workarounds, breadcrumbs etc.
v2: Fix the whitespace errors
Testcase: igt@i915_selftests@live_emit_pte_full_ring
Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/7535
Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/6889
Fixes: cf586021642d ("drm/i915/gt: Pipelined page migration")
Signed-off-by: Chris Wilson chris.p.wilson@intel.com
Signed-off-by: Matthew Auld matthew.auld@intel.com
Cc: Andrzej Hajda andrzej.hajda@intel.com
Cc: Andi Shyti andi.shyti@linux.intel.com
Cc: Nirmoy Das nirmoy.das@intel.com
Cc: stable@vger.kernel.org # v5.15+
Tested-by: Nirmoy Das nirmoy.das@intel.com
Reviewed-by: Nirmoy Das nirmoy.das@intel.com
drivers/gpu/drm/i915/gt/intel_migrate.c | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/drivers/gpu/drm/i915/gt/intel_migrate.c b/drivers/gpu/drm/i915/gt/intel_migrate.c index b405a04135ca..b783f6f740c8 100644 --- a/drivers/gpu/drm/i915/gt/intel_migrate.c +++ b/drivers/gpu/drm/i915/gt/intel_migrate.c @@ -342,6 +342,16 @@ static int emit_no_arbitration(struct i915_request *rq) return 0; } +static int max_pte_pkt_size(struct i915_request *rq, int pkt) +{
- struct intel_ring *ring = rq->ring;
- pkt = min_t(int, pkt, (ring->space - rq->reserved_space) / sizeof(u32) + 5);
- pkt = min_t(int, pkt, (ring->size - ring->emit) / sizeof(u32) + 5);
- return pkt;
+}
I guess the assumption that subtractions of u32 values do not overflow is valid. Then I guess it would be more natural to use u32 for all vars involved; this way we can use min instead of min_t, minor nit.
Anyway: Reviewed-by: Andrzej Hajda andrzej.hajda@intel.com
Regards Andrzej
static int emit_pte(struct i915_request *rq, struct sgt_dma *it, enum i915_cache_level cache_level, @@ -388,8 +398,7 @@ static int emit_pte(struct i915_request *rq, return PTR_ERR(cs); /* Pack as many PTE updates as possible into a single MI command */
- pkt = min_t(int, dword_length, ring->space / sizeof(u32) + 5);
- pkt = min_t(int, pkt, (ring->size - ring->emit) / sizeof(u32) + 5);
- pkt = max_pte_pkt_size(rq, dword_length);
hdr = cs; *cs++ = MI_STORE_DATA_IMM | REG_BIT(21); /* as qword elements */ @@ -422,8 +431,7 @@ static int emit_pte(struct i915_request *rq, } }
pkt = min_t(int, dword_rem, ring->space / sizeof(u32) + 5);
pkt = min_t(int, pkt, (ring->size - ring->emit) / sizeof(u32) + 5);
pkt = max_pte_pkt_size(rq, dword_rem);
hdr = cs; *cs++ = MI_STORE_DATA_IMM | REG_BIT(21);
Hi Matt,
On Fri, Dec 02, 2022 at 12:28:42PM +0000, Matthew Auld wrote:
From: Chris Wilson chris.p.wilson@intel.com
If the ring is nearly full when calling into emit_pte(), we might incorrectly trample the reserved_space when constructing the packet to emit the PTEs. This then triggers the GEM_BUG_ON(rq->reserved_space > ring->space) when later submitting the request, since the request itself doesn't have enough space left in the ring to emit things like workarounds, breadcrumbs etc.
v2: Fix the whitespace errors
Testcase: igt@i915_selftests@live_emit_pte_full_ring
Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/7535
Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/6889
Fixes: cf586021642d ("drm/i915/gt: Pipelined page migration")
Signed-off-by: Chris Wilson chris.p.wilson@intel.com
Signed-off-by: Matthew Auld matthew.auld@intel.com
Cc: Andrzej Hajda andrzej.hajda@intel.com
Cc: Andi Shyti andi.shyti@linux.intel.com
Cc: Nirmoy Das nirmoy.das@intel.com
Cc: stable@vger.kernel.org # v5.15+
Tested-by: Nirmoy Das nirmoy.das@intel.com
Reviewed-by: Nirmoy Das nirmoy.das@intel.com
Reviewed-by: Andi Shyti andi.shyti@linux.intel.com
Thanks, Andi
linux-stable-mirror@lists.linaro.org