Commit 6e068270 authored by Chris Wilson's avatar Chris Wilson Committed by Jani Nikula

drm/i915: Clear breadcrumb node when cancelling signaling

When we call intel_engine_cancel_signaling() to stop reporting when
a request is completed via an asynchronous signal, we remove that request
from the breadcrumb wait queue. However, we may be concurrently
processing that request in the signaler itself, the actual operations on
the request's node itself are serialised but we do not actually clear the
waiter after removing it from the tree allowing both parties to attempt
to do so and corrupting the rbtree. (Previously removing from the
breadcrumb wait queue could only be done on behalf of i915_wait_request,
so this race could not happen).
Reported-by: default avatar"He, Bo" <bo.he@intel.com>
Fixes: 9eb143bb ("drm/i915: Allow a request to be cancelled")
Signed-off-by: default avatarChris Wilson <chris@chris-wilson.co.uk>
Cc: "He, Bo" <bo.he@intel.com>
Cc: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
Cc: Michał Winiarski <michal.winiarski@intel.com>
Cc: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20171115121458.24655-1-chris@chris-wilson.co.ukReviewed-by: default avatarJoonas Lahtinen <joonas.lahtinen@linux.intel.com>
(cherry picked from commit c534612e)
Signed-off-by: default avatarJani Nikula <jani.nikula@intel.com>
parent dcd1d830
...@@ -517,6 +517,7 @@ static void __intel_engine_remove_wait(struct intel_engine_cs *engine, ...@@ -517,6 +517,7 @@ static void __intel_engine_remove_wait(struct intel_engine_cs *engine,
GEM_BUG_ON(RB_EMPTY_NODE(&wait->node)); GEM_BUG_ON(RB_EMPTY_NODE(&wait->node));
rb_erase(&wait->node, &b->waiters); rb_erase(&wait->node, &b->waiters);
RB_CLEAR_NODE(&wait->node);
out: out:
GEM_BUG_ON(b->irq_wait == wait); GEM_BUG_ON(b->irq_wait == wait);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment