X freeze on i915_gem.c line 1478
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
linux (Ubuntu) |
Fix Released
|
High
|
Seth Forshee | ||
Lucid |
Fix Released
|
Undecided
|
Seth Forshee |
Bug Description
SRU Justification
Impact: The i915 driver is not holding references to DRM objects during eviction. Thus an object could be freed while i915 is still referencing it, which results in a kernel BUG and an xserver freeze.
Fix: Backport of upstream fix to hold references to objects during eviction and a related fix to object cleanup in the error paths.
Test case: Verified on LP #843904.
----
in linux-image-
[ 2319.730128] ------------[ cut here ]------------
[ 2319.730135] kernel BUG at /build/
[ 2319.730138] invalid opcode: 0000 [#1] SMP
[ 2319.730141] last sysfs file: /sys/devices/
[ 2319.730143] CPU 0
[ 2319.730145] Modules linked in: btrfs zlib_deflate crc32c libcrc32c ufs qnx4 hfsplus hfs minix ntfs vfat msdos fat jfs xfs exportfs reiserfs ipt_MASQUERADE iptable_nat nf_nat nf_conntrack_ipv4 nf_conntrack nf_defrag_ipv4 bridge stp sha256_generic cryptd aes_x86_64 aes_generic dm_crypt iptable_filter ip_tables x_tables binfmt_misc ppdev vboxnetadp vboxnetflt vboxdrv joydev snd_hda_
[ 2319.730199] Pid: 2010, comm: compiz Not tainted 2.6.32-34-generic #76-Ubuntu 28477MG
[ 2319.730201] RIP: 0010:[<
[ 2319.730220] RSP: 0018:ffff880120
[ 2319.730222] RAX: 0000000000000000 RBX: ffff8800b396bc00 RCX: 01000000000000c1
[ 2319.730224] RDX: 0000000000000026 RSI: 0000000000000000 RDI: ffff880139671d80
[ 2319.730226] RBP: ffff880120417a58 R08: 0000000000000000 R09: dead000000100100
[ 2319.730228] R10: dead000000200200 R11: dead000000100100 R12: ffff8800b396bc00
[ 2319.730231] R13: ffff880139671d80 R14: 0000000002e31000 R15: ffff880139e3afb0
[ 2319.730234] FS: 00007fb8ea22c76
[ 2319.730236] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[ 2319.730238] CR2: 00007f9dc57ce000 CR3: 0000000127dc3000 CR4: 00000000000406f0
[ 2319.730240] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 2319.730242] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[ 2319.730245] Process compiz (pid: 2010, threadinfo ffff880120416000, task ffff880128b996f0)
[ 2319.730247] Stack:
[ 2319.730248] 0000000000000000 ffff8800b396bc00 ffff880139671d80 ffff880139e0d800
[ 2319.730252] <0> ffff880120417a88 ffffffffa0088921 ffff8800b396bc00 ffff880120417aa8
[ 2319.730256] <0> ffff880120417a78 ffff880120417ab8 ffff880120417af8 ffffffffa008dc81
[ 2319.730260] Call Trace:
[ 2319.730271] [<ffffffffa0088
[ 2319.730281] [<ffffffffa008d
[ 2319.730291] [<ffffffffa0087
[ 2319.730301] [<ffffffffa0089
[ 2319.730311] [<ffffffffa008a
[ 2319.730320] [<ffffffffa008b
[ 2319.730330] [<ffffffffa0084
[ 2319.730335] [<ffffffff8134b
[ 2319.730353] [<ffffffffa0034
[ 2319.730363] [<ffffffffa008c
[ 2319.730373] [<ffffffffa008d
[ 2319.730382] [<ffffffffa002d
[ 2319.730392] [<ffffffffa008a
[ 2319.730402] [<ffffffffa008c
[ 2319.730407] [<ffffffff81112
[ 2319.730411] [<ffffffff81154
[ 2319.730414] [<ffffffff81154
[ 2319.730418] [<ffffffff81545
[ 2319.730421] [<ffffffff81154
[ 2319.730426] [<ffffffff81012
[ 2319.730428] Code: 0a e1 eb de 66 0f 1f 84 00 00 00 00 00 e8 2b 7b 00 00 83 bb c4 00 00 00 01 0f 85 2a ff ff ff c7 43 54 00 00 00 00 e9 1e ff ff ff <0f> 0b eb fe 0f 0b eb fe 66 2e 0f 1f 84 00 00 00 00 00 55 48 89
[ 2319.730460] RIP [<ffffffffa0086
[ 2319.730469] RSP <ffff880120417a38>
[ 2319.730472] ---[ end trace 0b520cfaddb649d0 ]---
This is reproducible, and did not happen in 2.6.32-32-generic.
ProblemType: Bug
DistroRelease: Ubuntu 10.04
Package: linux-image-
Regression: Yes
Reproducible: Yes
ProcVersionSign
Uname: Linux 2.6.32-34-generic x86_64
AlsaVersion: Advanced Linux Sound Architecture Driver Version 1.0.21.
AplayDevices: Error: [Errno 2] No such file or directory
Architecture: amd64
ArecordDevices: Error: [Errno 2] No such file or directory
AudioDevicesInUse:
USER PID ACCESS COMMAND
/dev/snd/
CRDA: Error: [Errno 2] No such file or directory
Card0.Amixer.info: Error: [Errno 2] No such file or directory
Card0.Amixer.
Date: Wed Sep 7 15:42:24 2011
EcryptfsInUse: Yes
HibernationDevice: RESUME=
MachineType: LENOVO 28477MG
ProcCmdLine: BOOT_IMAGE=
RelatedPackageV
RfKill:
0: phy0: Wireless LAN
Soft blocked: no
Hard blocked: no
SourcePackage: linux
dmi.bios.date: 06/24/2010
dmi.bios.vendor: LENOVO
dmi.bios.version: 6JET81WW (1.39 )
dmi.board.name: 28477MG
dmi.board.vendor: LENOVO
dmi.board.version: Not Available
dmi.chassis.
dmi.chassis.type: 10
dmi.chassis.vendor: LENOVO
dmi.chassis.
dmi.modalias: dmi:bvnLENOVO:
dmi.product.name: 28477MG
dmi.product.
dmi.sys.vendor: LENOVO
Changed in linux (Ubuntu): | |
status: | New → Confirmed |
Changed in linux (Ubuntu): | |
status: | Incomplete → In Progress |
description: | updated |
Changed in linux (Ubuntu): | |
status: | In Progress → Fix Released |
Changed in linux (Ubuntu Lucid): | |
status: | New → Fix Committed |
assignee: | nobody → Seth Forshee (sforshee) |
It looks like we may need to backport this fix from upstream. I'll look into the backport when I get time.
commit af6261031317f64 6d22f994c0b4675 21e47aa49f
Author: Chris Wilson <email address hidden>
Date: Mon Sep 20 10:31:40 2010 +0100
drm/i915: Hold a reference to the object whilst unbinding the eviction list
During heavy aperture thrashing we may be forced to wait upon several active
objects during eviction. The active list may be the last reference to
these objects and so the action of waiting upon one of them may cause
another to be freed (and itself unbound). To prevent the object
disappearing underneath us, we need to acquire and hold a reference
whilst unbinding.
This should fix the reported page refcount OOPS:
kernel BUG at drivers/ gpu/drm/ i915/i915_ gem.c:1444! ffffffffa009302 6>] [<ffffffffa0093 026>] i915_gem_ object_ put_pages+ 0x25/0 ffffffffa009481 d>] i915_gem_ object_ unbind+ 0xc5/0x1a7 [i915] ffffffffa0098ab 2>] i915_gem_ evict_something +0x3bd/ 0x409 [i915] ffffffffa002792 3>] ? drm_gem_ object_ lookup+ 0x27/0x57 [drm] ffffffffa0093bc 3>] i915_gem_ object_ bind_to_ gtt+0x1d3/ 0x279 [i915] ffffffffa0095b3 0>] i915_gem_ object_ pin+0xa3/ 0x146 [i915] ffffffffa002794 8>] ? drm_gem_ object_ lookup+ 0x4c/0x57 [drm] ffffffffa00961b c>] i915_gem_ do_execbuffer+ 0x50d/0xe32 [i915]
...
RIP: 0010:[<
Call Trace:
[<
[<
[<
[<
[<
[<
[<
Reported-by: Shawn Starr <email address hidden> /bugzilla. kernel. org/show_ bug.cgi? id=18902
Bugzilla: https:/
Signed-off-by: Chris Wilson <email address hidden>