Quoting Joonas Lahtinen (2017-11-16 11:08:18)
> On Wed, 2017-11-15 at 12:14 +0000, Chris Wilson wrote:
> > When we call intel_engine_cancel_signaling() to stop reporting whether
> > or not a request is completed via an asynchronous signal, we remove that
> > request from the breadcrumb wait queue. However, we may be concurrently
> > processing that request in the signaler itself, the actual operations on
> > the request itself are serialised but we do not actually clear the
> > waiter after removing it from the tree allowing both parties to attempt
> > to do so and corrupting the rbtree. (Elsewhere removing from the
> > breadcrumb wait queue could only be done on behalf of i915_wait_request,
> > so this race could not happen).
> >
> > Reported-by: "He, Bo" <bo.he@xxxxxxxxx>
> > Fixes: 9eb143bbec7d ("drm/i915: Allow a request to be cancelled")
> > Signed-off-by: Chris Wilson <chris@xxxxxxxxxxxxxxxxxx>
> > Cc: "He, Bo" <bo.he@xxxxxxxxx>
> > Cc: Tvrtko Ursulin <tvrtko.ursulin@xxxxxxxxx>
> > Cc: Michał Winiarski <michal.winiarski@xxxxxxxxx>
> > Cc: Joonas Lahtinen <joonas.lahtinen@xxxxxxxxxxxxxxx>
>
> Reviewed-by: Joonas Lahtinen <joonas.lahtinen@xxxxxxxxxxxxxxx>
Ta, I was debating how to wait for a t-b, but this is definitely a race
between canceling and signaling that needs to be fixed regardless.
Pushed,
-Chris
_______________________________________________
Intel-gfx mailing list
Intel-gfx@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/intel-gfx
