similar to: PR: nv50 IB-mode DMA crash fixes

Currently, NO_PREFETCH is passed implicitly through drm_nouveau_gem_pushbuf_push::length and drm_nouveau_exec_push::va_len. Since this is a direct representation of how the HW is programmed it isn't really future proof for a uAPI. Hence, fix this up for the new uAPI and split up the va_len field of struct drm_nouveau_exec_push, such that we keep 32bit for va_len and 32bit for flags. For

On Tue, Aug 22, 2023 at 6:41?PM Danilo Krummrich <dakr at redhat.com> wrote: > Currently, NO_PREFETCH is passed implicitly through > drm_nouveau_gem_pushbuf_push::length and drm_nouveau_exec_push::va_len. > > Since this is a direct representation of how the HW is programmed it > isn't really future proof for a uAPI. Hence, fix this up for the new > uAPI and split up

Currently, NO_PREFETCH is passed implicitly through drm_nouveau_gem_pushbuf_push::length and drm_nouveau_exec_push::va_len. Since this is a direct representation of how the HW is programmed it isn't really future proof for a uAPI. Hence, fix this up for the new uAPI and split up the va_len field of struct drm_nouveau_exec_push, such that we keep 32bit for va_len and 32bit for flags. For

On Sun, Dec 3, 2023 at 11:37?AM Monty Montgomery <xiphmont at gmail.com> wrote: > 1) The nv50 DMA code clearly believed push buffers could not (or > should not) exceed NV50_DMA_PUSH_MAX_LENGTH, when my analysis logging > shows that they regularly exceed this maximum by an order of magnitude > or more. Was the assumption originally true? If so, when/why did it > change? Is

nouveau_fence_emit() can fail before and after initializing the dma-fence and hence before and after initializing the dma-fence' kref. In order to avoid nouveau_fence_emit() potentially failing before dma-fence initialization pass the channel to nouveau_fence_new() already and perform the required check before even allocating the fence. While at it, restore the original behavior of

Commit "drm/nouveau: port all engines to new engine module format" changed IB size calculation to be less wasteful, but didn't take into account already existing off-by-one bugs :). So: - ib_max is the last entry, so we need to +1 when calculating number of free entries - nv50_dma_wait already does +1 (for FIRE_RING), so we don't need another +1 on nouveau_gem_ioctl_pushbuf

https://bugs.freedesktop.org/show_bug.cgi?id=100758 Bug ID: 100758 Summary: Kernel Oops when starting X nv50_dma_push Product: xorg Version: unspecified Hardware: x86-64 (AMD64) OS: Linux (All) Status: NEW Severity: normal Priority: medium Component: Driver/nouveau Assignee:

Date: Wed, 5 Apr 2023 18:38:54 +0200 The label ?out_prevalid? was used to jump to another pointer check despite of the detail in the implementation of the function ?nouveau_gem_ioctl_pushbuf? that it was determined already in one case that the corresponding variable contained an error pointer because of a failed call of the function ?u_memcpya?. Thus use an additional label. This issue was

Currently Nouveau will unvalidate all buffers if it is forced to wait on one, and then start revalidating from the beginning. While doing so, it destroys the operation fence, causing nouveau_fence_emit to crash. This patch fixes this bug by taking the fence object out of validate_op and creating it just before emit. The fence pointer is initialized to 0 and unref'ed unconditionally. In

We can't copy_*_user while holding reservations, that will (soon even for nouveau) lead to deadlocks. And it breaks the cross-driver contract around dma_resv. Fix this by adding a slowpath for when we need relocations, and by pushing the writeback of the new presumed offsets to the very end. Aside from "it compiles" entirely untested unfortunately. Signed-off-by: Daniel Vetter

On Wed, Aug 21, 2019 at 11:50:29PM +0200, Daniel Vetter wrote: > We can't copy_*_user while holding reservations, that will (soon even > for nouveau) lead to deadlocks. And it breaks the cross-driver > contract around dma_resv. > > Fix this by adding a slowpath for when we need relocations, and by > pushing the writeback of the new presumed offsets to the very end. >

On Mon, Nov 04, 2019 at 06:38:00PM +0100, Daniel Vetter wrote: > We can't copy_*_user while holding reservations, that will (soon even > for nouveau) lead to deadlocks. And it breaks the cross-driver > contract around dma_resv. > > Fix this by adding a slowpath for when we need relocations, and by > pushing the writeback of the new presumed offsets to the very end. >

We can't copy_*_user while holding reservations, that will (soon even for nouveau) lead to deadlocks. And it breaks the cross-driver contract around dma_resv. Fix this by adding a slowpath for when we need relocations, and by pushing the writeback of the new presumed offsets to the very end. Aside from "it compiles" entirely untested unfortunately. Signed-off-by: Daniel Vetter

We can't copy_*_user while holding reservations, that will (soon even for nouveau) lead to deadlocks. And it breaks the cross-driver contract around dma_resv. Fix this by adding a slowpath for when we need relocations, and by pushing the writeback of the new presumed offsets to the very end. Aside from "it compiles" entirely untested unfortunately. Signed-off-by: Daniel Vetter

We can't copy_*_user while holding reservations, that will (soon even for nouveau) lead to deadlocks. And it breaks the cross-driver contract around dma_resv. Fix this by adding a slowpath for when we need relocations, and by pushing the writeback of the new presumed offsets to the very end. Aside from "it compiles" entirely untested unfortunately. Signed-off-by: Daniel Vetter

Hello all, I am trying to debug an elusive memory corruption bug on my arm64 machine which appears to be in the nouveau driver. I got the following splat from the refcount debugging code: """ refcount_t: underflow; use-after-free. ------------[ cut here ]------------ WARNING: CPU: 0 PID: 3366 at lib/refcount.c:128 refcount_sub_and_test+0xe8/0x108 Modules linked in: fuse nouveau

From: Emil Velikov <emil.velikov at collabora.com> The authentication can be circumvented, by design, by using the render node. >From the driver POV there is no distinction between primary and render nodes, thus we can drop the token. Note: the outstanding DRM_AUTH instance is: - legacy DRI1 ioctl, which is already neutered Cc: Ben Skeggs <bskeggs at redhat.com> Cc: nouveau at

On Mon, 27 May 2019 at 09:19, Emil Velikov <emil.l.velikov at gmail.com> wrote: > > From: Emil Velikov <emil.velikov at collabora.com> > > The authentication can be circumvented, by design, by using the render > node. > > From the driver POV there is no distinction between primary and render > nodes, thus we can drop the token. > > Note: the outstanding

Greetings, Box is an aging generic i4790 + GTX-980 desktop. [ 1143.133663] ============================= [ 1143.133666] [ BUG: Invalid wait context ] [ 1143.133671] 5.9.0.g34d4ddd-preempt #2 Tainted: G S E [ 1143.133675] ----------------------------- [ 1143.133678] X/2015 is trying to lock: [ 1143.133682] ffff8d3e9efd63d8 (&zone->lock){..-.}-{3:3}, at:

https://bugs.freedesktop.org/show_bug.cgi?id=100431 Bug ID: 100431 Summary: nv50: memory corruption due to use-after-free of dma_fence Product: xorg Version: unspecified Hardware: ARM OS: Linux (All) Status: NEW Severity: major Priority: medium Component: