From: Niranjana Vishwanathapura <niranjana.vishwanathapura@intel.com>
To: Matthew Brost <matthew.brost@intel.com>
Cc: <intel-xe@lists.freedesktop.org>,
<dri-devel@lists.freedesktop.org>,
<umesh.nerlige.ramappa@intel.com>, <christian.koenig@amd.com>,
<pstanner@redhat.com>, <dakr@kernel.org>
Subject: Re: [PATCH v4 6/8] drm/xe: Do not deregister queues in TDR
Date: Thu, 20 Nov 2025 11:50:32 -0800 [thread overview]
Message-ID: <aR9xCKn3MCEOt1Hl@nvishwa1-desk> (raw)
In-Reply-To: <20251119224106.3733883-7-matthew.brost@intel.com>
On Wed, Nov 19, 2025 at 02:41:04PM -0800, Matthew Brost wrote:
>Deregistering queues in the TDR introduces unnecessary complexity,
>requiring reference-counting techniques to function correctly,
>particularly to prevent use-after-free (UAF) issues while a
>deregistration initiated from the TDR is in progress.
>
>All that's needed in the TDR is to kick the queue off the hardware,
>which is achieved by disabling scheduling. Queue deregistration should
>be handled in a single, well-defined point in the cleanup path, tied to
>the queue's reference count.
>
>v4:
> - Explain why extra ref were needed prior to this patch (Niranjana)
>
>Signed-off-by: Matthew Brost <matthew.brost@intel.com>
>---
> drivers/gpu/drm/xe/xe_guc_submit.c | 65 +++++-------------------------
> 1 file changed, 9 insertions(+), 56 deletions(-)
>
>diff --git a/drivers/gpu/drm/xe/xe_guc_submit.c b/drivers/gpu/drm/xe/xe_guc_submit.c
>index 648c9ea06749..5de300b66767 100644
>--- a/drivers/gpu/drm/xe/xe_guc_submit.c
>+++ b/drivers/gpu/drm/xe/xe_guc_submit.c
>@@ -69,9 +69,8 @@ exec_queue_to_guc(struct xe_exec_queue *q)
> #define EXEC_QUEUE_STATE_WEDGED (1 << 8)
> #define EXEC_QUEUE_STATE_BANNED (1 << 9)
> #define EXEC_QUEUE_STATE_CHECK_TIMEOUT (1 << 10)
>-#define EXEC_QUEUE_STATE_EXTRA_REF (1 << 11)
>-#define EXEC_QUEUE_STATE_PENDING_RESUME (1 << 12)
>-#define EXEC_QUEUE_STATE_PENDING_TDR_EXIT (1 << 13)
>+#define EXEC_QUEUE_STATE_PENDING_RESUME (1 << 11)
>+#define EXEC_QUEUE_STATE_PENDING_TDR_EXIT (1 << 12)
>
> static bool exec_queue_registered(struct xe_exec_queue *q)
> {
>@@ -218,21 +217,6 @@ static void clear_exec_queue_check_timeout(struct xe_exec_queue *q)
> atomic_and(~EXEC_QUEUE_STATE_CHECK_TIMEOUT, &q->guc->state);
> }
>
>-static bool exec_queue_extra_ref(struct xe_exec_queue *q)
>-{
>- return atomic_read(&q->guc->state) & EXEC_QUEUE_STATE_EXTRA_REF;
>-}
>-
>-static void set_exec_queue_extra_ref(struct xe_exec_queue *q)
>-{
>- atomic_or(EXEC_QUEUE_STATE_EXTRA_REF, &q->guc->state);
>-}
>-
>-static void clear_exec_queue_extra_ref(struct xe_exec_queue *q)
>-{
>- atomic_and(~EXEC_QUEUE_STATE_EXTRA_REF, &q->guc->state);
>-}
>-
> static bool exec_queue_pending_resume(struct xe_exec_queue *q)
> {
> return atomic_read(&q->guc->state) & EXEC_QUEUE_STATE_PENDING_RESUME;
>@@ -1190,25 +1174,6 @@ static void disable_scheduling(struct xe_exec_queue *q, bool immediate)
> G2H_LEN_DW_SCHED_CONTEXT_MODE_SET, 1);
> }
>
>-static void __deregister_exec_queue(struct xe_guc *guc, struct xe_exec_queue *q)
>-{
>- u32 action[] = {
>- XE_GUC_ACTION_DEREGISTER_CONTEXT,
>- q->guc->id,
>- };
>-
>- xe_gt_assert(guc_to_gt(guc), !exec_queue_destroyed(q));
>- xe_gt_assert(guc_to_gt(guc), exec_queue_registered(q));
>- xe_gt_assert(guc_to_gt(guc), !exec_queue_pending_enable(q));
>- xe_gt_assert(guc_to_gt(guc), !exec_queue_pending_disable(q));
>-
>- set_exec_queue_destroyed(q);
>- trace_xe_exec_queue_deregister(q);
>-
>- xe_guc_ct_send(&guc->ct, action, ARRAY_SIZE(action),
>- G2H_LEN_DW_DEREGISTER_CONTEXT, 1);
>-}
>-
> static enum drm_gpu_sched_stat
> guc_exec_queue_timedout_job(struct drm_sched_job *drm_job)
> {
>@@ -1225,6 +1190,7 @@ guc_exec_queue_timedout_job(struct drm_sched_job *drm_job)
> bool wedged = false, skip_timeout_check;
>
> xe_gt_assert(guc_to_gt(guc), !xe_exec_queue_is_lr(q));
>+ xe_gt_assert(guc_to_gt(guc), !exec_queue_destroyed(q));
Is it always guaranteed? What if we get here because TDR is triggered
by some error notification from the GuC and befor we get here, the
exec_queue gets destroyed in the CLEANUP message handler? I am not
sure we can we be sure here that it will be race proof.
Niranjana
>
> /*
> * TDR has fired before free job worker. Common if exec queue
>@@ -1241,8 +1207,7 @@ guc_exec_queue_timedout_job(struct drm_sched_job *drm_job)
>
> /* Must check all state after stopping scheduler */
> skip_timeout_check = exec_queue_reset(q) ||
>- exec_queue_killed_or_banned_or_wedged(q) ||
>- exec_queue_destroyed(q);
>+ exec_queue_killed_or_banned_or_wedged(q);
>
> /*
> * If devcoredump not captured and GuC capture for the job is not ready
>@@ -1271,13 +1236,13 @@ guc_exec_queue_timedout_job(struct drm_sched_job *drm_job)
> wedged = guc_submit_hint_wedged(exec_queue_to_guc(q));
>
> /* Engine state now stable, disable scheduling to check timestamp */
>- if (!wedged && exec_queue_registered(q)) {
>+ if (!wedged && (exec_queue_enabled(q) || exec_queue_pending_disable(q))) {
> int ret;
>
> if (exec_queue_reset(q))
> err = -EIO;
>
>- if (!exec_queue_destroyed(q) && xe_uc_fw_is_running(&guc->fw)) {
>+ if (xe_uc_fw_is_running(&guc->fw)) {
> /*
> * Wait for any pending G2H to flush out before
> * modifying state
>@@ -1327,8 +1292,6 @@ guc_exec_queue_timedout_job(struct drm_sched_job *drm_job)
> xe_devcoredump(q, job,
> "Schedule disable failed to respond, guc_id=%d, ret=%d, guc_read=%d",
> q->guc->id, ret, xe_guc_read_stopped(guc));
>- set_exec_queue_extra_ref(q);
>- xe_exec_queue_get(q); /* GT reset owns this */
> set_exec_queue_banned(q);
> xe_gt_reset_async(q->gt);
> xe_sched_tdr_queue_imm(sched);
>@@ -1381,13 +1344,7 @@ guc_exec_queue_timedout_job(struct drm_sched_job *drm_job)
> }
> }
>
>- /* Finish cleaning up exec queue via deregister */
> set_exec_queue_banned(q);
>- if (!wedged && exec_queue_registered(q) && !exec_queue_destroyed(q)) {
>- set_exec_queue_extra_ref(q);
>- xe_exec_queue_get(q);
>- __deregister_exec_queue(guc, q);
>- }
>
> /* Mark all outstanding jobs as bad, thus completing them */
> xe_sched_job_set_error(job, err);
>@@ -1933,7 +1890,7 @@ static void guc_exec_queue_stop(struct xe_guc *guc, struct xe_exec_queue *q)
>
> /* Clean up lost G2H + reset engine state */
> if (exec_queue_registered(q)) {
>- if (exec_queue_extra_ref(q) || xe_exec_queue_is_lr(q))
>+ if (xe_exec_queue_is_lr(q))
> xe_exec_queue_put(q);
> else if (exec_queue_destroyed(q))
> __guc_exec_queue_destroy(guc, q);
>@@ -2067,11 +2024,7 @@ static void guc_exec_queue_revert_pending_state_change(struct xe_guc *guc,
>
> if (exec_queue_destroyed(q) && exec_queue_registered(q)) {
> clear_exec_queue_destroyed(q);
>- if (exec_queue_extra_ref(q))
>- xe_exec_queue_put(q);
>- else
>- q->guc->needs_cleanup = true;
>- clear_exec_queue_extra_ref(q);
>+ q->guc->needs_cleanup = true;
> xe_gt_dbg(guc_to_gt(guc), "Replay CLEANUP - guc_id=%d",
> q->guc->id);
> }
>@@ -2488,7 +2441,7 @@ static void handle_deregister_done(struct xe_guc *guc, struct xe_exec_queue *q)
>
> clear_exec_queue_registered(q);
>
>- if (exec_queue_extra_ref(q) || xe_exec_queue_is_lr(q))
>+ if (xe_exec_queue_is_lr(q))
> xe_exec_queue_put(q);
> else
> __guc_exec_queue_destroy(guc, q);
>--
>2.34.1
>
next prev parent reply other threads:[~2025-11-20 19:50 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-11-19 22:40 [PATCH v4 0/8] Fix DRM scheduler layering violations in Xe Matthew Brost
2025-11-19 22:40 ` [PATCH v4 1/8] drm/sched: Add several job helpers to avoid drivers touching scheduler state Matthew Brost
2025-11-20 17:20 ` Niranjana Vishwanathapura
2025-11-19 22:41 ` [PATCH v4 2/8] drm/sched: Add pending job list iterator Matthew Brost
2025-11-20 17:21 ` Niranjana Vishwanathapura
2025-11-19 22:41 ` [PATCH v4 3/8] drm/xe: Add dedicated message lock Matthew Brost
2025-11-19 22:41 ` [PATCH v4 4/8] drm/xe: Stop abusing DRM scheduler internals Matthew Brost
2025-11-20 17:26 ` Niranjana Vishwanathapura
2025-11-19 22:41 ` [PATCH v4 5/8] drm/xe: Only toggle scheduling in TDR if GuC is running Matthew Brost
2025-11-20 19:48 ` Niranjana Vishwanathapura
2025-11-21 22:06 ` Matthew Brost
2025-11-21 23:52 ` Niranjana Vishwanathapura
2025-11-19 22:41 ` [PATCH v4 6/8] drm/xe: Do not deregister queues in TDR Matthew Brost
2025-11-20 19:50 ` Niranjana Vishwanathapura [this message]
2025-11-21 21:25 ` Matthew Brost
2025-11-21 23:51 ` Niranjana Vishwanathapura
2025-11-19 22:41 ` [PATCH v4 7/8] drm/xe: Remove special casing for LR queues in submission Matthew Brost
2025-11-20 18:53 ` Niranjana Vishwanathapura
2025-11-19 22:41 ` [PATCH v4 8/8] drm/xe: Avoid toggling schedule state to check LRC timestamp in TDR Matthew Brost
2025-11-20 20:33 ` Umesh Nerlige Ramappa
2025-11-21 21:33 ` Matthew Brost
2025-11-25 1:06 ` Umesh Nerlige Ramappa
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aR9xCKn3MCEOt1Hl@nvishwa1-desk \
--to=niranjana.vishwanathapura@intel.com \
--cc=christian.koenig@amd.com \
--cc=dakr@kernel.org \
--cc=dri-devel@lists.freedesktop.org \
--cc=intel-xe@lists.freedesktop.org \
--cc=matthew.brost@intel.com \
--cc=pstanner@redhat.com \
--cc=umesh.nerlige.ramappa@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox