few tests - abort/dmesg-warn - BUG kmalloc-* Poison overwritten

added BAT_BUG feature: GEM platform: ADL_P platform: ATS-M1 platform: DG2 platform: LNL platform: PVC labels

A CI Bug Log filter associated to this bug has been updated by Vinay.

Description: ADL_P ATS_M DG2 LNL PVC: few tests - abort/dmesg-warn - BUG kmalloc-* Poison overwritten

Equivalent query: runconfig_tag IS IN ["xe"] AND machine_tag IS IN ["DG2", "ATSM-HW", "PVC", "256EU", "LNL", "ADL-P"] AND ((testsuite_name = "IGT" AND test_name IS IN ["igt@xe_exec_threads@threads-mixed-shared-vm-userptr-invalidate-race", "igt@kms_color@invalid-gamma-lut-sizes", "igt@xe_exec_threads@threads-hang-fd-userptr-rebind", "igt@kms_flip@flip-vs-blocking-wf-vblank", "igt@kms_vblank@crtc-id@pipe-a-edp-1", "igt@kms_big_fb@y-tiled-max-hw-stride-32bpp-rotate-0-async-flip", "igt@kms_atomic_transition@plane-all-transition-fencing@pipe-a-edp-1", "igt@kms_cursor_crc@cursor-onscreen-64x21@pipe-d-hdmi-a-1", "igt@xe_exec_threads@threads-mixed-userptr-invalidate", "igt@kms_cursor_crc@cursor-offscreen-64x64@pipe-a-hdmi-a-6", "igt@kms_flip@flip-vs-wf_vblank-interruptible@b-hdmi-a6", "igt@xe_exec_threads@threads-bal-shared-vm-rebind", "igt@kms_frontbuffer_tracking@fbc-tiling-linear", "igt@kms_universal_plane@universal-plane-functional@pipe-a-hdmi-a-6", "igt@kms_frontbuffer_tracking@psr-1p-primscrn-spr-indfb-move", "igt@kms_color@invalid-gamma-lut-sizes@pipe-a", "igt@kms_cursor_crc@cursor-dpms@pipe-a-hdmi-a-6", "igt@xe_ccs@suspend-resume", "igt@kms_psr@fbc-psr2-sprite-plane-move", "igt@kms_cursor_crc@cursor-dpms", "igt@xe_exec_threads@threads-bal-mixed-fd-basic", "igt@kms_async_flips@async-flip-with-page-flip-events", "igt@xe_exec_basic@many-execqueues-many-vm-userptr-invalidate", "igt@xe_exec_fault_mode@many-execqueues-basic-prefetch", "igt@kms_vblank@crtc-id", "igt@kms_mmap_write_crc@main@pipe-a-hdmi-a-6", "igt@kms_atomic_transition@plane-all-transition-fencing", "igt@kms_lease@setcrtc-implicit-plane", "igt@kms_frontbuffer_tracking@fbc-1p-primscrn-pri-indfb-draw-blt", "igt@xe_ccs@suspend-resume@linear-compressed-compfmt0-system-vram01", "igt@kms_cursor_crc@cursor-offscreen-64x64", "igt@kms_async_flips@crc", "igt@kms_hdr@bpc-switch-suspend@pipe-a-hdmi-a-6", "igt@kms_async_flips@async-flip-with-page-flip-events@pipe-a-hdmi-a-6-4-mc-ccs", "igt@kms_color@invalid-gamma-lut-sizes@pipe-c", "igt@kms_async_flips@crc@pipe-a-hdmi-a-6", "igt@xe_exec_basic@many-execqueues-bindexecqueue-userptr-rebind", "igt@kms_mmap_write_crc@main@pipe-a-edp-1", "igt@kms_cursor_crc@cursor-random-128x128@pipe-a-hdmi-a-1", "igt@kms_psr@fbc-psr2-sprite-plane-move@edp-1", "igt@kms_cursor_crc@cursor-random-128x128", "igt@xe_exec_threads@threads-mixed-fd-basic", "igt@kms_frontbuffer_tracking@fbc-1p-primscrn-cur-indfb-draw-blt", "igt@kms_flip@busy-flip@a-edp1", "igt@kms_universal_plane@universal-plane-functional", "igt@xe_pm@s4-vm-bind-unbind-all", "igt@kms_hdr@bpc-switch-suspend", "igt@kms_frontbuffer_tracking@fbc-1p-pri-indfb-multidraw", "igt@kms_frontbuffer_tracking@fbc-1p-primscrn-shrfb-msflip-blt", "igt@kms_vblank@query-idle-hang@pipe-a-edp-1", "igt@kms_color@ctm-negative@pipe-a", "igt@kms_frontbuffer_tracking@fbcpsr-1p-primscrn-shrfb-plflip-blt", "igt@kms_color@ctm-negative@pipe-b", "igt@kms_flip@flip-vs-blocking-wf-vblank@a-hdmi-a6", "igt@kms_frontbuffer_tracking@fbc-rgb101010-draw-mmap-wc", "igt@kms_flip@2x-dpms-vs-vblank-race", "igt@xe_exec_basic@multigpu-many-execqueues-many-vm-rebind", "igt@kms_universal_plane@universal-plane-functional@pipe-a-hdmi-a-1", "igt@xe_exec_balancer@once-cm-virtual-userptr", "igt@kms_frontbuffer_tracking@fbc-2p-primscrn-spr-indfb-draw-blt", "igt@kms_universal_plane@universal-plane-functional@pipe-b-dp-4", "igt@kms_force_connector_basic@force-connector-state", "igt@kms_universal_plane@universal-plane-pageflip-windowed@pipe-a-hdmi-a-6", "igt@kms_vblank@query-idle-hang", "igt@xe_exec_compute_mode@twice-bindexecqueue-userptr", "igt@kms_lease@setcrtc-implicit-plane@pipe-a-hdmi-a-6", "igt@xe_exec_threads@threads-userptr", "igt@kms_mmap_write_crc@main", "igt@kms_flip@busy-flip", "igt@xe_exec_threads@threads-shared-vm-userptr-rebind", "igt@kms_frontbuffer_tracking@fbc-1p-offscren-pri-indfb-draw-blt", "igt@xe_pm_residency@toggle-gt-c6", "igt@kms_async_flips@async-flip-with-page-flip-events@pipe-a-edp-1-4", "igt@kms_frontbuffer_tracking@fbcpsr-1p-primscrn-pri-indfb-draw-mmap-wc", "igt@xe_exec_store@basic-store", "igt@xe_exec_balancer@many-cm-parallel-userptr", "igt@kms_cursor_crc@cursor-onscreen-64x21", "igt@xe_compute@ccs-mode-basic", "igt@kms_flip@flip-vs-wf_vblank-interruptible", "igt@xe_exec_compute_mode@twice-rebind", "igt@kms_async_flips@crc@pipe-a-edp-1", "igt@kms_universal_plane@universal-plane-pageflip-windowed", "igt@xe_exec_fault_mode@twice-userptr-invalidate-prefetch", "igt@kms_color@gamma", "igt@kms_color@gamma@pipe-b", "igt@kms_color@ctm-negative"])) AND ((testsuite_name = "IGT" AND status_name IS IN ["abort", "dmesg-warn"])) AND dmesg ~= 'BUG kmalloc-.* Poison overwritten'

New failures caught by the filter:

A CI Bug Log filter associated to this bug has been updated by Vinay.

Description: ADL_P ATS_M DG2 LNL PVC: few tests - abort/dmesg-warn - BUG kmalloc-* Poison overwritten

Equivalent query: runconfig_tag IS IN ["xe"] AND machine_tag IS IN ["DG2", "ATSM-HW", "PVC", "256EU", "LNL", "ADL-P"] AND ((testsuite_name = "IGT" AND test_name IS IN ["igt@xe_exec_threads@threads-mixed-shared-vm-userptr-invalidate-race", "igt@kms_color@invalid-gamma-lut-sizes", "igt@xe_exec_threads@threads-hang-fd-userptr-rebind", "igt@kms_flip@flip-vs-blocking-wf-vblank", "igt@kms_vblank@crtc-id@pipe-a-edp-1", "igt@kms_big_fb@y-tiled-max-hw-stride-32bpp-rotate-0-async-flip", "igt@kms_atomic_transition@plane-all-transition-fencing@pipe-a-edp-1", "igt@kms_cursor_crc@cursor-onscreen-64x21@pipe-d-hdmi-a-1", "igt@xe_exec_threads@threads-mixed-userptr-invalidate", "igt@kms_cursor_crc@cursor-offscreen-64x64@pipe-a-hdmi-a-6", "igt@kms_flip@flip-vs-wf_vblank-interruptible@b-hdmi-a6", "igt@xe_exec_threads@threads-bal-shared-vm-rebind", "igt@kms_frontbuffer_tracking@fbc-tiling-linear", "igt@kms_universal_plane@universal-plane-functional@pipe-a-hdmi-a-6", "igt@xe_exec_threads@threads-mixed-shared-vm-basic", "igt@kms_frontbuffer_tracking@psr-1p-primscrn-spr-indfb-move", "igt@kms_color@invalid-gamma-lut-sizes@pipe-a", "igt@kms_cursor_crc@cursor-dpms@pipe-a-hdmi-a-6", "igt@xe_ccs@suspend-resume", "igt@kms_psr@fbc-psr2-sprite-plane-move", "igt@kms_cursor_crc@cursor-dpms", "igt@xe_exec_threads@threads-bal-mixed-fd-basic", "igt@kms_async_flips@async-flip-with-page-flip-events", "igt@xe_exec_basic@many-execqueues-many-vm-userptr-invalidate", "igt@xe_exec_fault_mode@many-execqueues-basic-prefetch", "igt@kms_vblank@crtc-id", "igt@kms_mmap_write_crc@main@pipe-a-hdmi-a-6", "igt@kms_atomic_transition@plane-all-transition-fencing", "igt@kms_lease@setcrtc-implicit-plane", "igt@kms_frontbuffer_tracking@fbc-1p-primscrn-pri-indfb-draw-blt", "igt@xe_ccs@suspend-resume@linear-compressed-compfmt0-system-vram01", "igt@kms_cursor_crc@cursor-offscreen-64x64", "igt@kms_async_flips@crc", "igt@kms_hdr@bpc-switch-suspend@pipe-a-hdmi-a-6", "igt@kms_async_flips@async-flip-with-page-flip-events@pipe-a-hdmi-a-6-4-mc-ccs", "igt@kms_color@invalid-gamma-lut-sizes@pipe-c", "igt@kms_async_flips@crc@pipe-a-hdmi-a-6", "igt@xe_exec_basic@many-execqueues-bindexecqueue-userptr-rebind", "igt@kms_mmap_write_crc@main@pipe-a-edp-1", "igt@kms_cursor_crc@cursor-random-128x128@pipe-a-hdmi-a-1", "igt@kms_psr@fbc-psr2-sprite-plane-move@edp-1", "igt@kms_cursor_crc@cursor-random-128x128", "igt@xe_exec_threads@threads-mixed-fd-basic", "igt@kms_frontbuffer_tracking@fbc-1p-primscrn-cur-indfb-draw-blt", "igt@kms_flip@busy-flip@a-edp1", "igt@kms_universal_plane@universal-plane-functional", "igt@xe_pm@s4-vm-bind-unbind-all", "igt@kms_hdr@bpc-switch-suspend", "igt@kms_frontbuffer_tracking@fbc-1p-pri-indfb-multidraw", "igt@kms_frontbuffer_tracking@fbc-1p-primscrn-shrfb-msflip-blt", "igt@kms_vblank@query-idle-hang@pipe-a-edp-1", "igt@kms_color@ctm-negative@pipe-a", "igt@kms_frontbuffer_tracking@fbcpsr-1p-primscrn-shrfb-plflip-blt", "igt@kms_color@ctm-negative@pipe-b", "igt@kms_flip@flip-vs-blocking-wf-vblank@a-hdmi-a6", "igt@kms_frontbuffer_tracking@fbc-rgb101010-draw-mmap-wc", "igt@kms_flip@2x-dpms-vs-vblank-race", "igt@xe_exec_basic@multigpu-many-execqueues-many-vm-rebind", "igt@kms_universal_plane@universal-plane-functional@pipe-a-hdmi-a-1", "igt@xe_exec_balancer@once-cm-virtual-userptr", "igt@kms_frontbuffer_tracking@fbc-2p-primscrn-spr-indfb-draw-blt", "igt@kms_universal_plane@universal-plane-functional@pipe-b-dp-4", "igt@kms_force_connector_basic@force-connector-state", "igt@kms_universal_plane@universal-plane-pageflip-windowed@pipe-a-hdmi-a-6", "igt@kms_vblank@query-idle-hang", "igt@xe_exec_compute_mode@twice-bindexecqueue-userptr", "igt@kms_lease@setcrtc-implicit-plane@pipe-a-hdmi-a-6", "igt@xe_exec_threads@threads-userptr", "igt@kms_mmap_write_crc@main", "igt@kms_flip@busy-flip", "igt@xe_exec_threads@threads-shared-vm-userptr-rebind", "igt@kms_frontbuffer_tracking@fbc-1p-offscren-pri-indfb-draw-blt", "igt@xe_pm_residency@toggle-gt-c6", "igt@kms_async_flips@async-flip-with-page-flip-events@pipe-a-edp-1-4", "igt@kms_frontbuffer_tracking@fbcpsr-1p-primscrn-pri-indfb-draw-mmap-wc", "igt@xe_exec_store@basic-store", "igt@xe_exec_balancer@many-cm-parallel-userptr", "igt@kms_cursor_crc@cursor-onscreen-64x21", "igt@xe_compute@ccs-mode-basic", "igt@kms_flip@flip-vs-wf_vblank-interruptible", "igt@xe_exec_compute_mode@twice-rebind", "igt@kms_async_flips@crc@pipe-a-edp-1", "igt@kms_universal_plane@universal-plane-pageflip-windowed", "igt@xe_exec_fault_mode@twice-userptr-invalidate-prefetch", "igt@kms_color@gamma", "igt@kms_color@gamma@pipe-b", "igt@kms_color@ctm-negative"])) AND ((testsuite_name = "IGT" AND status_name IS IN ["abort", "dmesg-warn"])) AND dmesg ~= 'BUG kmalloc-.* Poison overwritten'

New failures caught by the filter:

https://intel-gfx-ci.01.org/tree/intel-xe/xe-1324-e6f323721ccff14f9043937533c2b76d712b40c8/bat-lnl-1/igt@xe_exec_threads@threads-mixed-shared-vm-basic.html

A CI Bug Log filter associated to this bug has been updated by Vinay.

Description: ADL_P ATS_M DG2 LNL PVC: few tests - abort/dmesg-warn - BUG kmalloc-* Poison overwritten

Equivalent query: runconfig_tag IS IN ["xe"] AND machine_tag IS IN ["DG2", "ATSM-HW", "PVC", "256EU", "LNL", "ADL-P"] AND ((testsuite_name = "IGT" AND test_name IS IN ["igt@xe_exec_threads@threads-mixed-shared-vm-userptr-invalidate-race", "igt@kms_color@invalid-gamma-lut-sizes", "igt@xe_exec_threads@threads-hang-fd-userptr-rebind", "igt@kms_flip@flip-vs-blocking-wf-vblank", "igt@kms_vblank@crtc-id@pipe-a-edp-1", "igt@kms_big_fb@y-tiled-max-hw-stride-32bpp-rotate-0-async-flip", "igt@kms_atomic_transition@plane-all-transition-fencing@pipe-a-edp-1", "igt@kms_cursor_crc@cursor-onscreen-64x21@pipe-d-hdmi-a-1", "igt@xe_exec_threads@threads-mixed-userptr-invalidate", "igt@kms_cursor_crc@cursor-offscreen-64x64@pipe-a-hdmi-a-6", "igt@kms_flip@flip-vs-wf_vblank-interruptible@b-hdmi-a6", "igt@xe_exec_threads@threads-bal-shared-vm-rebind", "igt@kms_frontbuffer_tracking@fbc-tiling-linear", "igt@kms_universal_plane@universal-plane-functional@pipe-a-hdmi-a-6", "igt@xe_exec_threads@threads-mixed-shared-vm-basic", "igt@kms_frontbuffer_tracking@psr-1p-primscrn-spr-indfb-move", "igt@kms_color@invalid-gamma-lut-sizes@pipe-a", "igt@xe_exec_compute_mode@twice-basic", "igt@kms_cursor_crc@cursor-dpms@pipe-a-hdmi-a-6", "igt@xe_ccs@suspend-resume", "igt@kms_psr@fbc-psr2-sprite-plane-move", "igt@kms_cursor_crc@cursor-dpms", "igt@xe_exec_threads@threads-bal-mixed-fd-basic", "igt@kms_cursor_crc@cursor-dpms", "igt@kms_async_flips@async-flip-with-page-flip-events", "igt@xe_exec_basic@many-execqueues-many-vm-userptr-invalidate", "igt@xe_exec_fault_mode@many-execqueues-basic-prefetch", "igt@kms_vblank@crtc-id", "igt@kms_mmap_write_crc@main@pipe-a-hdmi-a-6", "igt@kms_atomic_transition@plane-all-transition-fencing", "igt@kms_lease@setcrtc-implicit-plane", "igt@kms_frontbuffer_tracking@fbc-1p-primscrn-pri-indfb-draw-blt", "igt@xe_ccs@suspend-resume@linear-compressed-compfmt0-system-vram01", "igt@kms_cursor_crc@cursor-offscreen-64x64", "igt@kms_async_flips@crc", "igt@kms_hdr@bpc-switch-suspend@pipe-a-hdmi-a-6", "igt@kms_async_flips@async-flip-with-page-flip-events@pipe-a-hdmi-a-6-4-mc-ccs", "igt@kms_color@invalid-gamma-lut-sizes@pipe-c", "igt@kms_async_flips@crc@pipe-a-hdmi-a-6", "igt@xe_exec_basic@many-execqueues-bindexecqueue-userptr-rebind", "igt@kms_mmap_write_crc@main@pipe-a-edp-1", "igt@kms_cursor_crc@cursor-random-128x128@pipe-a-hdmi-a-1", "igt@kms_psr@fbc-psr2-sprite-plane-move@edp-1", "igt@kms_cursor_crc@cursor-random-128x128", "igt@xe_exec_threads@threads-mixed-fd-basic", "igt@kms_frontbuffer_tracking@fbc-1p-primscrn-cur-indfb-draw-blt", "igt@kms_flip@busy-flip@a-edp1", "igt@kms_universal_plane@universal-plane-functional", "igt@xe_pm@s4-vm-bind-unbind-all", "igt@kms_hdr@bpc-switch-suspend", "igt@kms_frontbuffer_tracking@fbc-1p-pri-indfb-multidraw", "igt@kms_frontbuffer_tracking@fbc-1p-primscrn-shrfb-msflip-blt", "igt@kms_vblank@query-idle-hang@pipe-a-edp-1", "igt@kms_color@ctm-negative@pipe-a", "igt@kms_frontbuffer_tracking@fbcpsr-1p-primscrn-shrfb-plflip-blt", "igt@kms_color@ctm-negative@pipe-b", "igt@kms_flip@flip-vs-blocking-wf-vblank@a-hdmi-a6", "igt@kms_frontbuffer_tracking@fbc-rgb101010-draw-mmap-wc", "igt@kms_flip@2x-dpms-vs-vblank-race", "igt@xe_exec_basic@multigpu-many-execqueues-many-vm-rebind", "igt@kms_universal_plane@universal-plane-functional@pipe-a-hdmi-a-1", "igt@xe_exec_balancer@once-cm-virtual-userptr", "igt@kms_frontbuffer_tracking@fbc-2p-primscrn-spr-indfb-draw-blt", "igt@kms_universal_plane@universal-plane-functional@pipe-b-dp-4", "igt@kms_force_connector_basic@force-connector-state", "igt@kms_universal_plane@universal-plane-pageflip-windowed@pipe-a-hdmi-a-6", "igt@kms_vblank@query-idle-hang", "igt@xe_exec_compute_mode@twice-bindexecqueue-userptr", "igt@kms_lease@setcrtc-implicit-plane@pipe-a-hdmi-a-6", "igt@xe_exec_threads@threads-userptr", "igt@kms_mmap_write_crc@main", "igt@kms_flip@busy-flip", "igt@xe_exec_threads@threads-shared-vm-userptr-rebind", "igt@kms_frontbuffer_tracking@fbc-1p-offscren-pri-indfb-draw-blt", "igt@xe_pm_residency@toggle-gt-c6", "igt@kms_async_flips@async-flip-with-page-flip-events@pipe-a-edp-1-4", "igt@kms_frontbuffer_tracking@fbcpsr-1p-primscrn-pri-indfb-draw-mmap-wc", "igt@xe_exec_store@basic-store", "igt@xe_exec_balancer@many-cm-parallel-userptr", "igt@kms_cursor_crc@cursor-onscreen-64x21", "igt@xe_compute@ccs-mode-basic", "igt@kms_flip@flip-vs-wf_vblank-interruptible", "igt@xe_exec_compute_mode@twice-rebind", "igt@kms_async_flips@crc@pipe-a-edp-1", "igt@kms_universal_plane@universal-plane-pageflip-windowed", "igt@xe_exec_fault_mode@twice-userptr-invalidate-prefetch", "igt@kms_color@gamma", "igt@kms_color@gamma@pipe-b", "igt@kms_color@ctm-negative"])) AND ((testsuite_name = "IGT" AND status_name IS IN ["abort", "dmesg-warn"])) AND dmesg ~= 'BUG kmalloc-.* Poison overwritten'

New failures caught by the filter:

https://intel-gfx-ci.01.org/tree/intel-xe/xe-1329-42b9a14c5932c577019bf2f5d5ff25d208c1f921/bat-atsm-2/igt@xe_exec_compute_mode@twice-basic.html

Likely culprit is: https://patchwork.freedesktop.org/patch/594577/?series=132477&rev=5

AFAICT you can also see the same failure signature in the pre-merge results for that series.

The patch extends the xef structure with a new field, so likely we are accessing that new field after the xef structure is freed. Most likely the guc_exec_queue_free_job can race with xe_file_close.

assigned to @demarchi

assigned to @unerlige and unassigned @demarchi

@unerlige could you please help in this UAF regression? I could confirm that @mwa is absolutely right... a simple

--- a/drivers/gpu/drm/xe/xe_guc_submit.c
+++ b/drivers/gpu/drm/xe/xe_guc_submit.c
@@ -762,8 +762,13 @@ guc_exec_queue_run_job(struct drm_sched_job *drm_job)
 static void guc_exec_queue_free_job(struct drm_sched_job *drm_job)
 {
        struct xe_sched_job *job = to_xe_sched_job(drm_job);
+       struct xe_device *xe = gt_to_xe(job->q->gt);
 
-       xe_exec_queue_update_runtime(job->q);
+       /* Do not update exec_queue runtime info if the client is already gone */
+       spin_lock(&xe->clients.lock);
+       if (xe->clients.count)
+               xe_exec_queue_update_runtime(job->q);
+       spin_unlock(&xe->clients.lock);

could do the trick and avoid the UAF reported above. However I got confused on the whole flow. should this check be inside xe_exec_queue_update_runtime() itself to avoid other races? but then if inside, what's the relation with if (!q->vm || !q->vm->xef) Was that an attempt to solve/mask exactly this behavior here? Is it still needed if we we are checking the clients.count?

Also, is there a better name for this thing? runtime what?! "update runtime", "save runtime", "runtime in ticks" runtime what? ticks of what? Isn't there a better name that really has some meaning?

AFAICT clients.count is just the count of all clients. Here we would need some kind synchronisation for a single client going away. Similar to your idea, it looks like we could in theory update the vm->xef pointer to NULL under the lock in xe_file_close() somewhere and then in xe_exec_queue_update_runtime() you grab the lock before checking if the vm->xef pointer is NULL and then keep it held until you are done touching the pointer.

Also chatted to @mbrost about this who said that @dceraolo was also facing a similar type of issue and a possible fix there was to make the queue kill callback accept a flag to forcefully ensure we finish calling the free_job for all jobs on that queue before it returns, which we could then make use of in the xe_file_close() case.

Looking into it

fwiu, the suggestion is to wait in xe_exec_queue_kill() for guc_exec_queue_free_job() to complete. @mwa What condition should I wait on to ensure that? Any thoughts?

From the above analysis, it looks like the race is occurring in the xe_file_close flow because queue is killed a as a scheduled work and then xef is closed in parallel. If so, I would just do this:

--- a/drivers/gpu/drm/xe/xe_guc_submit.c
+++ b/drivers/gpu/drm/xe/xe_guc_submit.c
@@ -763,7 +763,8 @@ static void guc_exec_queue_free_job(struct drm_sched_job *drm_job)
 {
        struct xe_sched_job *job = to_xe_sched_job(drm_job);

-       xe_exec_queue_update_runtime(job->q);
+       if (!exec_queue_killed(job->q))
+               xe_exec_queue_update_runtime(job->q);

        trace_xe_sched_job_free(job);
        xe_sched_job_put(job);

You could potentially get an interrupt or be pre-empted after checking queue_killed, and during that time you can race with xe_file_close killing the queue and freeing the xef pointer. Or is that somehow not possible?

I'm not really sure how to do the "wait in xe_exec_queue_kill() for guc_exec_queue_free_job() to complete".

marked #1939 (closed) as a duplicate of this issue

marked this issue as related to #1939 (closed)

Posted a fix here - https://patchwork.freedesktop.org/series/134030/. Waiting for CI

Final patch is posted here - https://patchwork.freedesktop.org/patch/595493/?series=134037, but I have skipped CI on this one since it has only a rename.

Waiting for the FULL CI run here - https://patchwork.freedesktop.org/series/134033/.

It looks like the CI shards queue is stuck or taking too long. I will not be able to merge this without results from CI.FULL since that was the run affected by this regression. I will continue to monitor the CI results.

closed with commit ce62827b

mentioned in commit ce62827b

The CI Bug Log issue associated to this bug has been updated by adelaryb.

New filters associated

ATS_M PVC ADL_P DG2 LNL: few tests - abort/incomplete - BUG kmalloc-1k*Poison overwritten (No new failures associated)

The CI Bug Log issue associated to this bug has been archived.

New failures matching the above filters will not be associated to this bug anymore.

few tests - abort/dmesg-warn - BUG kmalloc-* Poison overwritten

Designs

Child items ...

Activity

New filters associated

Admin message

Admin message

few tests - abort/dmesg-warn - BUG kmalloc-* Poison overwritten

Activity

New filters associated