dma-buf/resv: fix exclusive fence get

Message ID	20190922074900.853-1-yuq825@gmail.com (mailing list archive)
State	New, archived
Headers	show Return-Path: <SRS0=0MZG=XR=lists.freedesktop.org=dri-devel-bounces@kernel.org> DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 689FC21D7E From: Qiang Yu <yuq825@gmail.com> To: dri-devel@lists.freedesktop.org Subject: [PATCH] dma-buf/resv: fix exclusive fence get Date: Sun, 22 Sep 2019 15:49:00 +0800 Message-Id: <20190922074900.853-1-yuq825@gmail.com> MIME-Version: 1.0 X-Mailman-Original-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=/P04TVQeG2TqtKqnh5NeUjgcAZkp2eeIEEO+pcLFimI=; b=M/xx3S0fObzJAC7Q0yLbKqcZqa5MoT9YYx9XUcR4V8ItKFBQYE/QwdqzrWkmKANvGN MYuC9n+WDjYmQIm1JImn4++yj8Nv/FD2I2Atm4bEw2L//p4BP0BpQ3Z4PEnPc8wdWjCi SR8sH/6I6+5o+r/u6MOnsKtg1ZDUEUBX8HyJpspkTtzOgGSXFCqPgWU60BrMRpv5185L wKDtpTgqYgr3MJU3/3M2EIDNSvivtVl7CJOxESGXrBB2xDua2+wbM2fFC8YLYVflWWbV SqsQwDPN1muzH+wMK7WSP0UiVhamJaM6a82sSoFobxf9cjeuaZtsT7HdkC2gA3JtVsqp 1J3g== Precedence: list Cc: lima@lists.freedesktop.org, linaro-mm-sig@lists.linaro.org, Qiang Yu <yuq825@gmail.com>, =?utf-8?q?Christian_K=C3=B6nig?= <christian.koenig@amd.com>, linux-media@vger.kernel.org Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 Errors-To: dri-devel-bounces@lists.freedesktop.org Sender: "dri-devel" <dri-devel-bounces@lists.freedesktop.org>
Series	dma-buf/resv: fix exclusive fence get \| expand dma-buf/resv: fix exclusive fence get

Qiang Yu Sept. 22, 2019, 7:49 a.m. UTC

This causes kernel crash when testing lima driver.

Cc: Christian König <christian.koenig@amd.com>
Fixes: b8c036dfc66f ("dma-buf: simplify reservation_object_get_fences_rcu a bit")
Signed-off-by: Qiang Yu <yuq825@gmail.com>
---
 drivers/dma-buf/dma-resv.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Chris Wilson Sept. 22, 2019, 12:17 p.m. UTC | #1

Quoting Qiang Yu (2019-09-22 08:49:00)
> This causes kernel crash when testing lima driver.
> 
> Cc: Christian König <christian.koenig@amd.com>
> Fixes: b8c036dfc66f ("dma-buf: simplify reservation_object_get_fences_rcu a bit")
> Signed-off-by: Qiang Yu <yuq825@gmail.com>
> ---
>  drivers/dma-buf/dma-resv.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/dma-buf/dma-resv.c b/drivers/dma-buf/dma-resv.c
> index 42a8f3f11681..709002515550 100644
> --- a/drivers/dma-buf/dma-resv.c
> +++ b/drivers/dma-buf/dma-resv.c
> @@ -471,7 +471,7 @@ int dma_resv_get_fences_rcu(struct dma_resv *obj,
>         if (pfence_excl)
>                 *pfence_excl = fence_excl;
>         else if (fence_excl)
> -               shared[++shared_count] = fence_excl;
> +               shared[shared_count++] = fence_excl;

Oops.

Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk>
-Chris

Chris Wilson Sept. 22, 2019, 12:50 p.m. UTC | #2

Quoting Chris Wilson (2019-09-22 13:17:19)
> Quoting Qiang Yu (2019-09-22 08:49:00)
> > This causes kernel crash when testing lima driver.
> > 
> > Cc: Christian König <christian.koenig@amd.com>
> > Fixes: b8c036dfc66f ("dma-buf: simplify reservation_object_get_fences_rcu a bit")
> > Signed-off-by: Qiang Yu <yuq825@gmail.com>
> > ---
> >  drivers/dma-buf/dma-resv.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> > 
> > diff --git a/drivers/dma-buf/dma-resv.c b/drivers/dma-buf/dma-resv.c
> > index 42a8f3f11681..709002515550 100644
> > --- a/drivers/dma-buf/dma-resv.c
> > +++ b/drivers/dma-buf/dma-resv.c
> > @@ -471,7 +471,7 @@ int dma_resv_get_fences_rcu(struct dma_resv *obj,
> >         if (pfence_excl)
> >                 *pfence_excl = fence_excl;
> >         else if (fence_excl)
> > -               shared[++shared_count] = fence_excl;
> > +               shared[shared_count++] = fence_excl;
> 
> Oops.
> 
> Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk>

Applied, thanks for the fix.
-Chris

Daniel Vetter Sept. 30, 2019, 7:22 a.m. UTC | #3

On Sun, Sep 22, 2019 at 2:08 PM Qiang Yu <yuq825@gmail.com> wrote:
>
> This causes kernel crash when testing lima driver.
>
> Cc: Christian König <christian.koenig@amd.com>
> Fixes: b8c036dfc66f ("dma-buf: simplify reservation_object_get_fences_rcu a bit")
> Signed-off-by: Qiang Yu <yuq825@gmail.com>

Selftest for this would be lovely, now that the basic infrastructure
is in place ...
-Daniel

> ---
>  drivers/dma-buf/dma-resv.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/dma-buf/dma-resv.c b/drivers/dma-buf/dma-resv.c
> index 42a8f3f11681..709002515550 100644
> --- a/drivers/dma-buf/dma-resv.c
> +++ b/drivers/dma-buf/dma-resv.c
> @@ -471,7 +471,7 @@ int dma_resv_get_fences_rcu(struct dma_resv *obj,
>         if (pfence_excl)
>                 *pfence_excl = fence_excl;
>         else if (fence_excl)
> -               shared[++shared_count] = fence_excl;
> +               shared[shared_count++] = fence_excl;
>
>         if (!shared_count) {
>                 kfree(shared);
> --
> 2.17.1
>
> _______________________________________________
> dri-devel mailing list
> dri-devel@lists.freedesktop.org
> https://lists.freedesktop.org/mailman/listinfo/dri-devel

Christian König Sept. 30, 2019, 8:57 a.m. UTC | #4

Am 30.09.19 um 09:22 schrieb Daniel Vetter:
> On Sun, Sep 22, 2019 at 2:08 PM Qiang Yu <yuq825@gmail.com> wrote:
>> This causes kernel crash when testing lima driver.
>>
>> Cc: Christian König <christian.koenig@amd.com>
>> Fixes: b8c036dfc66f ("dma-buf: simplify reservation_object_get_fences_rcu a bit")
>> Signed-off-by: Qiang Yu <yuq825@gmail.com>
> Selftest for this would be lovely, now that the basic infrastructure
> is in place ...

What do you have in mind? I wouldn't even know where to start to write 
an unit test for this.

Christian.

> -Daniel
>
>> ---
>>   drivers/dma-buf/dma-resv.c | 2 +-
>>   1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/drivers/dma-buf/dma-resv.c b/drivers/dma-buf/dma-resv.c
>> index 42a8f3f11681..709002515550 100644
>> --- a/drivers/dma-buf/dma-resv.c
>> +++ b/drivers/dma-buf/dma-resv.c
>> @@ -471,7 +471,7 @@ int dma_resv_get_fences_rcu(struct dma_resv *obj,
>>          if (pfence_excl)
>>                  *pfence_excl = fence_excl;
>>          else if (fence_excl)
>> -               shared[++shared_count] = fence_excl;
>> +               shared[shared_count++] = fence_excl;
>>
>>          if (!shared_count) {
>>                  kfree(shared);
>> --
>> 2.17.1
>>
>> _______________________________________________
>> dri-devel mailing list
>> dri-devel@lists.freedesktop.org
>> https://lists.freedesktop.org/mailman/listinfo/dri-devel
>
>

Daniel Vetter Oct. 8, 2019, 4:43 p.m. UTC | #5

On Mon, Sep 30, 2019 at 08:57:32AM +0000, Koenig, Christian wrote:
> Am 30.09.19 um 09:22 schrieb Daniel Vetter:
> > On Sun, Sep 22, 2019 at 2:08 PM Qiang Yu <yuq825@gmail.com> wrote:
> >> This causes kernel crash when testing lima driver.
> >>
> >> Cc: Christian König <christian.koenig@amd.com>
> >> Fixes: b8c036dfc66f ("dma-buf: simplify reservation_object_get_fences_rcu a bit")
> >> Signed-off-by: Qiang Yu <yuq825@gmail.com>
> > Selftest for this would be lovely, now that the basic infrastructure
> > is in place ...
> 
> What do you have in mind? I wouldn't even know where to start to write 
> an unit test for this.

1. set a few fences (both excl + shared) in a dma_resv
2. get them
3. check that we got them all
4. notice that the exlusive fence isn't actually in the array (because we
increment the index before storing, so the exclusive fence ended past the
array). For robustness the test should check that the fences are listed in
any order, not just the one the current implementation gives you.

I guess the actual crash happens when we're unlucky and overflow the
allocation, which is probably more rare. But KASAN should help catch that
too (run that in your CI if you don't do that yet, it's pretty
impressive).

Or am I totally misunderstanding what's going wrong here?
-Daniel
> 
> Christian.
> 
> > -Daniel
> >
> >> ---
> >>   drivers/dma-buf/dma-resv.c | 2 +-
> >>   1 file changed, 1 insertion(+), 1 deletion(-)
> >>
> >> diff --git a/drivers/dma-buf/dma-resv.c b/drivers/dma-buf/dma-resv.c
> >> index 42a8f3f11681..709002515550 100644
> >> --- a/drivers/dma-buf/dma-resv.c
> >> +++ b/drivers/dma-buf/dma-resv.c
> >> @@ -471,7 +471,7 @@ int dma_resv_get_fences_rcu(struct dma_resv *obj,
> >>          if (pfence_excl)
> >>                  *pfence_excl = fence_excl;
> >>          else if (fence_excl)
> >> -               shared[++shared_count] = fence_excl;
> >> +               shared[shared_count++] = fence_excl;
> >>
> >>          if (!shared_count) {
> >>                  kfree(shared);
> >> --
> >> 2.17.1
> >>
> >> _______________________________________________
> >> dri-devel mailing list
> >> dri-devel@lists.freedesktop.org
> >> https://lists.freedesktop.org/mailman/listinfo/dri-devel
> >
> >
>

Qiang Yu Oct. 10, 2019, 2:27 p.m. UTC | #6

Hi Chris,

This fix has been pushed to drm-misc-next for a while. But Linux
5.4-rc kernels still does not have this fix.
Should it be also pushed to drm-misc-fixes?

Thanks,
Qiang


On Sun, Sep 22, 2019 at 8:50 PM Chris Wilson <chris@chris-wilson.co.uk> wrote:
>
> Quoting Chris Wilson (2019-09-22 13:17:19)
> > Quoting Qiang Yu (2019-09-22 08:49:00)
> > > This causes kernel crash when testing lima driver.
> > >
> > > Cc: Christian König <christian.koenig@amd.com>
> > > Fixes: b8c036dfc66f ("dma-buf: simplify reservation_object_get_fences_rcu a bit")
> > > Signed-off-by: Qiang Yu <yuq825@gmail.com>
> > > ---
> > >  drivers/dma-buf/dma-resv.c | 2 +-
> > >  1 file changed, 1 insertion(+), 1 deletion(-)
> > >
> > > diff --git a/drivers/dma-buf/dma-resv.c b/drivers/dma-buf/dma-resv.c
> > > index 42a8f3f11681..709002515550 100644
> > > --- a/drivers/dma-buf/dma-resv.c
> > > +++ b/drivers/dma-buf/dma-resv.c
> > > @@ -471,7 +471,7 @@ int dma_resv_get_fences_rcu(struct dma_resv *obj,
> > >         if (pfence_excl)
> > >                 *pfence_excl = fence_excl;
> > >         else if (fence_excl)
> > > -               shared[++shared_count] = fence_excl;
> > > +               shared[shared_count++] = fence_excl;
> >
> > Oops.
> >
> > Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk>
>
> Applied, thanks for the fix.
> -Chris

Christian König Oct. 10, 2019, 2:33 p.m. UTC | #7

Hi Qiang,

oh, good point. Yes it certainly should.

Looks like I accidentally pushed it to the wrong branch.

Thanks,
Christian.

Am 10.10.19 um 16:27 schrieb Qiang Yu:
> Hi Chris,
>
> This fix has been pushed to drm-misc-next for a while. But Linux
> 5.4-rc kernels still does not have this fix.
> Should it be also pushed to drm-misc-fixes?
>
> Thanks,
> Qiang
>
>
> On Sun, Sep 22, 2019 at 8:50 PM Chris Wilson <chris@chris-wilson.co.uk> wrote:
>> Quoting Chris Wilson (2019-09-22 13:17:19)
>>> Quoting Qiang Yu (2019-09-22 08:49:00)
>>>> This causes kernel crash when testing lima driver.
>>>>
>>>> Cc: Christian König <christian.koenig@amd.com>
>>>> Fixes: b8c036dfc66f ("dma-buf: simplify reservation_object_get_fences_rcu a bit")
>>>> Signed-off-by: Qiang Yu <yuq825@gmail.com>
>>>> ---
>>>>   drivers/dma-buf/dma-resv.c | 2 +-
>>>>   1 file changed, 1 insertion(+), 1 deletion(-)
>>>>
>>>> diff --git a/drivers/dma-buf/dma-resv.c b/drivers/dma-buf/dma-resv.c
>>>> index 42a8f3f11681..709002515550 100644
>>>> --- a/drivers/dma-buf/dma-resv.c
>>>> +++ b/drivers/dma-buf/dma-resv.c
>>>> @@ -471,7 +471,7 @@ int dma_resv_get_fences_rcu(struct dma_resv *obj,
>>>>          if (pfence_excl)
>>>>                  *pfence_excl = fence_excl;
>>>>          else if (fence_excl)
>>>> -               shared[++shared_count] = fence_excl;
>>>> +               shared[shared_count++] = fence_excl;
>>> Oops.
>>>
>>> Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk>
>> Applied, thanks for the fix.
>> -Chris

dma-buf/resv: fix exclusive fence get

Commit Message

Comments

Patch