drm: Add the mutex protection in drm_do_vm_fault.

Message ID	1381506450.7844.4.camel@chenjun-workstation (mailing list archive)
State	New, archived
Headers	show Return-Path: <dri-devel-bounces+patchwork-dri-devel=patchwork.kernel.org@lists.freedesktop.org> Subject: [PATCH] drm: Add the mutex protection in drm_do_vm_fault. From: Jun Chen <jun.d.chen@intel.com> To: airlied@linux.ie, viro@zeniv.linux.org.uk, airlied@redhat.com Date: Fri, 11 Oct 2013 11:47:30 -0400 Message-ID: <1381506450.7844.4.camel@chenjun-workstation> Mime-Version: 1.0 Cc: Jun Chen <jun.d.chen@intel.com>, Linux Kernel <linux-kernel@vger.kernel.org>, dri-devel@lists.freedesktop.org Precedence: list Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: dri-devel-bounces+patchwork-dri-devel=patchwork.kernel.org@lists.freedesktop.org Errors-To: dri-devel-bounces+patchwork-dri-devel=patchwork.kernel.org@lists.freedesktop.org

Message ID

1381506450.7844.4.camel@chenjun-workstation (mailing list archive)

State

New, archived

Headers

Subject: [PATCH] drm: Add the mutex protection in drm_do_vm_fault.
From: Jun Chen <jun.d.chen@intel.com>
To: airlied@linux.ie, viro@zeniv.linux.org.uk, airlied@redhat.com
Date: Fri, 11 Oct 2013 11:47:30 -0400
Message-ID: <1381506450.7844.4.camel@chenjun-workstation>
Mime-Version: 1.0
Cc: Jun Chen <jun.d.chen@intel.com>,
	Linux Kernel <linux-kernel@vger.kernel.org>,
	dri-devel@lists.freedesktop.org
Precedence: list
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: dri-devel-bounces+patchwork-dri-devel=patchwork.kernel.org@lists.freedesktop.org
Errors-To: dri-devel-bounces+patchwork-dri-devel=patchwork.kernel.org@lists.freedesktop.org

Commit Message

Jun Chen Oct. 11, 2013, 3:47 p.m. UTC

There are no mutex protection for the dev->map_hash while calling
the drm_ht_find_item in the function drm_do_vm_fault. So try to
mutex firstly and then find the list for using to avoid this race
condition.

Signed-off-by: Chen Jun <jun.d.chen@intel.com>
---
 drivers/gpu/drm/drm_vm.c |   11 +++++++++--
 1 files changed, 9 insertions(+), 2 deletions(-)

Comments

Dave Airlie Nov. 6, 2013, 3:33 a.m. UTC | #1

On Sat, Oct 12, 2013 at 1:47 AM, Jun Chen <jun.d.chen@intel.com> wrote:
>
> There are no mutex protection for the dev->map_hash while calling
> the drm_ht_find_item in the function drm_do_vm_fault. So try to
> mutex firstly and then find the list for using to avoid this race
> condition.

Can I ask how or why you found this? from what I can see we really
shouldn't be executing this code on modern drivers.

this is the sort of thing I'd really like to have tested on real hw,
which means someone booting it on AGP using UMS drivers I think.

Dave.

diff --git a/drivers/gpu/drm/drm_vm.c b/drivers/gpu/drm/drm_vm.c
index b5c5af7..1d95221 100644
--- a/drivers/gpu/drm/drm_vm.c
+++ b/drivers/gpu/drm/drm_vm.c
@@ -107,8 +107,11 @@  static int drm_do_vm_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
 	if (!dev->agp || !dev->agp->cant_use_aperture)
 		goto vm_fault_error;
 
-	if (drm_ht_find_item(&dev->map_hash, vma->vm_pgoff, &hash))
+	mutex_lock(&dev->struct_mutex);
+	if (drm_ht_find_item(&dev->map_hash, vma->vm_pgoff, &hash)) {
+		mutex_unlock(&dev->struct_mutex);
 		goto vm_fault_error;
+	}
 
 	r_list = drm_hash_entry(hash, struct drm_map_list, hash);
 	map = r_list->map;
@@ -140,8 +143,10 @@  static int drm_do_vm_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
 				break;
 		}
 
-		if (&agpmem->head == &dev->agp->memory)
+		if (&agpmem->head == &dev->agp->memory) {
+			mutex_unlock(&dev->struct_mutex);
 			goto vm_fault_error;
+		}
 
 		/*
 		 * Get the page, inc the use count, and return it
@@ -151,6 +156,7 @@  static int drm_do_vm_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
 		get_page(page);
 		vmf->page = page;
 
+		mutex_unlock(&dev->struct_mutex);
 		DRM_DEBUG
 		    ("baddr = 0x%llx page = 0x%p, offset = 0x%llx, count=%d\n",
 		     (unsigned long long)baddr,
@@ -159,6 +165,7 @@  static int drm_do_vm_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
 		     page_count(page));
 		return 0;
 	}
+	mutex_unlock(&dev->struct_mutex);
 vm_fault_error:
 	return VM_FAULT_SIGBUS;	/* Disallow mremap */
 }

drm: Add the mutex protection in drm_do_vm_fault.

Commit Message

Comments

Patch