From patchwork Mon Nov 7 16:54:14 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Auld X-Patchwork-Id: 13034898 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from gabe.freedesktop.org (gabe.freedesktop.org [131.252.210.177]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 7D663C4332F for ; Mon, 7 Nov 2022 16:54:57 +0000 (UTC) Received: from gabe.freedesktop.org (localhost [127.0.0.1]) by gabe.freedesktop.org (Postfix) with ESMTP id A6DDE10E43E; Mon, 7 Nov 2022 16:54:56 +0000 (UTC) Received: from mga02.intel.com (mga02.intel.com [134.134.136.20]) by gabe.freedesktop.org (Postfix) with ESMTPS id 37B0810E43E for ; Mon, 7 Nov 2022 16:54:49 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1667840089; x=1699376089; h=from:to:cc:subject:date:message-id:in-reply-to: references:mime-version:content-transfer-encoding; bh=g6mQDaj+OnxLQp8cNHKC73uPqcVmPmqfnCifJhqkR9g=; b=akVeQYBDpEcbxQBHNrFlTbOTwX9s7iRSbTlh5d4crthKpEOlRkGdYOTk bdv3XQ89x/un9TN+cdpg28r0R/S4UJWn/Z2z5CYlnQtMSYITARboi/mb9 Xo/Jn78l0ygscM2DctdLlWa92Gs8yVSRQXcvffCZePbYJyFiuC9+pMWOw 38N7jneBriAD3FioOa2Yr4HcZUYamR8pPXPW+RxQBPrxKiEYCwt1LiisG oT0Ap/RfnMwt9X2FTWyxS+gfMeR6K/K5G94fqNq6xN5jP7sUibRJ4nvEO Xjs+92nKIkbgBcoknDzdtrQh/8+Nkyzaf+0ap0McYN+jAlP2UjMOqOriI w==; X-IronPort-AV: E=McAfee;i="6500,9779,10524"; a="297957305" X-IronPort-AV: E=Sophos;i="5.96,145,1665471600"; d="scan'208";a="297957305" Received: from fmsmga001.fm.intel.com ([10.253.24.23]) by orsmga101.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 07 Nov 2022 08:54:35 -0800 X-IronPort-AV: E=McAfee;i="6500,9779,10524"; a="778559355" X-IronPort-AV: E=Sophos;i="5.96,145,1665471600"; d="scan'208";a="778559355" Received: from pmesquit-mobl.ger.corp.intel.com (HELO mwauld-desk1.intel.com) ([10.252.15.49]) by fmsmga001-auth.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 07 Nov 2022 08:54:33 -0800 From: Matthew Auld To: intel-gfx@lists.freedesktop.org Date: Mon, 7 Nov 2022 16:54:14 +0000 Message-Id: <20221107165414.56970-2-matthew.auld@intel.com> X-Mailer: git-send-email 2.38.1 In-Reply-To: <20221107165414.56970-1-matthew.auld@intel.com> References: <20221107165414.56970-1-matthew.auld@intel.com> MIME-Version: 1.0 Subject: [Intel-gfx] [PATCH 2/2] drm/i915/ttm: add some sanity checks for lmem_userfault_list X-BeenThere: intel-gfx@lists.freedesktop.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Intel graphics driver community testing & development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Nirmoy Das , Andrzej Hajda , Rodrigo Vivi Errors-To: intel-gfx-bounces@lists.freedesktop.org Sender: "Intel-gfx" Rather than getting some hard to debug uaf, add some warns to hopefully catch issues with userfault_count being non-zero when destroying the object. Also if we somehow add an object to lmem_userfault_list that somehow doesn't map lmem. References: https://gitlab.freedesktop.org/drm/intel/-/issues/7469 Signed-off-by: Matthew Auld Cc: Anshuman Gupta Cc: Rodrigo Vivi Cc: Andrzej Hajda Cc: Nirmoy Das Reviewed-by: Andrzej Hajda --- drivers/gpu/drm/i915/gem/i915_gem_ttm.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/gpu/drm/i915/gem/i915_gem_ttm.c b/drivers/gpu/drm/i915/gem/i915_gem_ttm.c index 9421dc4dc98f..2c8b2d5ae903 100644 --- a/drivers/gpu/drm/i915/gem/i915_gem_ttm.c +++ b/drivers/gpu/drm/i915/gem/i915_gem_ttm.c @@ -1098,6 +1098,8 @@ static vm_fault_t vm_fault_ttm(struct vm_fault *vmf) spin_lock(&to_i915(obj->base.dev)->runtime_pm.lmem_userfault_lock); list_add(&obj->userfault_link, &to_i915(obj->base.dev)->runtime_pm.lmem_userfault_list); spin_unlock(&to_i915(obj->base.dev)->runtime_pm.lmem_userfault_lock); + + GEM_WARN_ON(!i915_ttm_cpu_maps_iomem(bo->resource)); } if (wakeref & CONFIG_DRM_I915_USERFAULT_AUTOSUSPEND) @@ -1180,6 +1182,8 @@ static void i915_ttm_unmap_virtual(struct drm_i915_gem_object *obj) } } + GEM_WARN_ON(obj->userfault_count); + ttm_bo_unmap_virtual(i915_gem_to_ttm(obj)); if (wakeref)