From: Eric Anholt
To: dri-devel@lists.freedesktop.org
Cc: linux-kernel@vger.kernel.org, boris.brezillon@bootlin.com, Eric Anholt
Subject: [PATCH 1/4] drm/v3d: Fix a use-after-free race accessing the scheduler's fences.
Date: Fri, 28 Sep 2018 16:21:23 -0700
Message-Id: <20180928232126.4332-1-eric@anholt.net>

Once we push the job, the scheduler could run it and free it. So, if we want to reference their fences, we need to grab them before then. I haven't seen this happen in many days of conformance test runtime, but let's still close the race.

Signed-off-by: Eric Anholt
Fixes: 57692c94dcbe ("drm/v3d: Introduce a new DRM driver for Broadcom V3D V3.x+")
--- drivers/gpu/drm/v3d/v3d_drv.h | 5 +++++ drivers/gpu/drm/v3d/v3d_gem.c | 8 ++++++-- 2 files changed, 11 insertions(+), 2 deletions(-) diff --git a/drivers/gpu/drm/v3d/v3d_drv.h b/drivers/gpu/drm/v3d/v3d_drv.h index 5042573e97f4..83c55ab6e1c0 100644 --- a/drivers/gpu/drm/v3d/v3d_drv.h +++ b/drivers/gpu/drm/v3d/v3d_drv.h @@ -204,6 +204,11 @@ struct v3d_exec_info { */ struct dma_fence *bin_done_fence; + /* Fence for when the scheduler considers the render to be + * done, for when the BOs reservations should be complete. + */ + struct dma_fence *render_done_fence; + struct kref refcount; /* This is the array of BOs that were looked up at the start of exec. */ diff --git a/drivers/gpu/drm/v3d/v3d_gem.c b/drivers/gpu/drm/v3d/v3d_gem.c index e1fcbb4cd0ae..c98fbfbdb68e 100644 --- a/drivers/gpu/drm/v3d/v3d_gem.c +++ b/drivers/gpu/drm/v3d/v3d_gem.c @@ -209,7 +209,7 @@ v3d_flush_caches(struct v3d_dev *v3d) static void v3d_attach_object_fences(struct v3d_exec_info *exec) { - struct dma_fence *out_fence = &exec->render.base.s_fence->finished; + struct dma_fence *out_fence = exec->render_done_fence; struct v3d_bo *bo; int i; 
@@ -409,6 +409,7 @@ v3d_exec_cleanup(struct kref *ref) dma_fence_put(exec->render.done_fence); dma_fence_put(exec->bin_done_fence); + dma_fence_put(exec->render_done_fence); for (i = 0; i < exec->bo_count; i++) drm_gem_object_put_unlocked(&exec->bo[i]->base); @@ -574,6 +575,9 @@ v3d_submit_cl_ioctl(struct drm_device *dev, void *data, if (ret) goto fail_unreserve; + exec->render_done_fence = + dma_fence_get(&exec->render.base.s_fence->finished); + kref_get(&exec->refcount); /* put by scheduler job completion */ drm_sched_entity_push_job(&exec->render.base, &v3d_priv->sched_entity[V3D_RENDER]); @@ -587,7 +591,7 @@ v3d_submit_cl_ioctl(struct drm_device *dev, void *data, sync_out = drm_syncobj_find(file_priv, args->out_sync); if (sync_out) { drm_syncobj_replace_fence(sync_out, - &exec->render.base.s_fence->finished); + exec->render_done_fence); drm_syncobj_put(sync_out); } -- 2.18.0
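
Review bot: In the v3d_drv.h hunk (@@ -204,6 +204,11 @@), the new comment on render_done_fence does not say that the field holds its own reference, which is the whole reason the field exists. The comment describes what the fence signals but not its lifetime: the reference is taken with dma_fence_get() in v3d_submit_cl_ioctl() before the job is pushed and dropped with dma_fence_put() in v3d_exec_cleanup(). Stating that in the comment would keep a later reader from going back to &exec->render.base.s_fence->finished. Minor wording: "the BOs reservations" reads better as "the BO reservations".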
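
Review bot: In the v3d_attach_object_fences() hunk (@@ -209,7 +209,7 @@), out_fence is now only valid once v3d_submit_cl_ioctl() has assigned exec->render_done_fence, and nothing in the function checks or documents that precondition. Before this change the pointer was derived from the job's s_fence and could not be unset; now a caller that runs ahead of the assignment would attach an unset fence to every BO in the loop. A WARN_ON(!out_fence) with an early return, or at least a one-line comment naming where the field is set, would make the ordering dependency explicit.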
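
Review bot: In the v3d_submit_cl_ioctl() hunk (@@ -574,6 +575,9 @@), the code does not record that the dma_fence_get() has to stay ahead of drm_sched_entity_push_job(); the constraint lives only in the commit message. Since the race is one the author reports never having reproduced, a later reorder of these lines would bring it back silently. A short comment above the assignment, saying the scheduler may run and free the job as soon as it is pushed, would protect the ordering. Related: the "goto fail_unreserve" just above leaves render_done_fence unassigned, while the v3d_exec_cleanup() hunk puts it unconditionally. dma_fence_put() accepts NULL, so that path is fine provided exec is zero-initialised at allocation, which these hunks do not show and is worth confirming.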