From: Rob Herring
Date: Fri, 6 Sep 2019 12:10:41 +0100
Subject: Re: [PATCH] drm/panfrost: Prevent race when handling page fault
To: Steven Price
Cc: Tomeu Vizoso, Daniel Vetter, David Airlie, Alyssa Rosenzweig, dri-devel, "linux-kernel@vger.kernel.org"

On Thu, Sep 5, 2019 at 1:11 PM Steven Price wrote:
>
> When handling a GPU page fault addr_to_drm_mm_node() is used to
> translate the GPU address to a buffer object. However it is possible for
> the buffer object to be freed after the function has returned resulting
> in a use-after-free of the BO.
>
> Change addr_to_drm_mm_node to return the panfrost_gem_object with an
> extra reference on it, preventing the BO from being freed until after
> the page fault has been handled.
>
> Signed-off-by: Steven Price
> ---
>
> I've managed to trigger this, generating the following stack trace.

Humm, the assumption was that a fault could only happen during a job
and so a reference would already be held. Otherwise, couldn't the GPU
also be accessing the BO after it is freed?

Also, looking at this again, I think we need to hold the mm_lock
around the drm_mm_for_each_node().

Rob
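
The two points in this thread (return the object with an extra reference, and walk the node list only under the lock) can be seen together in a small userspace model. This is an added example, not code from the patch or the panfrost driver: every name in it is hypothetical, and a pthread mutex and C11 atomics stand in for the kernel's locking and reference counting.

```c
/* Userspace model; all names are hypothetical, not panfrost driver code. */
#include <pthread.h>
#include <stdatomic.h>
#include <stdint.h>
#include <stdlib.h>
static struct bo {
    uint64_t start, size;          /* GPU address range of the mapping */
    atomic_int refcount;
    struct bo *next;               /* list link, protected by mm_lock */
} *mm_nodes;
static pthread_mutex_t mm_lock = PTHREAD_MUTEX_INITIALIZER;
static atomic_int bos_freed;       /* instrumentation for this example only */
static void bo_put(struct bo *bo) {
    if (atomic_fetch_sub(&bo->refcount, 1) != 1) return;  /* not the last ref */
    atomic_fetch_add(&bos_freed, 1);
    free(bo);
}
static struct bo *bo_map(uint64_t start, uint64_t size) {
    struct bo *bo = calloc(1, sizeof(*bo));
    if (!bo) return NULL;
    bo->start = start; bo->size = size;
    atomic_init(&bo->refcount, 1);                 /* the list's reference */
    pthread_mutex_lock(&mm_lock);
    bo->next = mm_nodes; mm_nodes = bo;
    pthread_mutex_unlock(&mm_lock);
    return bo;
}
static void bo_unmap(struct bo *bo) {
    pthread_mutex_lock(&mm_lock);
    for (struct bo **p = &mm_nodes; *p; p = &(*p)->next)
        if (*p == bo) { *p = bo->next; break; }
    pthread_mutex_unlock(&mm_lock);
    bo_put(bo);                                    /* drop the list's reference */
}
static struct bo *bo_lookup_get(uint64_t addr) {   /* fault path */
    struct bo *bo;
    pthread_mutex_lock(&mm_lock);                  /* list cannot change while walked */
    for (bo = mm_nodes; bo; bo = bo->next)
        if (addr - bo->start < bo->size) break;    /* unsigned wrap rejects addr < start */
    if (bo) atomic_fetch_add(&bo->refcount, 1);    /* taken before unlocking */
    pthread_mutex_unlock(&mm_lock);
    return bo;                                     /* NULL if nothing covers addr */
}
int main(void) {
    struct bo *m = bo_map(0x10000, 0x4000), *f = m ? bo_lookup_get(0x11000) : NULL;
    if (!f) return 1;
    bo_unmap(m);   /* unmapped mid-fault: f's reference keeps the object alive */
    bo_put(f);     /* fault handled: last reference dropped, object freed */
    return atomic_load(&bos_freed) != 1;
}
```

If the reference were taken only after `pthread_mutex_unlock()`, an unmap running in that window could free the object first, which is the use-after-free the patch description refers to.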