Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
MIME-Version: 1.0
References: <M0lxN5AUlPvzBKULfIBe5BZRwfQGXeMQCdWItYcQ-9P79y32WzExYK2Y0DwyNVtyGelqbvV07_lFk1oeT4cApbT-P_oH0bnxQbMmFsJv_xg=@protonmail.com>
 <ba078fb0-0dbc-df06-cfe9-f9537883f82a@amd.com> <e2f55480-c24f-6c85-08d3-21131a22d0bf@amd.com>
 <3b7e3e50-2ff7-eff3-2ffc-abaa4b36ce7f@amd.com> <CAKMK7uHCu02P4tvhF4LQbtYeNciU61ONC9EZRmQ-0wEGFPzZgg@mail.gmail.com>
 <Fnx2lsAReNccvQbyMYBgghvef4ekiQ_ZWL0m5BwF-2h48gvnNLghI4zkIWhQwy-H6CiytTXaxEtZ83dYRlzAXeKHujBRLc_tffmcJVWjwuo=@protonmail.com>
In-Reply-To: <Fnx2lsAReNccvQbyMYBgghvef4ekiQ_ZWL0m5BwF-2h48gvnNLghI4zkIWhQwy-H6CiytTXaxEtZ83dYRlzAXeKHujBRLc_tffmcJVWjwuo=@protonmail.com>
From:   Daniel Vetter <daniel@ffwll.ch>
Date:   Mon, 27 Jul 2020 23:32:03 +0200
Message-ID: <CAKMK7uFAnedLTp6LJYum6gYj3xaWkuuXJr70UJ48Pxxr-4dA7w@mail.gmail.com>
Subject: Re: [PATCH] drm/amd/display: Clear dm_state for fast updates
To:     Mazin Rezk <mnrzk@protonmail.com>
Cc:     =?UTF-8?Q?Christian_K=C3=B6nig?= <christian.koenig@amd.com>,
        "Kazlauskas, Nicholas" <nicholas.kazlauskas@amd.com>,
        "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
        "amd-gfx@lists.freedesktop.org" <amd-gfx@lists.freedesktop.org>,
        "dri-devel@lists.freedesktop.org" <dri-devel@lists.freedesktop.org>,
        Paul Menzel <pmenzel@molgen.mpg.de>,
        "anthony.ruhier@gmail.com" <anthony.ruhier@gmail.com>,
        Duncan <1i5t5.duncan@cox.net>, Kees Cook <keescook@chromium.org>,
        "sunpeng.li@amd.com" <sunpeng.li@amd.com>,
        "regressions@leemhuis.info" <regressions@leemhuis.info>,
        Alexander Deucher <Alexander.Deucher@amd.com>,
        Andrew Morton <akpm@linux-foundation.org>,
        "mphantomx@yahoo.com.br" <mphantomx@yahoo.com.br>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk

On Mon, Jul 27, 2020 at 11:11 PM Mazin Rezk <mnrzk@protonmail.com> wrote:
>
> On Monday, July 27, 2020 4:29 PM, Daniel Vetter <daniel@ffwll.ch> wrote:
>
> > On Mon, Jul 27, 2020 at 9:28 PM Christian K=C3=B6nig
> > <christian.koenig@amd.com> wrote:
> > >
> > > Am 27.07.20 um 16:05 schrieb Kazlauskas, Nicholas:
> > > > On 2020-07-27 9:39 a.m., Christian K=C3=B6nig wrote:
> > > >> Am 27.07.20 um 07:40 schrieb Mazin Rezk:
> > > >>> This patch fixes a race condition that causes a use-after-free du=
ring
> > > >>> amdgpu_dm_atomic_commit_tail. This can occur when 2 non-blocking
> > > >>> commits
> > > >>> are requested and the second one finishes before the first.
> > > >>> Essentially,
> > > >>> this bug occurs when the following sequence of events happens:
> > > >>>
> > > >>> 1. Non-blocking commit #1 is requested w/ a new dm_state #1 and i=
s
> > > >>> deferred to the workqueue.
> > > >>>
> > > >>> 2. Non-blocking commit #2 is requested w/ a new dm_state #2 and i=
s
> > > >>> deferred to the workqueue.
> > > >>>
> > > >>> 3. Commit #2 starts before commit #1, dm_state #1 is used in the
> > > >>> commit_tail and commit #2 completes, freeing dm_state #1.
> > > >>>
> > > >>> 4. Commit #1 starts after commit #2 completes, uses the freed dm_=
state
> > > >>> 1 and dereferences a freelist pointer while setting the context.
> > > >>
> > > >> Well I only have a one mile high view on this, but why don't you l=
et
> > > >> the work items execute in order?
> > > >>
> > > >> That would be better anyway cause this way we don't trigger a cach=
e
> > > >> line ping pong between CPUs.
> > > >>
> > > >> Christian.
> > > >
> > > > We use the DRM helpers for managing drm_atomic_commit_state and tho=
se
> > > > helpers internally push non-blocking commit work into the system
> > > > unbound work queue.
> > >
> > > Mhm, well if you send those helper atomic commits in the order A,B an=
d
> > > they execute it in the order B,A I would call that a bug :)
> >
> > The way it works is it pushes all commits into unbound work queue, but
> > then forces serialization as needed. We do _not_ want e.g. updates on
> > different CRTC to be serialized, that would result in lots of judder.
> > And hw is funny enough that there's all kinds of dependencies.
> >
> > The way you force synchronization is by adding other CRTC state
> > objects. So if DC is busted and can only handle a single update per
> > work item, then I guess you always need all CRTC states and everything
> > will be run in order. But that also totally kills modern multi-screen
> > compositors. Xorg isn't modern, just in case that's not clear :-)
> >
> > Lucking at the code it seems like you indeed have only a single dm
> > state, so yeah global sync is what you'll need as immediate fix, and
> > then maybe fix up DM to not be quite so silly ... or at least only do
> > the dm state stuff when really needed.
> >
> > We could also sprinkle the drm_crtc_commit structure around a bit
> > (it's the glue that provides the synchronization across commits), but
> > since your dm state is global just grabbing all crtc states
> > unconditionally as part of that is probably best.
> >
> > > > While we could duplicate a copy of that code with nothing but the
> > > > workqueue changed that isn't something I'd really like to maintain
> > > > going forward.
> > >
> > > I'm not talking about duplicating the code, I'm talking about fixing =
the
> > > helpers. I don't know that code well, but from the outside it sounds
> > > like a bug there.
> > >
> > > And executing work items in the order they are submitted is trivial.
> > >
> > > Had anybody pinged Daniel or other people familiar with the helper co=
de
> > > about it?
> >
> > Yeah something is wrong here, and the fix looks horrible :-)
> >
> > Aside, I've also seen some recent discussion flare up about
> > drm_atomic_state_get/put used to paper over some other use-after-free,
> > but this time related to interrupt handlers. Maybe a few rules about
> > that:
> > - dont
> > - especially not when it's interrupt handlers, because you can't call
> > drm_atomic_state_put from interrupt handlers.
> >
> > Instead have an spin_lock_irq to protect the shared date with your
> > interrupt handler, and _copy_ the date over. This is e.g. what
> > drm_crtc_arm_vblank_event does.
>
> Nicholas wrote a patch that attempted to resolve the issue by adding ever=
y
> CRTC into the commit to use use the stall checks. [1] While this forces
> synchronisation on commits, it's kind of a hacky method that may take a
> toll on performance.
>
> Is it possible to have a DRM helper that forces synchronisation on some
> commits without having to add every CRTC into the commit?
>
> Also, is synchronisation really necessary for fast updates in amdgpu?
> I'll admit, the idea of eliminating the use-after-free bug by eliminating
> the use entirely doesn't seem ideal; but is forcing synchronisation on
> these updates that much better?

Well clearing the dc_state pointer here and then allocating another
one in atomic_commit_tail also looks fishy. The proper fix is probably
a lot more involved, but yeah interim fix is to grab all crtc states
iff you also grabbed the dm_atomic_state structure. Real fix is to
only do this when necessary, which pretty much means the dc_state
needs to be somehow split up, or there needs to be some guarantees
about when it's necessary and when not. Otherwise parallel commits on
different CRTC are not possible with the current dc backend code.

See also my dma-fence annotation fixup patch, there dc_state also gets
in the way:

https://lore.kernel.org/dri-devel/20200707201229.472834-21-daniel.vetter@ff=
wll.ch/

Nicholas, btw I'm still waiting for some dc feedback on that entire
series, and what/if there's plans to fix these issues properly.

Maybe even going back to the subclassed drm_atomic_state might be
better than what we currently have.
-Daniel
>
> [1] https://bugzilla.kernel.org/show_bug.cgi?id=3D207383#c96
>
> Thanks,
> Mazin Rezk
>
> >
> > Cheers, Daniel
> >
> > >
> > > Regards,
> > > Christian.
> > >
> > > >
> > > > Regards,
> > > > Nicholas Kazlauskas
> > > >
> > > >>
> > > >>>
> > > >>> Since this bug has only been spotted with fast commits, this patc=
h
> > > >>> fixes
> > > >>> the bug by clearing the dm_state instead of using the old dc_stat=
e for
> > > >>> fast updates. In addition, since dm_state is only used for its dc=
_state
> > > >>> and amdgpu_dm_atomic_commit_tail will retain the dc_state if none=
 is
> > > >>> found,
> > > >>> removing the dm_state should not have any consequences in fast up=
dates.
> > > >>>
> > > >>> This use-after-free bug has existed for a while now, but only cau=
sed a
> > > >>> noticeable issue starting from 5.7-rc1 due to 3202fa62f ("slub:
> > > >>> relocate
> > > >>> freelist pointer to middle of object") moving the freelist pointe=
r from
> > > >>> dm_state->base (which was unused) to dm_state->context (which is
> > > >>> dereferenced).
> > > >>>
> > > >>> Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=3D207383
> > > >>> Fixes: bd200d190f45 ("drm/amd/display: Don't replace the dc_state
> > > >>> for fast updates")
> > > >>> Reported-by: Duncan <1i5t5.duncan@cox.net>
> > > >>> Signed-off-by: Mazin Rezk <mnrzk@protonmail.com>
> > > >>> ---
> > > >>>   .../gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 36
> > > >>> ++++++++++++++-----
> > > >>>   1 file changed, 27 insertions(+), 9 deletions(-)
> > > >>>
> > > >>> diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
> > > >>> b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
> > > >>> index 86ffa0c2880f..710edc70e37e 100644
> > > >>> --- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
> > > >>> +++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
> > > >>> @@ -8717,20 +8717,38 @@ static int amdgpu_dm_atomic_check(struct
> > > >>> drm_device *dev,
> > > >>>            * the same resource. If we have a new DC context as pa=
rt of
> > > >>>            * the DM atomic state from validation we need to free =
it and
> > > >>>            * retain the existing one instead.
> > > >>> +         *
> > > >>> +         * Furthermore, since the DM atomic state only contains =
the DC
> > > >>> +         * context and can safely be annulled, we can free the s=
tate
> > > >>> +         * and clear the associated private object now to free
> > > >>> +         * some memory and avoid a possible use-after-free later=
.
> > > >>>            */
> > > >>> -        struct dm_atomic_state *new_dm_state, *old_dm_state;
> > > >>>
> > > >>> -        new_dm_state =3D dm_atomic_get_new_state(state);
> > > >>> -        old_dm_state =3D dm_atomic_get_old_state(state);
> > > >>> +        for (i =3D 0; i < state->num_private_objs; i++) {
> > > >>> +            struct drm_private_obj *obj =3D state->private_objs[=
i].ptr;
> > > >>>
> > > >>> -        if (new_dm_state && old_dm_state) {
> > > >>> -            if (new_dm_state->context)
> > > >>> -                dc_release_state(new_dm_state->context);
> > > >>> +            if (obj->funcs =3D=3D adev->dm.atomic_obj.funcs) {
> > > >>> +                int j =3D state->num_private_objs-1;
> > > >>>
> > > >>> -            new_dm_state->context =3D old_dm_state->context;
> > > >>> +                dm_atomic_destroy_state(obj,
> > > >>> +                        state->private_objs[i].state);
> > > >>> +
> > > >>> +                /* If i is not at the end of the array then the
> > > >>> +                 * last element needs to be moved to where i was
> > > >>> +                 * before the array can safely be truncated.
> > > >>> +                 */
> > > >>> +                if (i !=3D j)
> > > >>> +                    state->private_objs[i] =3D
> > > >>> +                        state->private_objs[j];
> > > >>>
> > > >>> -            if (old_dm_state->context)
> > > >>> -                dc_retain_state(old_dm_state->context);
> > > >>> +                state->private_objs[j].ptr =3D NULL;
> > > >>> +                state->private_objs[j].state =3D NULL;
> > > >>> +                state->private_objs[j].old_state =3D NULL;
> > > >>> +                state->private_objs[j].new_state =3D NULL;
> > > >>> +
> > > >>> +                state->num_private_objs =3D j;
> > > >>> +                break;
> > > >>> +            }
> > > >>>           }
> > > >>>       }
> > > >>>
> > > >>> --
> > > >>> 2.27.0
> > > >>>
> > > >>
> > > >
> > >
> > > _______________________________________________
> > > dri-devel mailing list
> > > dri-devel@lists.freedesktop.org
> > > https://lists.freedesktop.org/mailman/listinfo/dri-devel
> >
> >
> >
> > --
> > Daniel Vetter
> > Software Engineer, Intel Corporation
> > http://blog.ffwll.ch


--=20
Daniel Vetter
Software Engineer, Intel Corporation
http://blog.ffwll.ch