Received: by 2002:a05:6a10:f347:0:0:0:0 with SMTP id d7csp120035pxu; Wed, 25 Nov 2020 15:00:22 -0800 (PST) X-Google-Smtp-Source: ABdhPJz6JTuPKHOOeOcuVMXqyxkQ6xQkHUajjbAs5kjrvPj5AECOnj9l7EJt9X8pb/yGdN3G31Oz X-Received: by 2002:a17:907:2631:: with SMTP id aq17mr168637ejc.497.1606345222283; Wed, 25 Nov 2020 15:00:22 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1606345222; cv=none; d=google.com; s=arc-20160816; b=PgHOE4J/BOyTOb0g4hQQyY3WxfMj6mIChNwnsv6SSToERnKdXBJNEVY98zvDN6mSBs gjQjn5mrT0VfDJFx91owPCLLEMpxh8C3oU0NMJp6+9kraW7AfsXDvjMuEUBkzp3Y4BDh wn5YSEWNlVlE7zm+49uZis2jxLm8bADwybKxGh77EeiFKCHj/N6A/Z/FyKvKnidqhwMB 1kDoL2e7oWrljFLdllFExYwQuTvXoiXS/zWFo/e8oQS8kk6rQpjpWB+pUA+nSvl0tbaG L8xI15OVD+5wuiOhOb7460n+qXx+W8We7EHXHv5qCGD3F/7dQtXHaFsBieNT6Jk3WcfL bSXw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :dkim-signature; bh=mHKnvKojNg07maTXpdLc7opl7LeH8NxJHEW+j33de5M=; b=F7Mt1RTPr0pGwxthAFSVdRSYN/FHtGVQTXXuyNsrTBfAf0/0eyBSNtVpcXxpdJA5uw lz7Cz5lSGFuqHzvaIJL3ADKP+DnKcuL3Uxp25+1FKnWq+R/KXqMFX8WAfy2LjbZNO4mW mnBxGEjsQ/Ovp8jXcvzrWUkBC+0eM/PXqeeQICtVX4Fadwf3ZFJ+JDb2hmjwJDIqDA3M XtQfwWWMc3xnlfe7/rghGFabcEl52g9HYo2cfRwYuQb6S15v9RpWHDk4MLBVwIjt9V29 XAW+cUBLb8BvmLXxZY6l90cUKEwvWlm+OUpF/V774JEoEvj2ZuWRTWYC5KbUM2D1KKRd GnKg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=CB56Mnrn; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id j10si2033462edt.142.2020.11.25.14.59.58; Wed, 25 Nov 2020 15:00:22 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=CB56Mnrn; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729802AbgKYU1W (ORCPT + 99 others); Wed, 25 Nov 2020 15:27:22 -0500 Received: from us-smtp-delivery-124.mimecast.com ([216.205.24.124]:44831 "EHLO us-smtp-delivery-124.mimecast.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729608AbgKYU1V (ORCPT ); Wed, 25 Nov 2020 15:27:21 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1606336039; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=mHKnvKojNg07maTXpdLc7opl7LeH8NxJHEW+j33de5M=; b=CB56MnrnevGHNYbgCF7FzdCvuMe7yXFArMIo6e9TaAElTHnDG+UYOFVEMNsfpw/ePoKsLD edYaOFbWDdxLr1IMUlDLReO2vbVXgQqhj3nzwp/FswBvj4fOcRnE8dD06bVPApzs0DDVXq Q37Q26Rug1CKL/H7WXaI+D5/pxvN2i8= Received: from mail-qv1-f72.google.com (mail-qv1-f72.google.com [209.85.219.72]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-293-mLlJSEeLPzKiRA9ca0TV8A-1; Wed, 25 Nov 2020 15:27:16 -0500 X-MC-Unique: mLlJSEeLPzKiRA9ca0TV8A-1 Received: by mail-qv1-f72.google.com with SMTP id y21so3236329qve.7 for ; Wed, 25 Nov 2020 12:27:16 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=mHKnvKojNg07maTXpdLc7opl7LeH8NxJHEW+j33de5M=; b=Y4k57B7aQB6/R6QK4R6AO4SRNV0E6LvNJ+eEY5dJUMDq8+xTlJE7J8cxCfhcMPvHl7 v2X4QjgoZcpy2jFfBibGH/FADA3B8U78lYB613izHrnsmCm02jlYhGGNyb1lYmAhXa+M xRUV+uHGTQ86VnpT1Bf1gLprEdz8NmuMJ0TkoBHA+Lo7SM67fNVHiMYWNA3TPh87PjIm /64Gcgn72QUkIbAG+tdkM2XYIfErDUtMGp1P9rWMsLXRV7tRBzgaxaMvPzrc8Pl9Dt6A U8SunolCtQxWog5EFhtAmhCCmYuKbF8DXwaoWUF+eoVQLmZY4NEjAgvHNRj24bBM5XUa Nl2w== X-Gm-Message-State: AOAM532Vv73qJQZo0Cu1HtSJOceF3t78T7b4qjfWiGSATejbf2yP1EaY fpymQRaAlZRQyR2IiY9aJT6obNN+9p8Ulx0iussFW7qKkAFsZJJHhysAd0KrHw9/StrsybKltJJ iWfZ35QNU6o5Gbqy4Y+bKFO2B X-Received: by 2002:a37:6f07:: with SMTP id k7mr645809qkc.423.1606336036382; Wed, 25 Nov 2020 12:27:16 -0800 (PST) X-Received: by 2002:a37:6f07:: with SMTP id k7mr645781qkc.423.1606336036152; Wed, 25 Nov 2020 12:27:16 -0800 (PST) Received: from dev.jcline.org ([2605:a601:a638:b301:9966:d978:493:6a3d]) by smtp.gmail.com with ESMTPSA id o187sm431772qkb.120.2020.11.25.12.27.15 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 25 Nov 2020 12:27:15 -0800 (PST) From: Jeremy Cline To: Ben Skeggs Cc: Lyude Paul , Karol Herbst , David Airlie , nouveau@lists.freedesktop.org, dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org, Jeremy Cline , stable@vger.kernel.org Subject: [PATCH v2 3/3] drm/nouveau: clean up all clients on device removal Date: Wed, 25 Nov 2020 15:26:48 -0500 Message-Id: <20201125202648.5220-4-jcline@redhat.com> X-Mailer: git-send-email 2.28.0 In-Reply-To: <20201125202648.5220-1-jcline@redhat.com> References: <20201103194912.184413-1-jcline@redhat.com> <20201125202648.5220-1-jcline@redhat.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org The postclose handler can run after the device has been removed (or the driver has been unbound) since userspace clients are free to hold the file open as long as they want. Because the device removal callback frees the entire nouveau_drm structure, any reference to it in the postclose handler will result in a use-after-free. To reproduce this, one must simply open the device file, unbind the driver (or physically remove the device), and then close the device file. This was found and can be reproduced easily with the IGT core_hotunplug tests. To avoid this, all clients are cleaned up in the device finalization rather than deferring it to the postclose handler, and the postclose handler is protected by a critical section which ensures the drm_dev_unplug() and the postclose handler won't race. This is not an ideal fix, since as I understand the proposed plan for the kernel<->userspace interface for hotplug support, destroying the client before the file is closed will cause problems. However, I believe to properly fix this issue, the lifetime of the nouveau_drm structure needs to be extended to match the drm_device, and this proved to be a rather invasive change. Thus, I've broken this out so the fix can be easily backported. Cc: stable@vger.kernel.org Signed-off-by: Jeremy Cline --- drivers/gpu/drm/nouveau/nouveau_drm.c | 30 +++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/drivers/gpu/drm/nouveau/nouveau_drm.c b/drivers/gpu/drm/nouveau/nouveau_drm.c index 6ee1adc9bd40..afaf1774ee35 100644 --- a/drivers/gpu/drm/nouveau/nouveau_drm.c +++ b/drivers/gpu/drm/nouveau/nouveau_drm.c @@ -628,6 +628,7 @@ nouveau_drm_device_init(struct drm_device *dev) static void nouveau_drm_device_fini(struct drm_device *dev) { + struct nouveau_cli *cli, *temp_cli; struct nouveau_drm *drm = nouveau_drm(dev); if (nouveau_pmops_runtime()) { @@ -652,6 +653,24 @@ nouveau_drm_device_fini(struct drm_device *dev) nouveau_ttm_fini(drm); nouveau_vga_fini(drm); + /* + * There may be existing clients from as-yet unclosed files. For now, + * clean them up here rather than deferring until the file is closed, + * but this likely not correct if we want to support hot-unplugging + * properly. + */ + mutex_lock(&drm->clients_lock); + list_for_each_entry_safe(cli, temp_cli, &drm->clients, head) { + list_del(&cli->head); + mutex_lock(&cli->mutex); + if (cli->abi16) + nouveau_abi16_fini(cli->abi16); + mutex_unlock(&cli->mutex); + nouveau_cli_fini(cli); + kfree(cli); + } + mutex_unlock(&drm->clients_lock); + nouveau_cli_fini(&drm->client); nouveau_cli_fini(&drm->master); nvif_parent_dtor(&drm->parent); @@ -1111,6 +1130,16 @@ nouveau_drm_postclose(struct drm_device *dev, struct drm_file *fpriv) { struct nouveau_cli *cli = nouveau_cli(fpriv); struct nouveau_drm *drm = nouveau_drm(dev); + int dev_index; + + /* + * The device is gone, and as it currently stands all clients are + * cleaned up in the removal codepath. In the future this may change + * so that we can support hot-unplugging, but for now we immediately + * return to avoid a double-free situation. + */ + if (!drm_dev_enter(dev, &dev_index)) + return; pm_runtime_get_sync(dev->dev); @@ -1127,6 +1156,7 @@ nouveau_drm_postclose(struct drm_device *dev, struct drm_file *fpriv) kfree(cli); pm_runtime_mark_last_busy(dev->dev); pm_runtime_put_autosuspend(dev->dev); + drm_dev_exit(dev_index); } static const struct drm_ioctl_desc -- 2.28.0