Received: by 2002:a05:6358:e9c4:b0:b2:91dc:71ab with SMTP id hc4csp5671283rwb;
        Tue, 9 Aug 2022 01:59:17 -0700 (PDT)
X-Google-Smtp-Source: AA6agR4jP1T9GccnFsi2de6QaSH8oP03F1Urhu4W43cC1aplut55JaFZ23RM0qIUppZ0GKLvL0Ko
X-Received: by 2002:a17:907:2854:b0:731:3c34:b5ed with SMTP id el20-20020a170907285400b007313c34b5edmr8630528ejc.437.1660035557461;
        Tue, 09 Aug 2022 01:59:17 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1660035557; cv=none;
        d=google.com; s=arc-20160816;
        b=pk7JXOM6g0Ti3TJQZ0dhxtmG7ZHQHrOMPVQFHYwZO6ibuyCIZBBZS+U1wdR1OmGRyQ
         dtGzSCMwOwZBAVwj/jvlFNnBo1HnwrKvEyKXFYskbbdbYK01B2zupLEou0mGGLJRBvcD
         ocNWqWRXMyMEGXrvz9Ou5JXuNe4wVAHlY6Pkoa2KbKRi+UbDE+X9+vTwiSk810mFebt5
         D5m6jGYED9QR4AiULyW0DylA+9bLuTYpwpLTbkOk7OTj67W/CS3dIOWmOhYTgDWsdD+i
         e+shXuUa660YETSXKyHfRVMBxJqRrQMPr/heGVp8Lcl7j4s7yKOusDXVNrZ7/tSaswMV
         Sjew==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:in-reply-to:from
         :references:cc:to:content-language:subject:user-agent:mime-version
         :date:message-id;
        bh=nTM3Ua3j9kpHyDNWCV8b92gWM4QBMBvKvI9FLUDYoyQ=;
        b=qLpaFd03wQ/5JZA8miew+haDwVxd9t8pH1U+hIG9/99q21imDnjhhh5s64aHAVAC4P
         cAsSrsrnAuBA7nuHuxn+KlzaeBJ2ObHOgwv/ZobCSw1cqeGKVbXa8jooBHB1ro3qXqaf
         MKNToHxaqJb/aN+MGpmowtQPER+NLiKrRwtIiDyO2PGntbzHoix/kfox4axAfAItgjUz
         9yZ1/vTAHzdPpTW5m5wiPpSCOslEKDsgNthynmZISl2GSTWA+Bs6RM/Zh+GxcSpJ+NVU
         G/gukGE/d7BcvCvSwtq71FtoiqohhcPH7vM1/LbSQf42mY+0T9qj982xc0zvBJyPq6p9
         KBeQ==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=rock-chips.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id sc28-20020a1709078a1c00b0072b68ed1a49si1743512ejc.870.2022.08.09.01.58.50;
        Tue, 09 Aug 2022 01:59:17 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=rock-chips.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S241253AbiHIIyj (ORCPT <rfc822;andreacani85to@gmail.com>
        + 99 others); Tue, 9 Aug 2022 04:54:39 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:54950 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S241174AbiHIIyb (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 9 Aug 2022 04:54:31 -0400
Received: from mail-m11885.qiye.163.com (mail-m11885.qiye.163.com [115.236.118.85])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id A72D8222B8;
        Tue,  9 Aug 2022 01:54:28 -0700 (PDT)
Received: from [192.168.111.100] (unknown [58.22.7.114])
        by mail-m11885.qiye.163.com (Hmail) with ESMTPA id 14A394C09F8;
        Tue,  9 Aug 2022 16:54:26 +0800 (CST)
Message-ID: <571973c5-02bd-5a18-834b-20c69f82e342@rock-chips.com>
Date:   Tue, 9 Aug 2022 16:54:24 +0800
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101
 Thunderbird/102.1.1
Subject: Re: [PATCH v2] drm/gem: Fix GEM handle release errors
Content-Language: en-US
To:     =?UTF-8?Q?Christian_K=c3=b6nig?= <christian.koenig@amd.com>,
        Daniel Vetter <daniel.vetter@ffwll.ch>
Cc:     Andy Yan <andy.yan@rock-chips.com>,
        Jianqun Xu <jay.xu@rock-chips.com>,
        Maxime Ripard <mripard@kernel.org>,
        Sumit Semwal <sumit.semwal@linaro.org>,
        Thomas Zimmermann <tzimmermann@suse.de>,
        linux-kernel@vger.kernel.org, dri-devel@lists.freedesktop.org,
        linaro-mm-sig@lists.linaro.org, David Airlie <airlied@linux.ie>,
        Maarten Lankhorst <maarten.lankhorst@linux.intel.com>,
        linux-media@vger.kernel.org, Daniel Vetter <daniel@ffwll.ch>
References: <20220803083237.3701-1-jeffy.chen@rock-chips.com>
 <c7cb225b-7f21-8d9a-773b-efc655e6332c@amd.com>
 <7cd16264-fa84-7b50-f3ed-64f7f22dcef2@rock-chips.com>
 <64bf4e4b-4e22-0ff0-5f92-76f603c04ec0@amd.com>
 <cd806954-e94e-aec8-2b0c-4047da9a92ec@rock-chips.com>
 <0e284f57-e03c-f128-f6e7-52a58edbcd54@amd.com>
From:   Chen Jeffy <jeffy.chen@rock-chips.com>
In-Reply-To: <0e284f57-e03c-f128-f6e7-52a58edbcd54@amd.com>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
X-HM-Spam-Status: e1kfGhgUHx5ZQUtXWQgPGg8OCBgUHx5ZQUlOS1dZFg8aDwILHllBWSg2Ly
        tZV1koWUFJSktLSjdXWS1ZQUlXWQ8JGhUIEh9ZQVkaGkhOVhpLT0kZGElLHkhJGVUTARMWGhIXJB
        QOD1lXWRgSC1lBWU5DVUlJVUxVSkpPWVdZFhoPEhUdFFlBWU9LSFVKSktITUpVS1kG
X-HM-Sender-Digest: e1kMHhlZQR0aFwgeV1kSHx4VD1lBWUc6NCo6Lio*Iz0yKy4oNT0INE4T
        Pz4KCk9VSlVKTU1LS0hOSU1NQklKVTMWGhIXVREeHR0CVRgTHhU7CRQYEFYYExILCFUYFBZFWVdZ
        EgtZQVlOQ1VJSVVMVUpKT1lXWQgBWUFKSExMSTcG
X-HM-Tid: 0a8281cff79a2eb9kusn14a394c09f8
X-Spam-Status: No, score=-0.4 required=5.0 tests=BAYES_00,NICE_REPLY_A,
        RCVD_IN_DNSWL_NONE,RCVD_IN_SORBS_WEB,SPF_HELO_NONE,SPF_PASS,
        T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Hi Christian,

On 8/9 星期二 15:55, Christian König wrote:
> Am 09.08.22 um 03:28 schrieb Chen Jeffy:
>> Hi Christian,
>>
>> On 8/9 星期二 2:03, Christian König wrote:
>>> Hi Jeffy,
>>>
>>> Am 08.08.22 um 05:51 schrieb Chen Jeffy:
>>>> Hi Christian,
>>>>
>>>> Thanks for your reply, and sorry i didn't make it clear.
>>>>
>>>> On 8/8 星期一 0:52, Christian König wrote:
>>>>> Am 03.08.22 um 10:32 schrieb Jeffy Chen:
>>>>>> Currently we are assuming a one to one mapping between dmabuf and 
>>>>>> handle
>>>>>> when releasing GEM handles.
>>>>>>
>>>>>> But that is not always true, since we would create extra handles 
>>>>>> for the
>>>>>> GEM obj in cases like gem_open() and getfb{,2}().
>>>>>>
>>>>>> A similar issue was reported at:
>>>>>> https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Flore.kernel.org%2Fall%2F20211105083308.392156-1-jay.xu%40rock-chips.com%2F&amp;data=05%7C01%7Cchristian.koenig%40amd.com%7C52cd6ca16a3a415b92a708da79a67dec%7C3dd8961fe4884e608e11a82d994e183d%7C0%7C0%7C637956053232922419%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&amp;sdata=hIuH18B10sbVAyS0D4iK6R6WYc%2BZ7mlxGcKdUae%2BW6Y%3D&amp;reserved=0
>>>>>>
>>>>>> Another problem is that the drm_gem_remove_prime_handles() now only
>>>>>> remove handle to the exported dmabuf (gem_obj->dma_buf), so the 
>>>>>> imported
>>>>>> ones would leak:
>>>>>> WARNING: CPU: 2 PID: 236 at drivers/gpu/drm/drm_prime.c:228 
>>>>>> drm_prime_destroy_file_private+0x18/0x24
>>>>>>
>>>>>> Let's fix these by using handle to find the exact map to remove.
>>>>>
>>>>> Well we are clearly something missing here. As far as I can see the 
>>>>> current code is correct.
>>>>>
>>>>> Creating multiple GEM handles for the same DMA-buf is possible, but 
>>>>> illegal. >
>>>>> In other words when a GEM handle is exported as DMA-buf and 
>>>>> imported again you should intentionally always get the same handle.
>>>>
>>>> These issue are not about having handles for importing an exported 
>>>> dma-buf case, but for having multiple handles to a GEM object(which 
>>>> means having multiple handles to a dma-buf).
>>>>
>>>> I know the drm-prime is trying to make dma-buf and handle maps one 
>>>> to one, but the drm-gem is allowing to create extra handles for a 
>>>> GEM object, for example:
>>>> drm_gem_open_ioctl -> drm_gem_handle_create_tail
>>>> drm_mode_getfb2_ioctl -> drm_gem_handle_create
>>>> drm_mode_getfb -> fb->funcs->create_handle
>>>
>>> Yes, so far that's correct.
>>>
>>>>
>>>>
>>>> So we are allowing GEM object to have multiple handles, and GEM 
>>>> object could have at most one dma-buf, doesn't that means that 
>>>> dma-buf could map to multiple handles?
>>>
>>> No, at least not for the same GEM file private. That's the reason why 
>>> the rb is indexed by the dma_buf object and not the handle.
>>>
>>> In other words the rb is so that you have exactly one handle for each 
>>> dma_buf in each file private.
>>
>> I don't think so, because if user get multiple handles for the same 
>> GEM obj and use drm_gem_prime_handle_to_fd() for those handles
> 
> Mhm, that works? This is illegal and should have been prevented somehow.
> 
> Let me double check the code.
> 
> Thanks for pointing that out,
> Christian.
> 

Thanks for checking it, my test case is a preload library which hooks 
the drmModeSetCrtc(and other APIs) then use drmModeGetFB to extract 
dmafd from fb_id.

> 
>> , the current code would try to add multiple maps to rb:
>> drm_prime_add_buf_handle(buf_1, hdl_1)
>> drm_prime_add_buf_handle(buf_1, hdl_2)
>> ...
>> drm_prime_add_buf_handle(buf_1, hdl_n)
>>
>>>
>>>>
>>>> Or should we rewrite the GEM framework to limit GEM object with uniq 
>>>> handle?
>>>
>>> No, the extra handles are expected because when you call 
>>> drm_mode_getfb*() and drm_gem_open_ioctl() the caller now owns the 
>>> returned GEM handle.
>>>
>>>>
>>>> The other issue is that we are leaking dma-buf <-> handle map for 
>>>> the imported dma-buf, since the drm_gem_remove_prime_handles doesn't 
>>>> take care of obj->import_attach->dmabuf.
>>>
>>> No, that's correct as well. obj->dma_buf is set even for imported 
>>> DMA-buf objects. See drm_gem_prime_fd_to_handle().
>>
>> Well, that obj->dma_buf would be set in 
>> drm_gem_prime_fd_to_handle(create new handle), and cleared when 
>> releasing the latest handle(release handle).
>>
>> So it doesn't cover other handle creating path.
>>
>> For example, a imported dma buf:
>> drm_gem_prime_fd_to_handle <-- we got a handle and obj->dma_buf and 
>> obj->import_attach->dmabuf
>> drm_gem_handle_delete <-- we lost that handle and obj->dma_buf cleared
>> drm_gem_open_ioctl/or getfb* <-- we got a new handle and 
>> obj->import_attach->dmabuf
>> drm_gem_handle_delete <-- we lost that handle and obj->dma_buf is 
>> null, which means rb leaks.

Another way to solve this would be set this obj->dma_buf again in 
drm_gem_prime_handle_to_fd(), which would make sure obj->dma_buf is 
valid in all current paths lead to drm_prime_add_buf_handle().

>>
>>>
>>> Regards,
>>> Christian.
>>>
>>>>
>>>> But of cause this can be fixed in other way:
>>>> +++ b/drivers/gpu/drm/drm_gem.c
>>>> @@ -180,6 +180,9 @@ drm_gem_remove_prime_handles(struct 
>>>> drm_gem_object *obj, struct drm_file *filp)
>>>> drm_prime_remove_buf_handle_locked(&filp->prime,
>>>> obj->dma_buf);
>>>>         }
>>>> +       if (obj->import_attach)
>>>> + drm_prime_remove_buf_handle_locked(&filp->prime,
>>>> + obj->import_attach->dmabuf);
>>>>         mutex_unlock(&filp->prime.lock);
>>>>  }
>>>>
>>>>
>>>>> So this is pretty much a clear NAK to this patch since it shouldn't 
>>>>> be necessary or something is seriously broken somewhere else.
>>>>>
>>>>> Regards,
>>>>> Christian.
>>>>>
>>>>>>
>>>>>> Signed-off-by: Jeffy Chen <jeffy.chen@rock-chips.com>
>>>>>> ---
>>>>>>
>>>>>> Changes in v2:
>>>>>> Fix a typo of rbtree.
>>>>>>
>>>>>>   drivers/gpu/drm/drm_gem.c      | 17 +----------------
>>>>>>   drivers/gpu/drm/drm_internal.h |  4 ++--
>>>>>>   drivers/gpu/drm/drm_prime.c    | 20 ++++++++++++--------
>>>>>>   3 files changed, 15 insertions(+), 26 deletions(-)
>>>>>>
>>>>>> diff --git a/drivers/gpu/drm/drm_gem.c b/drivers/gpu/drm/drm_gem.c
>>>>>> index eb0c2d041f13..ed39da383570 100644
>>>>>> --- a/drivers/gpu/drm/drm_gem.c
>>>>>> +++ b/drivers/gpu/drm/drm_gem.c
>>>>>> @@ -168,21 +168,6 @@ void drm_gem_private_object_init(struct 
>>>>>> drm_device *dev,
>>>>>>   }
>>>>>>   EXPORT_SYMBOL(drm_gem_private_object_init);
>>>>>> -static void
>>>>>> -drm_gem_remove_prime_handles(struct drm_gem_object *obj, struct 
>>>>>> drm_file *filp)
>>>>>> -{
>>>>>> -    /*
>>>>>> -     * Note: obj->dma_buf can't disappear as long as we still hold a
>>>>>> -     * handle reference in obj->handle_count.
>>>>>> -     */
>>>>>> -    mutex_lock(&filp->prime.lock);
>>>>>> -    if (obj->dma_buf) {
>>>>>> - drm_prime_remove_buf_handle_locked(&filp->prime,
>>>>>> -                           obj->dma_buf);
>>>>>> -    }
>>>>>> -    mutex_unlock(&filp->prime.lock);
>>>>>> -}
>>>>>> -
>>>>>>   /**
>>>>>>    * drm_gem_object_handle_free - release resources bound to 
>>>>>> userspace handles
>>>>>>    * @obj: GEM object to clean up.
>>>>>> @@ -253,7 +238,7 @@ drm_gem_object_release_handle(int id, void 
>>>>>> *ptr, void *data)
>>>>>>       if (obj->funcs->close)
>>>>>>           obj->funcs->close(obj, file_priv);
>>>>>> -    drm_gem_remove_prime_handles(obj, file_priv);
>>>>>> +    drm_prime_remove_buf_handle(&file_priv->prime, id);
>>>>>>       drm_vma_node_revoke(&obj->vma_node, file_priv);
>>>>>>       drm_gem_object_handle_put_unlocked(obj);
>>>>>> diff --git a/drivers/gpu/drm/drm_internal.h 
>>>>>> b/drivers/gpu/drm/drm_internal.h
>>>>>> index 1fbbc19f1ac0..7bb98e6a446d 100644
>>>>>> --- a/drivers/gpu/drm/drm_internal.h
>>>>>> +++ b/drivers/gpu/drm/drm_internal.h
>>>>>> @@ -74,8 +74,8 @@ int drm_prime_fd_to_handle_ioctl(struct 
>>>>>> drm_device *dev, void *data,
>>>>>>   void drm_prime_init_file_private(struct drm_prime_file_private 
>>>>>> *prime_fpriv);
>>>>>>   void drm_prime_destroy_file_private(struct 
>>>>>> drm_prime_file_private *prime_fpriv);
>>>>>> -void drm_prime_remove_buf_handle_locked(struct 
>>>>>> drm_prime_file_private *prime_fpriv,
>>>>>> -                    struct dma_buf *dma_buf);
>>>>>> +void drm_prime_remove_buf_handle(struct drm_prime_file_private 
>>>>>> *prime_fpriv,
>>>>>> +                 uint32_t handle);
>>>>>>   /* drm_drv.c */
>>>>>>   struct drm_minor *drm_minor_acquire(unsigned int minor_id);
>>>>>> diff --git a/drivers/gpu/drm/drm_prime.c 
>>>>>> b/drivers/gpu/drm/drm_prime.c
>>>>>> index e3f09f18110c..bd5366b16381 100644
>>>>>> --- a/drivers/gpu/drm/drm_prime.c
>>>>>> +++ b/drivers/gpu/drm/drm_prime.c
>>>>>> @@ -190,29 +190,33 @@ static int 
>>>>>> drm_prime_lookup_buf_handle(struct drm_prime_file_private *prime_fpri
>>>>>>       return -ENOENT;
>>>>>>   }
>>>>>> -void drm_prime_remove_buf_handle_locked(struct 
>>>>>> drm_prime_file_private *prime_fpriv,
>>>>>> -                    struct dma_buf *dma_buf)
>>>>>> +void drm_prime_remove_buf_handle(struct drm_prime_file_private 
>>>>>> *prime_fpriv,
>>>>>> +                 uint32_t handle)
>>>>>>   {
>>>>>>       struct rb_node *rb;
>>>>>> -    rb = prime_fpriv->dmabufs.rb_node;
>>>>>> +    mutex_lock(&prime_fpriv->lock);
>>>>>> +
>>>>>> +    rb = prime_fpriv->handles.rb_node;
>>>>>>       while (rb) {
>>>>>>           struct drm_prime_member *member;
>>>>>> -        member = rb_entry(rb, struct drm_prime_member, dmabuf_rb);
>>>>>> -        if (member->dma_buf == dma_buf) {
>>>>>> +        member = rb_entry(rb, struct drm_prime_member, handle_rb);
>>>>>> +        if (member->handle == handle) {
>>>>>>               rb_erase(&member->handle_rb, &prime_fpriv->handles);
>>>>>>               rb_erase(&member->dmabuf_rb, &prime_fpriv->dmabufs);
>>>>>> -            dma_buf_put(dma_buf);
>>>>>> +            dma_buf_put(member->dma_buf);
>>>>>>               kfree(member);
>>>>>> -            return;
>>>>>> -        } else if (member->dma_buf < dma_buf) {
>>>>>> +            break;
>>>>>> +        } else if (member->handle < handle) {
>>>>>>               rb = rb->rb_right;
>>>>>>           } else {
>>>>>>               rb = rb->rb_left;
>>>>>>           }
>>>>>>       }
>>>>>> +
>>>>>> +    mutex_unlock(&prime_fpriv->lock);
>>>>>>   }
>>>>>>   void drm_prime_init_file_private(struct drm_prime_file_private 
>>>>>> *prime_fpriv)
>>>>>
>>>>>
>>>>
>>>
>>>
>>
> 
>