lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <6fb8becf-9e6b-f59e-9c22-2b20069241a7@amd.com>
Date:   Thu, 5 Mar 2020 14:06:16 +0100
From:   Christian König <christian.koenig@....com>
To:     Jason Ekstrand <jason@...kstrand.net>
Cc:     Bas Nieuwenhuizen <bas@...nieuwenhuizen.nl>,
        Dave Airlie <airlied@...hat.com>,
        Jesse Hall <jessehall@...gle.com>,
        James Jones <jajones@...dia.com>,
        Daniel Stone <daniels@...labora.com>,
        Kristian Høgsberg <hoegsberg@...gle.com>,
        Sumit Semwal <sumit.semwal@...aro.org>,
        Chenbo Feng <fengc@...gle.com>,
        Greg Hackmann <ghackmann@...gle.com>,
        linux-media@...r.kernel.org,
        Maling list - DRI developers 
        <dri-devel@...ts.freedesktop.org>, linaro-mm-sig@...ts.linaro.org,
        LKML <linux-kernel@...r.kernel.org>,
        Daniel Vetter <daniel.vetter@...ll.ch>
Subject: Re: [PATCH] RFC: dma-buf: Add an API for importing and exporting sync
 files

Am 04.03.20 um 17:41 schrieb Jason Ekstrand:
> On Wed, Mar 4, 2020 at 10:27 AM Jason Ekstrand <jason@...kstrand.net> wrote:
>> On Wed, Mar 4, 2020 at 2:34 AM Christian König <christian.koenig@....com> wrote:
>>> Am 03.03.20 um 20:10 schrieb Jason Ekstrand:
>>>> On Thu, Feb 27, 2020 at 2:28 AM Christian König
>>>> <christian.koenig@....com> wrote:
>>>> [SNIP]
>>> For reference see what dance is necessary in the dma_fence_chain_release
>>> function to avoid that:
>>>>          /* Manually unlink the chain as much as possible to avoid
>>>> recursion
>>>>           * and potential stack overflow.
>>>>           */
>>>>          while ((prev = rcu_dereference_protected(chain->prev, true))) {
>>> ....
>>>
>>> It took me quite a while to figure out how to do this without causing
>>> issues. But I don't see how this would be possible for dma_fence_array.
>> Ah, I see the issue now!  It hadn't even occurred to me that userspace
>> could use this to build up an infinite recursion chain.  That's nasty!

Yeah, when I first stumbled over it it was like why the heck is my code 
crashing in an interrupt handler?

Realizing that this is stack corruption because of the long chain we 
constructed was quite an enlightenment.

And then it took me even longer to fix it :)

>>   I'll give this some more thought and see if can come up with
>> something clever.
>>
>> Here's one thought:  We could make dma_fence_array automatically
>> collapse any arrays it references and instead directly reference their
>> fences.  This way, no matter how much the client chains things, they
>> will never get more than one dma_fence_array.  Of course, the
>> difficulty here (answering my own question) comes if they ping-pong
>> back-and-forth between something which constructs a dma_fence_array
>> and something which constructs a dma_fence_chain to get
>> array-of-chain-of-array-of-chain-of-...  More thought needed.

Condensing the fences into a larger array can certainly work, yes.

> Answering my own questions again...  I think the
> array-of-chain-of-array case is also solvable.
>
> For array-of-chain, we can simply add all unsignaled dma_fences in the
> chain to the array.  The array won't signal until all of them have
> which is exactly the same behavior as if we'd added the chain itself.

Yeah, that should work. Probably best to implement something like a 
cursor to walk all fences in the data structure.

> For chain-of-array, we can add all unsignaled dma_fences in the array
> to the same point in the chain.  There may be some fiddling with the
> chain numbering required here but I think we can get it so the chain
> won't signal until everything in the array has signaled and we get the
> same behavior as if we'd added the dma_fence_array to the chain.

Well as far as I can see this won't work because it would break the 
semantics of the timeline sync.

But I think I know a different way which should work: A dma_fence_chain 
can still contain a dma_fence_array, only the other way around is 
forbidden. Then we create the cursor functionality in such a way that it 
allows us to deep dive into the data structure and return all containing 
fences one by one.

I can prototype that if you want, shouldn't be more than a few hours of 
hacking anyway.

Regards,
Christian.

>
> In both cases, we end up with either a single array or a single and
> destruction doesn't require recursion.  Thoughts?
>
> --Jason

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ