| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <88dd5d67-7dd5-2f58-5254-adaa941deb0f@gmail.com>
Date: Wed, 27 Apr 2022 10:31:15 +0800
From: Hangyu Hua <hbh25y@...il.com>
To: Andrey Grodzovsky <andrey.grodzovsky@....com>, yuq825@...il.com,
airlied@...ux.ie, daniel@...ll.ch
Cc: dri-devel@...ts.freedesktop.org, lima@...ts.freedesktop.org,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH] gpu: drm: remove redundant dma_fence_put() when
drm_sched_job_add_dependency() fails
On 2022/4/26 22:55, Andrey Grodzovsky wrote:
>
> On 2022-04-25 22:54, Hangyu Hua wrote:
>> On 2022/4/25 23:42, Andrey Grodzovsky wrote:
>>> On 2022-04-25 04:36, Hangyu Hua wrote:
>>>
>>>> When drm_sched_job_add_dependency() fails, dma_fence_put() will be
>>>> called
>>>> internally. Calling it again after drm_sched_job_add_dependency()
>>>> finishes
>>>> may result in a dangling pointer.
>>>>
>>>> Fix this by removing redundant dma_fence_put().
>>>>
>>>> Signed-off-by: Hangyu Hua <hbh25y@...il.com>
>>>> ---
>>>> drivers/gpu/drm/lima/lima_gem.c | 1 -
>>>> drivers/gpu/drm/scheduler/sched_main.c | 1 -
>>>> 2 files changed, 2 deletions(-)
>>>>
>>>> diff --git a/drivers/gpu/drm/lima/lima_gem.c
>>>> b/drivers/gpu/drm/lima/lima_gem.c
>>>> index 55bb1ec3c4f7..99c8e7f6bb1c 100644
>>>> --- a/drivers/gpu/drm/lima/lima_gem.c
>>>> +++ b/drivers/gpu/drm/lima/lima_gem.c
>>>> @@ -291,7 +291,6 @@ static int lima_gem_add_deps(struct drm_file
>>>> *file, struct lima_submit *submit)
>>>> err = drm_sched_job_add_dependency(&submit->task->base,
>>>> fence);
>>>> if (err) {
>>>> - dma_fence_put(fence);
>>>> return err;
>>>
>>>
>>> Makes sense here
>>>
>>>
>>>> }
>>>> }
>>>> diff --git a/drivers/gpu/drm/scheduler/sched_main.c
>>>> b/drivers/gpu/drm/scheduler/sched_main.c
>>>> index b81fceb0b8a2..ebab9eca37a8 100644
>>>> --- a/drivers/gpu/drm/scheduler/sched_main.c
>>>> +++ b/drivers/gpu/drm/scheduler/sched_main.c
>>>> @@ -708,7 +708,6 @@ int
>>>> drm_sched_job_add_implicit_dependencies(struct drm_sched_job *job,
>>>> dma_fence_get(fence);
>>>> ret = drm_sched_job_add_dependency(job, fence);
>>>> if (ret) {
>>>> - dma_fence_put(fence);
>>>
>>>
>>>
>>> Not sure about this one since if you look at the relevant commits -
>>> 'drm/scheduler: fix drm_sched_job_add_implicit_dependencies' and
>>> 'drm/scheduler: fix drm_sched_job_add_implicit_dependencies harder'
>>> You will see that the dma_fence_put here balances the extra
>>> dma_fence_get
>>> above
>>>
>>> Andrey
>>>
>>
>> I don't think so. I checked the call chain and found no additional
>> dma_fence_get(). But dma_fence_get() needs to be called before
>> drm_sched_job_add_dependency() to keep the counter balanced.
>
>
> I don't say there is an additional get, I just say that
> drm_sched_job_add_dependency doesn't grab an extra reference to the
> fences it stores so this needs to be done outside and for that
> drm_sched_job_add_implicit_dependencies->dma_fence_get is called and, if
> this addition fails you just call dma_fence_put to keep the counter
> balanced.
>
drm_sched_job_add_implicit_dependencies() will call
drm_sched_job_add_dependency(). And drm_sched_job_add_dependency()
already call dma_fence_put() when it fails. Calling dma_fence_put()
twice doesn't make sense.
dma_fence_get() is in [2]. But dma_fence_put() will be called in [1] and
[3] when xa_alloc() fails.
int drm_sched_job_add_dependency(struct drm_sched_job *job,
struct dma_fence *fence)
{
...
ret = xa_alloc(&job->dependencies, &id, fence, xa_limit_32b, GFP_KERNEL);
if (ret != 0)
dma_fence_put(fence); <--- [1]
return ret;
}
EXPORT_SYMBOL(drm_sched_job_add_dependency);
int drm_sched_job_add_implicit_dependencies(struct drm_sched_job *job,
struct drm_gem_object *obj,
bool write)
{
struct dma_resv_iter cursor;
struct dma_fence *fence;
int ret;
dma_resv_for_each_fence(&cursor, obj->resv, write, fence) {
/* Make sure to grab an additional ref on the added fence */
dma_fence_get(fence); <--- [2]
ret = drm_sched_job_add_dependency(job, fence);
if (ret) {
dma_fence_put(fence); <--- [3]
return ret;
}
}
return 0;
}
>
>> On the other hand, dma_fence_get() and dma_fence_put() are meaningless
>> here if threre is an extra dma_fence_get() beacause counter will not
>> decrease to 0 during drm_sched_job_add_dependency().
>>
>> I check the call chain as follows:
>>
>> msm_ioctl_gem_submit()
>> -> submit_fence_sync()
>> -> drm_sched_job_add_implicit_dependencies()
>
>
> Can you maybe trace or print one such example of problematic refcount
> that you are trying to fix ? I still don't see where is the problem.
>
> Andrey
>
I also wish I could. System logs can make this easy. But i don't have a
corresponding GPU physical device.
drm_sched_job_add_implicit_dependencies is only used in a few devices.
Thanks.
>
>>
>> Thanks,
>> Hangyu
>>
>>>
>>>> return ret;
>>>> }
>>>> }
Powered by blists - more mailing lists