1. 30 11月, 2021 1 次提交
  2. 11 11月, 2021 1 次提交
  3. 11 10月, 2021 1 次提交
    • T
      dma-resv: Fix dma_resv_get_fences and dma_resv_copy_fences after conversion · 5e51cc00
      Tvrtko Ursulin 提交于
      Cache the count of shared fences in the iterator to avoid dereferencing
      the dma_resv_object outside the RCU protection. Otherwise iterator and its
      users can observe an incosistent state which makes it impossible to use
      safely. Such as:
      
      <6> [187.517041] [IGT] gem_sync: executing
      <7> [187.536343] i915 0000:00:02.0: [drm:i915_gem_context_create_ioctl [i915]] HW context 1 created
      <7> [187.536793] i915 0000:00:02.0: [drm:i915_gem_context_create_ioctl [i915]] HW context 1 created
      <6> [187.551235] [IGT] gem_sync: starting subtest basic-many-each
      <1> [188.935462] BUG: kernel NULL pointer dereference, address: 0000000000000010
      <1> [188.935485] #PF: supervisor write access in kernel mode
      <1> [188.935495] #PF: error_code(0x0002) - not-present page
      <6> [188.935504] PGD 0 P4D 0
      <4> [188.935512] Oops: 0002 [#1] PREEMPT SMP NOPTI
      <4> [188.935521] CPU: 2 PID: 1467 Comm: gem_sync Not tainted 5.15.0-rc4-CI-Patchwork_21264+ #1
      <4> [188.935535] Hardware name:  /NUC6CAYB, BIOS AYAPLCEL.86A.0049.2018.0508.1356 05/08/2018
      <4> [188.935546] RIP: 0010:dma_resv_get_fences+0x116/0x2d0
      <4> [188.935560] Code: 10 85 c0 7f c9 be 03 00 00 00 e8 15 8b df ff eb bd e8 8e c6 ff ff eb b6 41 8b 04 24 49 8b 55 00 48 89 e7 8d 48 01 41 89 0c 24 <4c> 89 34 c2 e8 41 f2 ff ff 49 89 c6 48 85 c0 75 8c 48 8b 44 24 10
      <4> [188.935583] RSP: 0018:ffffc900011dbcc8 EFLAGS: 00010202
      <4> [188.935593] RAX: 0000000000000000 RBX: 00000000ffffffff RCX: 0000000000000001
      <4> [188.935603] RDX: 0000000000000010 RSI: ffffffff822e343c RDI: ffffc900011dbcc8
      <4> [188.935613] RBP: ffffc900011dbd48 R08: ffff88812d255bb8 R09: 00000000fffffffe
      <4> [188.935623] R10: 0000000000000001 R11: 0000000000000000 R12: ffffc900011dbd44
      <4> [188.935633] R13: ffffc900011dbd50 R14: ffff888113d29cc0 R15: 0000000000000000
      <4> [188.935643] FS:  00007f68d17e9700(0000) GS:ffff888277900000(0000) knlGS:0000000000000000
      <4> [188.935655] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      <4> [188.935665] CR2: 0000000000000010 CR3: 000000012d0a4000 CR4: 00000000003506e0
      <4> [188.935676] Call Trace:
      <4> [188.935685]  i915_gem_object_wait+0x1ff/0x410 [i915]
      <4> [188.935988]  i915_gem_wait_ioctl+0xf2/0x2a0 [i915]
      <4> [188.936272]  ? i915_gem_object_wait+0x410/0x410 [i915]
      <4> [188.936533]  drm_ioctl_kernel+0xae/0x140
      <4> [188.936546]  drm_ioctl+0x201/0x3d0
      <4> [188.936555]  ? i915_gem_object_wait+0x410/0x410 [i915]
      <4> [188.936820]  ? __fget_files+0xc2/0x1c0
      <4> [188.936830]  ? __fget_files+0xda/0x1c0
      <4> [188.936839]  __x64_sys_ioctl+0x6d/0xa0
      <4> [188.936848]  do_syscall_64+0x3a/0xb0
      <4> [188.936859]  entry_SYSCALL_64_after_hwframe+0x44/0xae
      
      If the shared object has changed during the RCU unlocked period
      callers will correctly handle the restart on the next iteration.
      Signed-off-by: NTvrtko Ursulin <tvrtko.ursulin@intel.com>
      Fixes: 96601e8a ("dma-buf: use new iterator in dma_resv_copy_fences")
      Fixes: d3c80698 ("dma-buf: use new iterator in dma_resv_get_fences v3")
      Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/4274
      Cc: Christian König <christian.koenig@amd.com>
      Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
      Cc: Sumit Semwal <sumit.semwal@linaro.org>
      Cc: linux-media@vger.kernel.org
      Cc: dri-devel@lists.freedesktop.org
      Cc: linaro-mm-sig@lists.linaro.org
      Link: https://patchwork.freedesktop.org/patch/msgid/20211008095007.972693-1-tvrtko.ursulin@linux.intel.comReviewed-by: NChristian König <christian.koenig@amd.com>
      Signed-off-by: NChristian König <christian.koenig@amd.com>
      5e51cc00
  4. 07 10月, 2021 1 次提交
  5. 06 10月, 2021 5 次提交
  6. 31 8月, 2021 1 次提交
    • D
      dma-resv: Give the docs a do-over · d9edf92d
      Daniel Vetter 提交于
      Specifically document the new/clarified rules around how the shared
      fences do not have any ordering requirements against the exclusive
      fence.
      
      But also document all the things a bit better, given how central
      struct dma_resv to dynamic buffer management the docs have been very
      inadequat.
      
      - Lots more links to other pieces of the puzzle. Unfortunately
        ttm_buffer_object has no docs, so no links :-(
      
      - Explain/complain a bit about dma_resv_locking_ctx(). I still don't
        like that one, but fixing the ttm call chains is going to be
        horrible. Plus we want to plug in real slowpath locking when we do
        that anyway.
      
      - Main part of the patch is some actual docs for struct dma_resv.
      
      Overall I think we still have a lot of bad naming in this area (e.g.
      dma_resv.fence is singular, but contains the multiple shared fences),
      but I think that's more indicative of how the semantics and rules are
      just not great.
      
      Another thing that's real awkard is how chaining exclusive fences
      right now means direct dma_resv.exclusive_fence pointer access with an
      rcu_assign_pointer. Not so great either.
      
      v2:
      - Fix a pile of typos (Matt, Jason)
      - Hammer it in that breaking the rules leads to use-after-free issues
        around dma-buf sharing (Christian)
      Reviewed-by: NChristian König <christian.koenig@amd.com>
      Cc: Jason Ekstrand <jason@jlekstrand.net>
      Cc: Matthew Auld <matthew.auld@intel.com>
      Reviewed-by: NMatthew Auld <matthew.auld@intel.com>
      Signed-off-by: NDaniel Vetter <daniel.vetter@intel.com>
      Cc: Sumit Semwal <sumit.semwal@linaro.org>
      Cc: "Christian König" <christian.koenig@amd.com>
      Cc: linux-media@vger.kernel.org
      Cc: linaro-mm-sig@lists.linaro.org
      Link: https://patchwork.freedesktop.org/patch/msgid/20210805104705.862416-21-daniel.vetter@ffwll.ch
      d9edf92d
  7. 08 7月, 2021 1 次提交
  8. 06 6月, 2021 3 次提交
  9. 05 6月, 2021 1 次提交
  10. 04 6月, 2021 2 次提交
  11. 25 11月, 2020 1 次提交
  12. 08 10月, 2020 1 次提交
  13. 17 9月, 2020 1 次提交
  14. 29 7月, 2020 2 次提交
  15. 21 7月, 2020 1 次提交
    • D
      dma-fence: prime lockdep annotations · d0b9a9ae
      Daniel Vetter 提交于
      Two in one go:
      - it is allowed to call dma_fence_wait() while holding a
        dma_resv_lock(). This is fundamental to how eviction works with ttm,
        so required.
      
      - it is allowed to call dma_fence_wait() from memory reclaim contexts,
        specifically from shrinker callbacks (which i915 does), and from mmu
        notifier callbacks (which amdgpu does, and which i915 sometimes also
        does, and probably always should, but that's kinda a debate). Also
        for stuff like HMM we really need to be able to do this, or things
        get real dicey.
      
      Consequence is that any critical path necessary to get to a
      dma_fence_signal for a fence must never a) call dma_resv_lock nor b)
      allocate memory with GFP_KERNEL. Also by implication of
      dma_resv_lock(), no userspace faulting allowed. That's some supremely
      obnoxious limitations, which is why we need to sprinkle the right
      annotations to all relevant paths.
      
      The one big locking context we're leaving out here is mmu notifiers,
      added in
      
      commit 23b68395
      Author: Daniel Vetter <daniel.vetter@ffwll.ch>
      Date:   Mon Aug 26 22:14:21 2019 +0200
      
          mm/mmu_notifiers: add a lockdep map for invalidate_range_start/end
      
      that one covers a lot of other callsites, and it's also allowed to
      wait on dma-fences from mmu notifiers. But there's no ready-made
      functions exposed to prime this, so I've left it out for now.
      
      v2: Also track against mmu notifier context.
      
      v3: kerneldoc to spec the cross-driver contract. Note that currently
      i915 throws in a hard-coded 10s timeout on foreign fences (not sure
      why that was done, but it's there), which is why that rule is worded
      with SHOULD instead of MUST.
      
      Also some of the mmu_notifier/shrinker rules might surprise SoC
      drivers, I haven't fully audited them all. Which is infeasible anyway,
      we'll need to run them with lockdep and dma-fence annotations and see
      what goes boom.
      
      v4: A spelling fix from Mika
      
      v5: #ifdef for CONFIG_MMU_NOTIFIER. Reported by 0day. Unfortunately
      this means lockdep enforcement is slightly inconsistent, it won't spot
      GFP_NOIO and GFP_NOFS allocations in the wrong spot if
      CONFIG_MMU_NOTIFIER is disabled in the kernel config. Oh well.
      
      v5: Note that only drivers/gpu has a reasonable (or at least
      historical) excuse to use dma_fence_wait() from shrinker and mmu
      notifier callbacks. Everyone else should either have a better memory
      manager model, or better hardware. This reflects discussions with
      Jason Gunthorpe.
      
      Cc: Jason Gunthorpe <jgg@mellanox.com>
      Cc: Felix Kuehling <Felix.Kuehling@amd.com>
      Cc: kernel test robot <lkp@intel.com>
      Acked-by: NChristian König <christian.koenig@amd.com>
      Acked-by: NDave Airlie <airlied@redhat.com>
      Reviewed-by: NMaarten Lankhorst <maarten.lankhorst@linux.intel.com>
      Reviewed-by: Thomas Hellström <thomas.hellstrom@intel.com> (v4)
      Cc: Mika Kuoppala <mika.kuoppala@intel.com>
      Cc: Thomas Hellstrom <thomas.hellstrom@intel.com>
      Cc: linux-media@vger.kernel.org
      Cc: linaro-mm-sig@lists.linaro.org
      Cc: linux-rdma@vger.kernel.org
      Cc: amd-gfx@lists.freedesktop.org
      Cc: intel-gfx@lists.freedesktop.org
      Cc: Chris Wilson <chris@chris-wilson.co.uk>
      Cc: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
      Cc: Christian König <christian.koenig@amd.com>
      Signed-off-by: NDaniel Vetter <daniel.vetter@intel.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/20200707201229.472834-3-daniel.vetter@ffwll.ch
      d0b9a9ae
  16. 10 6月, 2020 1 次提交
  17. 21 11月, 2019 1 次提交
    • D
      dma-resv: Also prime acquire ctx for lockdep · fedf7a44
      Daniel Vetter 提交于
      Semnatically it really doesn't matter where we grab the ticket. But
      since the ticket is a fake lockdep lock, it matters for lockdep
      validation purposes.
      
      This means stuff like grabbing a ticket and then doing
      copy_from/to_user isn't allowed anymore. This is a changed compared to
      the current ttm fault handler, which doesn't bother with having a full
      reservation. Since I'm looking into fixing the TODO entry in
      ttm_mem_evict_wait_busy() I think that'll have to change sooner or
      later anyway, better get started. A bit more context on why I'm
      looking into this: For backwards compat with existing i915 gem code I
      think we'll have to do full slowpath locking in the i915 equivalent of
      the eviction code. And with dynamic dma-buf that will leak across
      drivers, so another thing we need to standardize and make sure it's
      done the same way everyway.
      
      Unfortunately this means another full audit of all drivers:
      
      - gem helpers: acquire_init is done right before taking locks, so no
        problem. Same for acquire_fini and unlocking, which means nothing
        that's not already covered by the dma_resv_lock rules will be caught
        with this extension here to the acquire_ctx.
      
      - etnaviv: An absolute massive amount of code is run between the
        acquire_init and the first lock acquisition in submit_lock_objects.
        But nothing that would touch user memory and could cause a fault.
        Furthermore nothing that uses the ticket, so even if I missed
        something, it would be easy to fix by pushing the acquire_init right
        before the first use. Similar on the unlock/acquire_fini side.
      
      - i915: Right now (and this will likely change a lot rsn) the acquire
        ctx and actual locks are right next to each another. No problem.
      
      - msm has a problem: submit_create calls acquire_init, but then
        submit_lookup_objects() has a bunch of copy_from_user to do the
        object lookups. That's the only thing before submit_lock_objects
        call dma_resv_lock(). Despite all the copypasta to etnaviv, etnaviv
        does not have this issue since it copies all the userspace structs
        earlier. submit_cleanup does not have any such issues.
      
        With the prep patch to pull out the acquire_ctx and reorder it msm
        is going to be safe too.
      
      - nouveau: acquire_init is right next to ttm_bo_reserve, so all good.
        Similar on the acquire_fini/ttm_bo_unreserve side.
      
      - ttm execbuf utils: acquire context and locking are even in the same
        functions here (one function to reserve everything, the other to
        unreserve), so all good.
      
      - vc4: Another case where acquire context and locking are handled in
        the same functions (one function to lock everything, the other to
        unlock).
      
      Cc: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
      Cc: Chris Wilson <chris@chris-wilson.co.uk>
      Cc: Christian König <christian.koenig@amd.com>
      Cc: Sumit Semwal <sumit.semwal@linaro.org>
      Cc: linux-media@vger.kernel.org
      Cc: linaro-mm-sig@lists.linaro.org
      Cc: Huang Rui <ray.huang@amd.com>
      Cc: Eric Anholt <eric@anholt.net>
      Cc: Ben Skeggs <bskeggs@redhat.com>
      Cc: Alex Deucher <alexander.deucher@amd.com>
      Cc: Rob Herring <robh@kernel.org>
      Cc: Lucas Stach <l.stach@pengutronix.de>
      Cc: Russell King <linux+etnaviv@armlinux.org.uk>
      Cc: Christian Gmeiner <christian.gmeiner@gmail.com>
      Cc: Rob Clark <robdclark@gmail.com>
      Cc: Sean Paul <sean@poorly.run>
      Acked-by: NChristian König <christian.koenig@amd.com>
      Reviewed-by: NMaarten Lankhorst <maarten.lankhorst@linux.intel.com>
      Signed-off-by: NDaniel Vetter <daniel.vetter@intel.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/20191119210844.16947-3-daniel.vetter@ffwll.ch
      fedf7a44
  18. 20 11月, 2019 1 次提交
  19. 06 11月, 2019 1 次提交
    • D
      dma_resv: prime lockdep annotations · b2a8116e
      Daniel Vetter 提交于
      Full audit of everyone:
      
      - i915, radeon, amdgpu should be clean per their maintainers.
      
      - vram helpers should be fine, they don't do command submission, so
        really no business holding struct_mutex while doing copy_*_user. But
        I haven't checked them all.
      
      - panfrost seems to dma_resv_lock only in panfrost_job_push, which
        looks clean.
      
      - v3d holds dma_resv locks in the tail of its v3d_submit_cl_ioctl(),
        copying from/to userspace happens all in v3d_lookup_bos which is
        outside of the critical section.
      
      - vmwgfx has a bunch of ioctls that do their own copy_*_user:
        - vmw_execbuf_process: First this does some copies in
          vmw_execbuf_cmdbuf() and also in the vmw_execbuf_process() itself.
          Then comes the usual ttm reserve/validate sequence, then actual
          submission/fencing, then unreserving, and finally some more
          copy_to_user in vmw_execbuf_copy_fence_user. Glossing over tons of
          details, but looks all safe.
        - vmw_fence_event_ioctl: No ttm_reserve/dma_resv_lock anywhere to be
          seen, seems to only create a fence and copy it out.
        - a pile of smaller ioctl in vmwgfx_ioctl.c, no reservations to be
          found there.
        Summary: vmwgfx seems to be fine too.
      
      - virtio: There's virtio_gpu_execbuffer_ioctl, which does all the
        copying from userspace before even looking up objects through their
        handles, so safe. Plus the getparam/getcaps ioctl, also both safe.
      
      - qxl only has qxl_execbuffer_ioctl, which calls into
        qxl_process_single_command. There's a lovely comment before the
        __copy_from_user_inatomic that the slowpath should be copied from
        i915, but I guess that never happened. Try not to be unlucky and get
        your CS data evicted between when it's written and the kernel tries
        to read it. The only other copy_from_user is for relocs, but those
        are done before qxl_release_reserve_list(), which seems to be the
        only thing reserving buffers (in the ttm/dma_resv sense) in that
        code. So looks safe.
      
      - A debugfs file in nouveau_debugfs_pstate_set() and the usif ioctl in
        usif_ioctl() look safe. nouveau_gem_ioctl_pushbuf() otoh breaks this
        everywhere and needs to be fixed up.
      
      v2: Thomas pointed at that vmwgfx calls dma_resv_init while it holds a
      dma_resv lock of a different object already. Christian mentioned that
      ttm core does this too for ghost objects. intel-gfx-ci highlighted
      that i915 has similar issues.
      
      Unfortunately we can't do this in the usual module init functions,
      because kernel threads don't have an ->mm - we have to wait around for
      some user thread to do this.
      
      Solution is to spawn a worker (but only once). It's horrible, but it
      works.
      
      v3: We can allocate mm! (Chris). Horrible worker hack out, clean
      initcall solution in.
      
      v4: Annotate with __init (Rob Herring)
      
      Cc: Rob Herring <robh@kernel.org>
      Cc: Alex Deucher <alexander.deucher@amd.com>
      Cc: Christian König <christian.koenig@amd.com>
      Cc: Chris Wilson <chris@chris-wilson.co.uk>
      Cc: Thomas Zimmermann <tzimmermann@suse.de>
      Cc: Rob Herring <robh@kernel.org>
      Cc: Tomeu Vizoso <tomeu.vizoso@collabora.com>
      Cc: Eric Anholt <eric@anholt.net>
      Cc: Dave Airlie <airlied@redhat.com>
      Cc: Gerd Hoffmann <kraxel@redhat.com>
      Cc: Ben Skeggs <bskeggs@redhat.com>
      Cc: "VMware Graphics" <linux-graphics-maintainer@vmware.com>
      Cc: Thomas Hellstrom <thellstrom@vmware.com>
      Reviewed-by: NThomas Hellstrom <thellstrom@vmware.com>
      Reviewed-by: NChristian König <christian.koenig@amd.com>
      Reviewed-by: NChris Wilson <chris@chris-wilson.co.uk>
      Tested-by: NChris Wilson <chris@chris-wilson.co.uk>
      Signed-off-by: NDaniel Vetter <daniel.vetter@intel.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/20191104173801.2972-1-daniel.vetter@ffwll.ch
      b2a8116e
  20. 10 10月, 2019 1 次提交
  21. 22 9月, 2019 1 次提交
  22. 16 8月, 2019 1 次提交
  23. 13 8月, 2019 2 次提交
  24. 10 8月, 2019 2 次提交
  25. 07 8月, 2019 3 次提交
  26. 17 7月, 2019 1 次提交
  27. 15 7月, 2019 1 次提交
  28. 28 6月, 2019 1 次提交