1. 21 8月, 2013 7 次提交
    • D
      drm/prime: Always add exported buffers to the handle cache · d0b2c533
      Daniel Vetter 提交于
      ... not only when the dma-buf is freshly created. In contrived
      examples someone else could have exported/imported the dma-buf already
      and handed us the gem object with a flink name. If such on object gets
      reexported as a dma_buf we won't have it in the handle cache already,
      which breaks the guarantee that for dma-buf imports we always hand
      back an existing handle if there is one.
      
      This is exercised by igt/prime_self_import/with_one_bo_two_files
      
      Now if we extend the locked sections just a notch more we can also
      plug th racy buf/handle cache setup in handle_to_fd:
      
      If evil userspace races a concurrent gem close against a prime export
      operation we can end up tearing down the gem handle before the dma buf
      handle cache is set up. When handle_to_fd gets around to adding the
      handle to the cache there will be no one left to clean it up,
      effectily leaking the bo (and the dma-buf, since the handle cache
      holds a ref on the dma-buf):
      
      Thread A			Thread B
      
      handle_to_fd:
      
      lookup gem object from handle
      creates new dma_buf
      
      				gem_close on the same handle
      				obj->dma_buf is set, but file priv buf
      				handle cache has no entry
      
      				obj->handle_count drops to 0
      
      drm_prime_add_buf_handle sets up the handle cache
      
      -> We have a dma-buf reference in the handle cache, but since the
      handle_count of the gem object already dropped to 0 no on will clean
      it up. When closing the drm device fd we'll hit the WARN_ON in
      drm_prime_destroy_file_private.
      
      The important change is to extend the critical section of the
      filp->prime.lock to cover the gem handle lookup. This serializes with
      a concurrent gem handle close.
      
      This leak is exercised by igt/prime_self_import/export-vs-gem_close-race
      Signed-off-by: NDaniel Vetter <daniel.vetter@ffwll.ch>
      Signed-off-by: NDave Airlie <airlied@redhat.com>
      d0b2c533
    • D
      drm/prime: make drm_prime_lookup_buf_handle static · de9564d8
      Daniel Vetter 提交于
      ... and move it to the top of the function to avoid a forward
      declaration.
      Signed-off-by: NDaniel Vetter <daniel.vetter@ffwll.ch>
      Signed-off-by: NDave Airlie <airlied@redhat.com>
      de9564d8
    • D
      drm/prime: proper locking+refcounting for obj->dma_buf link · 319c933c
      Daniel Vetter 提交于
      The export dma-buf cache is semantically similar to an flink name. So
      semantically it makes sense to treat it the same and remove the name
      (i.e. the dma_buf pointer) and its references when the last gem handle
      disappears.
      
      Again we need to be careful, but double so: Not just could someone
      race and export with a gem close ioctl (so we need to recheck
      obj->handle_count again when assigning the new name), but multiple
      exports can also race against each another. This is prevented by
      holding the dev->object_name_lock across the entire section which
      touches obj->dma_buf.
      
      With the new scheme we also need to reinstate the obj->dma_buf link at
      import time (in case the only reference userspace has held in-between
      was through the dma-buf fd and not through any native gem handle). For
      simplicity we don't check whether it's a native object but
      unconditionally set up that link - with the new scheme of removing the
      obj->dma_buf reference when the last handle disappears we can do that.
      
      To make it clear that this is not just for exported buffers anymore
      als rename it from export_dma_buf to dma_buf.
      
      To make sure that now one can race a fd_to_handle or handle_to_fd with
      gem_close we use the same tricks as in flink of extending the
      dev->object_name_locking critical section. With this change we finally
      have a guaranteed 1:1 relationship (at least for native objects)
      between gem objects and dma-bufs, even accounting for races (which can
      happen since the dma-buf itself holds a reference while in-flight).
      
      This prevent igt/prime_self_import/export-vs-gem_close-race from
      Oopsing the kernel. There is still a leak though since the per-file
      priv dma-buf/handle cache handling is racy. That will be fixed in a
      later patch.
      
      v2: Remove the bogus dma_buf_put from the export_and_register_object
      failure path if we've raced with the handle count dropping to 0.
      Signed-off-by: NDaniel Vetter <daniel.vetter@ffwll.ch>
      Signed-off-by: NDave Airlie <airlied@redhat.com>
      319c933c
    • D
      drm/prime: clarify logic a bit in drm_gem_prime_fd_to_handle · 84341c28
      Daniel Vetter 提交于
      if (!ret) implies that ret == 0, so no need to clear it again. And
      explicitly check for ret == 0 to indicate that we're checking an errno
      integer.
      Signed-off-by: NDaniel Vetter <daniel.vetter@ffwll.ch>
      Signed-off-by: NDave Airlie <airlied@redhat.com>
      84341c28
    • D
      drm/prime: shrink critical section protected by prime lock · bdf655de
      Daniel Vetter 提交于
      When exporting a gem object as a dma-buf the critical section for the
      per-fd prime lock is just the adding (and in case of errors, removing)
      of the handle to the per-fd lookup cache.
      
      So restrict the critical section to just that part of the function.
      
      This simplifies later reordering.
      Signed-off-by: NDaniel Vetter <daniel.vetter@ffwll.ch>
      Signed-off-by: NDave Airlie <airlied@redhat.com>
      bdf655de
    • D
      drm/prime: use proper pointer in drm_gem_prime_handle_to_fd · 4332bf43
      Daniel Vetter 提交于
      Part of the function uses the properly-typed dmabuf variable, the
      other an untyped void *buf. Kill the later.
      Signed-off-by: NDaniel Vetter <daniel.vetter@ffwll.ch>
      Signed-off-by: NDave Airlie <airlied@redhat.com>
      4332bf43
    • D
      drm/prime: fix error path in drm_gem_prime_fd_to_handle · 730c4ff9
      Daniel Vetter 提交于
      handle_unreference only clears up the obj->name and the reference,
      but would leave a dangling handle in the idr. The right thing
      to do is to call handle_delete.
      Signed-off-by: NDaniel Vetter <daniel.vetter@ffwll.ch>
      Signed-off-by: NDave Airlie <airlied@redhat.com>
      730c4ff9
  2. 19 8月, 2013 2 次提交
    • D
      drm/prime: remove cargo-cult locking from map_sg helper · 01ce605a
      Daniel Vetter 提交于
      I've checked both implementations (radeon/nouveau) and they both grab
      the page array from ttm simply by dereferencing it and then wrapping
      it up with drm_prime_pages_to_sg in the callback and map it with
      dma_map_sg (in the helper).
      
      Only the grabbing of the underlying page array is anything we need to
      be concerned about, and either those pages are pinned independently,
      or we're screwed no matter what.
      
      And indeed, nouveau/radeon pin the backing storage in their
      attach/detach functions.
      
      Since I've created this patch cma prime support for dma_buf was added.
      drm_gem_cma_prime_get_sg_table only calls kzalloc and the creates&maps
      the sg table with dma_get_sgtable. It doesn't touch any gem object
      state otherwise. So the cma helpers also look safe.
      
      The only thing we might claim it does is prevent concurrent mapping of
      dma_buf attachments. But a) that's not allowed and b) the current code
      is racy already since it checks whether the sg mapping exists _before_
      grabbing the lock.
      
      So the dev->struct_mutex locking here does absolutely nothing useful,
      but only distracts. Remove it.
      
      This should also help Maarten's work to eventually pin the backing
      storage more dynamically by preventing locking inversions around
      dev->struct_mutex.
      
      v2: Add analysis for recently added cma helper prime code.
      
      Cc: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
      Cc: Maarten Lankhorst <maarten.lankhorst@canonical.com>
      Acked-by: NLaurent Pinchart <laurent.pinchart@ideasonboard.com>
      Acked-by: NMaarten Lankhorst <maarten.lankhorst@canonical.com>
      Signed-off-by: NDaniel Vetter <daniel.vetter@ffwll.ch>
      Signed-off-by: NDave Airlie <airlied@redhat.com>
      01ce605a
    • D
      drm: use common drm_gem_dmabuf_release in i915/exynos drivers · c1d6798d
      Daniel Vetter 提交于
      Note that this is slightly tricky since both drivers store their
      native objects in dma_buf->priv. But both also embed the base
      drm_gem_object at the first position, so the implicit cast is ok.
      
      To use the release helper we need to export it, too.
      
      Cc: Inki Dae <inki.dae@samsung.com>
      Cc: Intel Graphics Development <intel-gfx@lists.freedesktop.org>
      Signed-off-by: NDaniel Vetter <daniel.vetter@ffwll.ch>
      Signed-off-by: NDave Airlie <airlied@redhat.com>
      c1d6798d
  3. 05 7月, 2013 2 次提交
  4. 04 7月, 2013 1 次提交
  5. 28 6月, 2013 6 次提交
  6. 19 6月, 2013 1 次提交
  7. 11 6月, 2013 3 次提交
  8. 01 5月, 2013 3 次提交
    • I
      drm/prime: warn for non-empty handle lookup list during drm file release · 98b76231
      Imre Deak 提交于
      drm_gem_release should release all handles connected to the drm file and
      so should also release the prime lookup entries of these handles. So
      just WARN if this isn't the case.
      Signed-off-by: NImre Deak <imre.deak@intel.com>
      Reviewed-by: NDaniel Vetter <daniel.vetter@ffwll.ch>
      Signed-off-by: NDave Airlie <airlied@redhat.com>
      98b76231
    • I
      drm: prime: fix refcounting on the dmabuf import error path · 011c2282
      Imre Deak 提交于
      In commit be8a42ae we inroduced a refcount problem, where on the
      drm_gem_prime_fd_to_handle() error path we'll call dma_buf_put() for
      self imported dma buffers.
      
      Fix this by taking a reference on the dma buffer in the .gem_import
      hook instead of assuming the caller had taken one. Besides fixing the
      bug this is also more logical.
      Signed-off-by: NImre Deak <imre.deak@intel.com>
      Cc: stable@vger.kernel.org
      Reviewed-by: NDaniel Vetter <daniel.vetter@ffwll.ch>
      Signed-off-by: NDave Airlie <airlied@redhat.com>
      011c2282
    • D
      drm/prime: keep a reference from the handle to exported dma-buf (v6) · 219b4733
      Dave Airlie 提交于
      Currently we have a problem with this:
      1. i915: create gem object
      2. i915: export gem object to prime
      3. radeon: import gem object
      4. close prime fd
      5. radeon: unref object
      6. i915: unref object
      
      i915 has an imported object reference in its file priv, that isn't
      cleaned up properly until fd close. The reference gets added at step 2,
      but at step 6 we don't have enough info to clean it up.
      
      The solution is to take a reference on the dma-buf when we export it,
      and drop the reference when the gem handle goes away.
      
      So when we export a dma_buf from a gem object, we keep track of it
      with the handle, we take a reference to the dma_buf. When we close
      the handle (i.e. userspace is finished with the buffer), we drop
      the reference to the dma_buf, and it gets collected.
      
      This patch isn't meant to fix any other problem or bikesheds, and it doesn't
      fix any races with other scenarios.
      
      v1.1: move export symbol line back up.
      
      v2: okay I had to do a bit more, as the first patch showed a leak
      on one of my tests, that I found using the dma-buf debugfs support,
      the problem case is exporting a buffer twice with the same handle,
      we'd add another export handle for it unnecessarily, however
      we now fail if we try to export the same object with a different gem handle,
      however I'm not sure if that is a case I want to support, and I've
      gotten the code to WARN_ON if we hit something like that.
      
      v2.1: rebase this patch, write better commit msg.
      v3: cleanup error handling, track import vs export in linked list,
      these two patches were separate previously, but seem to work better
      like this.
      v4: danvet is correct, this code is no longer useful, since the buffer
      better exist, so remove it.
      v5: always take a reference to the dma buf object, import or export.
      (Imre Deak contributed this originally)
      v6: square the circle, remove import vs export tracking now
      that there is no difference
      Reviewed-by: NDaniel Vetter <daniel.vetter@ffwll.ch>
      Cc: stable@vger.kernel.org
      Signed-off-by: NDave Airlie <airlied@redhat.com>
      219b4733
  9. 23 3月, 2013 1 次提交
  10. 08 2月, 2013 1 次提交
    • A
      drm: add prime helpers · 89177644
      Aaron Plattner 提交于
      Instead of reimplementing all of the dma_buf functionality in every driver,
      create helpers drm_prime_import and drm_prime_export that implement them in
      terms of new, lower-level hook functions:
      
        gem_prime_pin: callback when a buffer is created, used to pin buffers into GTT
        gem_prime_get_sg_table: convert a drm_gem_object to an sg_table for export
        gem_prime_import_sg_table: convert an sg_table into a drm_gem_object
        gem_prime_vmap, gem_prime_vunmap: map and unmap an object
      
      These hooks are optional; drivers can opt in by using drm_gem_prime_import and
      drm_gem_prime_export as the .gem_prime_import and .gem_prime_export fields of
      struct drm_driver.
      
      v2:
      - Drop .begin_cpu_access.  None of the drivers this code replaces implemented
        it.  Having it here was a leftover from when I was trying to include i915 in
        this rework.
      - Use mutex_lock instead of mutex_lock_interruptible, as these three drivers
        did.  This patch series shouldn't change that behavior.
      - Rename helpers to gem_prime_get_sg_table and gem_prime_import_sg_table.
        Rename struct sg_table* variables to 'sgt' for clarity.
      - Update drm.tmpl for these new hooks.
      
      v3:
      - Pass the vaddr down to the driver.  This lets drivers that just call vunmap on
        the pointer avoid having to store the pointer in their GEM private structures.
      - Move documentation into a /** DOC */ comment in drm_prime.c and include it in
        drm.tmpl with a !P line.  I tried to use !F lines to include documentation of
        the individual functions from drmP.h, but the docproc / kernel-doc scripts
        barf on that file, so hopefully this is good enough for now.
      - apply refcount fix from commit be8a42ae
        ("drm/prime: drop reference on imported dma-buf come from gem")
      Signed-off-by: NAaron Plattner <aplattner@nvidia.com>
      Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
      Cc: David Airlie <airlied@linux.ie>
      Signed-off-by: NDave Airlie <airlied@redhat.com>
      89177644
  11. 03 10月, 2012 1 次提交
  12. 23 5月, 2012 2 次提交
  13. 30 3月, 2012 1 次提交