From: Sasha Levin
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Yintian Tao, Christian König, Alex Deucher, Sasha Levin, dri-devel@lists.freedesktop.org, linux-media@vger.kernel.org, linaro-mm-sig@lists.linaro.org
Subject: [PATCH AUTOSEL 5.4 28/32] drm/scheduler: fix rare NULL ptr race
Date: Mon, 6 Apr 2020 20:01:46 -0400
Message-Id: <20200407000151.16768-28-sashal@kernel.org>
In-Reply-To: <20200407000151.16768-1-sashal@kernel.org>
References: <20200407000151.16768-1-sashal@kernel.org>

From: Yintian Tao

[ Upstream commit 77bb2f204f1f0a53a602a8fd15816d6826212077 ]

There is one corner case at dma_fence_signal_locked
which will raise the NULL pointer problem just like below.
->dma_fence_signal
    ->dma_fence_signal_locked
        ->test_and_set_bit
here trigger dma_fence_release happen due to the zero of fence refcount.

->dma_fence_put
    ->dma_fence_release
        ->drm_sched_fence_release_scheduled
            ->call_rcu
here make the union field “cb_list” at finished fence
to NULL because struct rcu_head contains two pointer
which is same as struct list_head cb_list

Therefore, to hold the reference of finished fence at drm_sched_process_job
to prevent the null pointer during finished fence dma_fence_signal

[ 732.912867] BUG: kernel NULL pointer dereference, address: 0000000000000008
[ 732.914815] #PF: supervisor write access in kernel mode
[ 732.915731] #PF: error_code(0x0002) - not-present page
[ 732.916621] PGD 0 P4D 0
[ 732.917072] Oops: 0002 [#1] SMP PTI
[ 732.917682] CPU: 7 PID: 0 Comm: swapper/7 Tainted: G OE 5.4.0-rc7 #1
[ 732.918980] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014
[ 732.920906] RIP: 0010:dma_fence_signal_locked+0x3e/0x100
[ 732.938569] Call Trace:
[ 732.939003]
[ 732.939364] dma_fence_signal+0x29/0x50
[ 732.940036] drm_sched_fence_finished+0x12/0x20 [gpu_sched]
[ 732.940996] drm_sched_process_job+0x34/0xa0 [gpu_sched]
[ 732.941910] dma_fence_signal_locked+0x85/0x100
[ 732.942692] dma_fence_signal+0x29/0x50
[ 732.943457] amdgpu_fence_process+0x99/0x120 [amdgpu]
[ 732.944393] sdma_v4_0_process_trap_irq+0x81/0xa0 [amdgpu]

v2: hold the finished fence at drm_sched_process_job instead of
    amdgpu_fence_process
v3: resume the blank line

Signed-off-by: Yintian Tao
Reviewed-by: Christian König
Signed-off-by: Alex Deucher
Signed-off-by: Sasha Levin
---
 drivers/gpu/drm/scheduler/sched_main.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/gpu/drm/scheduler/sched_main.c b/drivers/gpu/drm/scheduler/sched_main.c index 2af64459b3d77..dfb29e6eeff1e 100644 --- a/drivers/gpu/drm/scheduler/sched_main.c +++ b/drivers/gpu/drm/scheduler/sched_main.c @@ -627,7 +627,9 @@ static void drm_sched_process_job(struct dma_fence *f, struct dma_fence_cb *cb) trace_drm_sched_process_job(s_fence); + dma_fence_get(&s_fence->finished); drm_sched_fence_finished(s_fence); + dma_fence_put(&s_fence->finished); wake_up_interruptible(&sched->wake_up_worker); } -- 2.20.1
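
Review bot: The dma_fence_get()/dma_fence_put() pair added around drm_sched_fence_finished(s_fence) carries no comment, and without one it reads as a redundant reference that a later cleanup could drop. Add a short comment above dma_fence_get(&s_fence->finished) saying the temporary reference keeps the finished fence alive while it is being signaled, as the commit message explains. Since the added dma_fence_put(&s_fence->finished) can then be the last put, also confirm that nothing after it relies on the fence still being alive; in the visible context the only following statement is wake_up_interruptible(&sched->wake_up_worker), which uses sched rather than s_fence.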
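
The race described in the commit message, as an added userspace model that is not part of the original mail and is not kernel code. The struct layouts are simplified, and fence_signal(), process_job() and the hold_ref parameter are hypothetical names; the concurrent put is replayed inline so the model runs single-threaded.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed model of the layout in the commit message; not kernel code. */
struct list_head { struct list_head *next, *prev; };
struct rcu_head { struct rcu_head *next; void (*func)(struct rcu_head *); };

struct fence {
    int refcount;
    bool released;
    union {                       /* two pointers each, sharing the same storage */
        struct list_head cb_list; /* valid while the fence can still be signaled */
        struct rcu_head rcu;      /* valid once the release has been queued */
    };
};

static void fence_init(struct fence *f) {
    f->refcount = 1;
    f->released = false;
    f->cb_list.next = f->cb_list.prev = &f->cb_list; /* empty callback list */
}

static void fence_get(struct fence *f) { f->refcount++; }

/* Dropping the last reference queues the RCU head, which reuses cb_list's bytes. */
static void fence_put(struct fence *f) {
    if (--f->refcount > 0)
        return;
    f->rcu.next = NULL; /* stand-in for call_rcu() initialising the head */
    f->rcu.func = NULL;
    f->released = true;
}

/* Stand-in for the signal path: returns -1 where the kernel would oops. */
static int fence_signal(struct fence *f) {
    fence_put(f); /* models the other context dropping its reference mid-signal */
    return f->cb_list.next == NULL ? -1 : 0; /* the list walk starts from here */
}

/* hold_ref=false is the ordering before the patch, true is the patched ordering. */
static int process_job(struct fence *f, bool hold_ref) {
    int ret;

    if (hold_ref)
        fence_get(f);
    ret = fence_signal(f);
    if (hold_ref)
        fence_put(f); /* the release now happens only after signaling is done */
    return ret;
}
```
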