* [PATCH v2 1/2] drm/panthor: Don't check the array stride on empty uobj arrays
2024-07-03 7:16 [PATCH v2 0/2] drm/panthor: Fix support for sync-only jobs Boris Brezillon
@ 2024-07-03 7:16 ` Boris Brezillon
2024-07-03 7:16 ` [PATCH v2 2/2] drm/panthor: Fix sync-only jobs Boris Brezillon
2024-07-03 7:47 ` [PATCH v2 0/2] drm/panthor: Fix support for " Boris Brezillon
2 siblings, 0 replies; 4+ messages in thread
From: Boris Brezillon @ 2024-07-03 7:16 UTC (permalink / raw)
To: Boris Brezillon, Steven Price, Liviu Dudau, Adrián Larumbe
Cc: dri-devel, kernel
The user is likely to leave all the drm_panthor_obj_array fields
to zero when the array is empty, which will cause an EINVAL failure.
v2:
- Added R-bs
Fixes: 4bdca1150792 ("drm/panthor: Add the driver frontend block")
Signed-off-by: Boris Brezillon <boris.brezillon@collabora.com>
Reviewed-by: Liviu Dudau <liviu.dudau@arm.com>
Reviewed-by: Steven Price <steven.price@arm.com>
---
drivers/gpu/drm/panthor/panthor_drv.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/gpu/drm/panthor/panthor_drv.c b/drivers/gpu/drm/panthor/panthor_drv.c
index b8a84f26b3ef..b5e7b919f241 100644
--- a/drivers/gpu/drm/panthor/panthor_drv.c
+++ b/drivers/gpu/drm/panthor/panthor_drv.c
@@ -86,15 +86,15 @@ panthor_get_uobj_array(const struct drm_panthor_obj_array *in, u32 min_stride,
int ret = 0;
void *out_alloc;
+ if (!in->count)
+ return NULL;
+
/* User stride must be at least the minimum object size, otherwise it might
* lack useful information.
*/
if (in->stride < min_stride)
return ERR_PTR(-EINVAL);
- if (!in->count)
- return NULL;
-
out_alloc = kvmalloc_array(in->count, obj_size, GFP_KERNEL);
if (!out_alloc)
return ERR_PTR(-ENOMEM);
--
2.45.0
^ permalink raw reply related [flat|nested] 4+ messages in thread* [PATCH v2 2/2] drm/panthor: Fix sync-only jobs
2024-07-03 7:16 [PATCH v2 0/2] drm/panthor: Fix support for sync-only jobs Boris Brezillon
2024-07-03 7:16 ` [PATCH v2 1/2] drm/panthor: Don't check the array stride on empty uobj arrays Boris Brezillon
@ 2024-07-03 7:16 ` Boris Brezillon
2024-07-03 7:47 ` [PATCH v2 0/2] drm/panthor: Fix support for " Boris Brezillon
2 siblings, 0 replies; 4+ messages in thread
From: Boris Brezillon @ 2024-07-03 7:16 UTC (permalink / raw)
To: Boris Brezillon, Steven Price, Liviu Dudau, Adrián Larumbe
Cc: dri-devel, kernel
A sync-only job is meant to provide a synchronization point on a
queue, so we can't return a NULL fence there, we have to add a signal
operation to the command stream which executes after all other
previously submitted jobs are done.
v2:
- Fixed a UAF bug
- Added R-bs
Fixes: de8548813824 ("drm/panthor: Add the scheduler logical block")
Signed-off-by: Boris Brezillon <boris.brezillon@collabora.com>
Reviewed-by: Liviu Dudau <liviu.dudau@arm.com>
Reviewed-by: Steven Price <steven.price@arm.com>
---
drivers/gpu/drm/panthor/panthor_sched.c | 44 ++++++++++++++++++-------
include/uapi/drm/panthor_drm.h | 5 +++
2 files changed, 38 insertions(+), 11 deletions(-)
diff --git a/drivers/gpu/drm/panthor/panthor_sched.c b/drivers/gpu/drm/panthor/panthor_sched.c
index 79ffcbc41d78..9a0ff48f7061 100644
--- a/drivers/gpu/drm/panthor/panthor_sched.c
+++ b/drivers/gpu/drm/panthor/panthor_sched.c
@@ -458,6 +458,16 @@ struct panthor_queue {
/** @seqno: Sequence number of the last initialized fence. */
atomic64_t seqno;
+ /**
+ * @last_fence: Fence of the last submitted job.
+ *
+ * We return this fence when we get an empty command stream.
+ * This way, we are guaranteed that all earlier jobs have completed
+ * when drm_sched_job::s_fence::finished without having to feed
+ * the CS ring buffer with a dummy job that only signals the fence.
+ */
+ struct dma_fence *last_fence;
+
/**
* @in_flight_jobs: List containing all in-flight jobs.
*
@@ -829,6 +839,9 @@ static void group_free_queue(struct panthor_group *group, struct panthor_queue *
panthor_kernel_bo_destroy(queue->ringbuf);
panthor_kernel_bo_destroy(queue->iface.mem);
+ /* Release the last_fence we were holding, if any. */
+ dma_fence_put(queue->fence_ctx.last_fence);
+
kfree(queue);
}
@@ -2784,9 +2797,6 @@ static void group_sync_upd_work(struct work_struct *work)
spin_lock(&queue->fence_ctx.lock);
list_for_each_entry_safe(job, job_tmp, &queue->fence_ctx.in_flight_jobs, node) {
- if (!job->call_info.size)
- continue;
-
if (syncobj->seqno < job->done_fence->seqno)
break;
@@ -2865,11 +2875,14 @@ queue_run_job(struct drm_sched_job *sched_job)
static_assert(sizeof(call_instrs) % 64 == 0,
"call_instrs is not aligned on a cacheline");
- /* Stream size is zero, nothing to do => return a NULL fence and let
- * drm_sched signal the parent.
+ /* Stream size is zero, nothing to do except making sure all previously
+ * submitted jobs are done before we signal the
+ * drm_sched_job::s_fence::finished fence.
*/
- if (!job->call_info.size)
- return NULL;
+ if (!job->call_info.size) {
+ job->done_fence = dma_fence_get(queue->fence_ctx.last_fence);
+ return dma_fence_get(job->done_fence);
+ }
ret = pm_runtime_resume_and_get(ptdev->base.dev);
if (drm_WARN_ON(&ptdev->base, ret))
@@ -2928,6 +2941,10 @@ queue_run_job(struct drm_sched_job *sched_job)
}
}
+ /* Update the last fence. */
+ dma_fence_put(queue->fence_ctx.last_fence);
+ queue->fence_ctx.last_fence = dma_fence_get(job->done_fence);
+
done_fence = dma_fence_get(job->done_fence);
out_unlock:
@@ -3378,10 +3395,15 @@ panthor_job_create(struct panthor_file *pfile,
goto err_put_job;
}
- job->done_fence = kzalloc(sizeof(*job->done_fence), GFP_KERNEL);
- if (!job->done_fence) {
- ret = -ENOMEM;
- goto err_put_job;
+ /* Empty command streams don't need a fence, they'll pick the one from
+ * the previously submitted job.
+ */
+ if (job->call_info.size) {
+ job->done_fence = kzalloc(sizeof(*job->done_fence), GFP_KERNEL);
+ if (!job->done_fence) {
+ ret = -ENOMEM;
+ goto err_put_job;
+ }
}
ret = drm_sched_job_init(&job->base,
diff --git a/include/uapi/drm/panthor_drm.h b/include/uapi/drm/panthor_drm.h
index aaed8e12ad0b..926b1deb1116 100644
--- a/include/uapi/drm/panthor_drm.h
+++ b/include/uapi/drm/panthor_drm.h
@@ -802,6 +802,9 @@ struct drm_panthor_queue_submit {
* Must be 64-bit/8-byte aligned (the size of a CS instruction)
*
* Can be zero if stream_addr is zero too.
+ *
+ * When the stream size is zero, the queue submit serves as a
+ * synchronization point.
*/
__u32 stream_size;
@@ -822,6 +825,8 @@ struct drm_panthor_queue_submit {
* ensure the GPU doesn't get garbage when reading the indirect command
* stream buffers. If you want the cache flush to happen
* unconditionally, pass a zero here.
+ *
+ * Ignored when stream_size is zero.
*/
__u32 latest_flush;
--
2.45.0
^ permalink raw reply related [flat|nested] 4+ messages in thread* Re: [PATCH v2 0/2] drm/panthor: Fix support for sync-only jobs
2024-07-03 7:16 [PATCH v2 0/2] drm/panthor: Fix support for sync-only jobs Boris Brezillon
2024-07-03 7:16 ` [PATCH v2 1/2] drm/panthor: Don't check the array stride on empty uobj arrays Boris Brezillon
2024-07-03 7:16 ` [PATCH v2 2/2] drm/panthor: Fix sync-only jobs Boris Brezillon
@ 2024-07-03 7:47 ` Boris Brezillon
2 siblings, 0 replies; 4+ messages in thread
From: Boris Brezillon @ 2024-07-03 7:47 UTC (permalink / raw)
To: Boris Brezillon, Steven Price, Liviu Dudau, Adrián Larumbe
Cc: dri-devel, kernel
On Wed, 3 Jul 2024 09:16:38 +0200
Boris Brezillon <boris.brezillon@collabora.com> wrote:
> Hello,
>
> Here are two relatively trivial fixes for bugs found while woking
> on the Vulkan implementation, where NULL CS are needed to implement
> VkQueue synchronization.
>
> Regards,
>
> Boris
>
> v2:
> - Fix a UAF bug in the second patch
>
> Boris Brezillon (2):
> drm/panthor: Don't check the array stride on empty uobj arrays
> drm/panthor: Fix sync-only jobs
Queued to drm-misc-next.
>
> drivers/gpu/drm/panthor/panthor_drv.c | 6 ++--
> drivers/gpu/drm/panthor/panthor_sched.c | 44 ++++++++++++++++++-------
> include/uapi/drm/panthor_drm.h | 5 +++
> 3 files changed, 41 insertions(+), 14 deletions(-)
>
^ permalink raw reply [flat|nested] 4+ messages in thread