From: Danilo Krummrich <dakr@redhat.com>
To: Boris Brezillon <boris.brezillon@collabora.com>
Cc: matthew.brost@intel.com, thomas.hellstrom@linux.intel.com,
sarah.walker@imgtec.com, nouveau@lists.freedesktop.org,
linux-kernel@vger.kernel.org, dri-devel@lists.freedesktop.org,
donald.robson@imgtec.com, daniel@ffwll.ch,
christian.koenig@amd.com, faith.ekstrand@collabora.com
Subject: Re: [Nouveau] [PATCH drm-misc-next v3 6/7] drm/gpuvm: generalize dma_resv/extobj handling and GEM validation
Date: Mon, 11 Sep 2023 18:30:10 +0200
Message-ID: <ZP9AkkJ1FruZGSVV@cassiopeiae>
In-Reply-To: <20230911164526.0192a686@collabora.com>

On Mon, Sep 11, 2023 at 04:45:26PM +0200, Boris Brezillon wrote:
> On Sat, 9 Sep 2023 17:31:13 +0200
> Danilo Krummrich <dakr@redhat.com> wrote:
>
> > @@ -807,6 +1262,14 @@ drm_gpuvm_bo_destroy(struct kref *kref)
> >
> > drm_gem_gpuva_assert_lock_held(vm_bo->obj);
> >
> > + spin_lock(&gpuvm->extobj.lock);
> > + list_del(&vm_bo->list.entry.extobj);
> > + spin_unlock(&gpuvm->extobj.lock);
> > +
> > + spin_lock(&gpuvm->evict.lock);
> > + list_del(&vm_bo->list.entry.evict);
> > + spin_unlock(&gpuvm->evict.lock);
> > +
> > list_del(&vm_bo->list.entry.gem);
> >
> > drm_gem_object_put(obj);
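
Review bot: the trailing drm_gem_object_put(obj) can drop the last reference to obj while the caller still holds the lock checked by drm_gem_gpuva_assert_lock_held(vm_bo->obj) at the top of this hunk. That assertion is made against the object itself, so the caller's later unlock would operate on an object that may already be released. Either state in the kernel-doc that callers must hold their own reference on obj across the put, or protect list.entry.gem with a lock the function takes itself, as is done for the extobj and evict lists just above, so that no obj-owned lock has to be held on entry.
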
>
> I ran into a UAF situation when the drm_gpuvm_bo object is the last
> owner of obj, because the lock that's supposed to be held when calling
> this function (drm_gem_gpuva_assert_lock_held() call above), belongs to
> obj (either obj->resv, or a driver specific lock that's attached to the
> driver-specific GEM object). I worked around it by taking a ref to obj
> before calling lock()+drm_gpuvm_bo_put()+unlock(), and releasing it
> after I'm done with the lock, but that just feels wrong.
>
As mentioned in a previous reply, I think we want to bring the dedicated GEM
gpuva list lock back instead of abusing the dma-resv lock. This way we can
handle locking internally and don't run into such issues.

There is also no reason for a driver to already hold the GEM gpuva list lock
when calling drm_gpuvm_bo_put(). Drivers would only acquire the lock to
iterate the GEMs list of drm_gpuvm_bos or the drm_gpuvm_bos list of drm_gpuvas.
And dropping the drm_gpuvm_bo from within such a loop is forbidden anyways.
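
The lifetime problem discussed in this mail, as an added userspace model that is not part of the original message or the DRM code: a lock embedded in a refcounted object is held across a put that may drop the last reference. All type and function names are hypothetical, and the object is only marked dead instead of freed so the stale unlock can be counted safely.

```c
#include <stdbool.h>

/* Userspace model; every name here is hypothetical, not the DRM API. */
struct gem_obj {
    int refs;
    bool locked;   /* stands in for obj->resv or a driver lock inside obj */
    bool dead;     /* set where the real code would free the object */
};

struct vm_bo { struct gem_obj *obj; };  /* holds one reference on obj */

static int stale_unlocks;  /* unlock calls that hit a released object */

static void obj_get(struct gem_obj *o) { o->refs++; }

static void obj_put(struct gem_obj *o)
{
    if (--o->refs == 0)
        o->dead = true;    /* a free in real code; kept so we can observe */
}

static void obj_lock(struct gem_obj *o) { o->locked = true; }

static void obj_unlock(struct gem_obj *o)
{
    if (o->dead)
        stale_unlocks++;   /* real code: access to freed memory (UAF) */
    o->locked = false;
}

/* Models the tail of the destroy path: drop the vm_bo's ref on obj. */
static void vm_bo_put(struct vm_bo *b) { obj_put(b->obj); }

/* Returns how many unlocks touched a released object. */
static int run_put_under_lock(bool extra_ref)
{
    struct gem_obj o = { .refs = 1 };   /* vm_bo is the last owner */
    struct vm_bo b = { .obj = &o };

    stale_unlocks = 0;
    if (extra_ref)
        obj_get(&o);       /* workaround from the mail: pin obj first */
    obj_lock(&o);
    vm_bo_put(&b);
    obj_unlock(&o);
    if (extra_ref)
        obj_put(&o);       /* last ref dropped only after unlock */
    return stale_unlocks;
}
```

With a lock that does not live inside obj, as proposed in the reply, the put path needs neither the extra reference nor a caller-held lock.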