dri-devel Archive on lore.kernel.org
 help / color / mirror / Atom feed
From: sashiko-bot@kernel.org
To: "Philipp Stanner" <phasta@kernel.org>
Cc: dri-devel@lists.freedesktop.org
Subject: Re: [PATCH 5/5] drm/sched: Remove entity->entity_idle
Date: Wed, 01 Jul 2026 09:09:29 +0000	[thread overview]
Message-ID: <20260701090930.0808D1F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260701085920.3253248-7-phasta@kernel.org>

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [Critical] Removing the `entity_idle` completion introduces a critical race condition between the scheduler worker thread and the entity teardown path, leading to Use-After-Free (UAF) vulnerabilities and SPSC queue corruption.
--

commit f72f2810652760301a56b6a9cbcac8c26715a4a4
Author: Philipp Stanner <phasta@kernel.org>

drm/sched: Remove entity->entity_idle

The completion entity->entity_idle only existed because the entity was
not properly locked through it's spinlock. The completion served to
inform waiters about whether the entity is actually idle, which is
something locking (previously added to drm_sched_entity_is_idle()) can
fully achieve.

> diff --git a/drivers/gpu/drm/scheduler/sched_entity.c b/drivers/gpu/drm/scheduler/sched_entity.c
> index cb03d6a36578b..23536dcfa96a9 100644
> --- a/drivers/gpu/drm/scheduler/sched_entity.c
> +++ b/drivers/gpu/drm/scheduler/sched_entity.c
[ ... ]
> @@ -285,12 +281,7 @@ void drm_sched_entity_kill(struct drm_sched_entity *entity)
>  	spin_lock(&entity->lock);
>  	entity->stopped = true;
>  	drm_sched_rq_remove_entity(entity->rq, entity);
> -	spin_unlock(&entity->lock);
>  
> -	/* Make sure this entity is not used by the scheduler at the moment */
> -	wait_for_completion(&entity->entity_idle);
> -
> -	spin_lock(&entity->lock);

[Severity: High]
Does removing this completion introduce a regression involving a race condition
between the scheduler worker thread and the entity teardown path?

If a userspace application submits gpu jobs and is simultaneously killed with
a fatal signal, wait_event_killable() in drm_sched_entity_flush() can return
-ERESTARTSYS immediately, bypassing the idle wait.

Then drm_sched_entity_kill() executes and returns without waiting for the
worker thread, allowing the entity to be freed while the scheduler worker
thread is concurrently extracting a job.

This could lead to concurrent spsc_queue_pop() calls in
drm_sched_entity_pop_job() violating spsc queue invariants.

It could also lead to a use-after-free when the worker thread accesses the
freed entity pointer:

drivers/gpu/drm/scheduler/sched_main.c:drm_sched_run_job_work() {
    ...
    sched_job = drm_sched_entity_pop_job(entity);
    if (!sched_job) {
    ...
    trace_drm_sched_job_run(sched_job, entity);
    ...
}

>  	prev = entity->last_scheduled;
>  	dma_fence_get(prev);
>  	spin_unlock(&entity->lock);

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260701085920.3253248-2-phasta@kernel.org?part=5

  reply	other threads:[~2026-07-01  9:09 UTC|newest]

Thread overview: 11+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-01  8:59 [PATCH 0/5] drm/sched: Introduce the miracle of locking to entity Philipp Stanner
2026-07-01  8:59 ` [PATCH 1/5] drm/sched: Protect entity->last_scheduled with spinlock Philipp Stanner
2026-07-03 11:27   ` Tvrtko Ursulin
2026-07-03 14:47     ` Philipp Stanner
2026-07-01  8:59 ` [PATCH 2/5] drm/sched: Lock spsc_queue in drm_sched_entity_pop_job() Philipp Stanner
2026-07-01  8:59 ` [PATCH 3/5] drm/sched: Avoid lock cycle for sched_entity Philipp Stanner
2026-07-01  8:59 ` [PATCH 4/5] drm/sched: Lock drm_sched_entity_is_idle() Philipp Stanner
2026-07-01  9:47   ` Tvrtko Ursulin
2026-07-01  8:59 ` [PATCH 5/5] drm/sched: Remove entity->entity_idle Philipp Stanner
2026-07-01  9:09   ` sashiko-bot [this message]
2026-07-01  9:38   ` Philipp Stanner

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260701090930.0808D1F000E9@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=dri-devel@lists.freedesktop.org \
    --cc=phasta@kernel.org \
    --cc=sashiko-reviews@lists.linux.dev \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox