[PATCH] drm/i915: Reorder phys backing storage release

[PATCH] drm/i915: Reorder phys backing storage release

[Chris Wilson]

In commit a4f5ea64f0a8 ("drm/i915: Refactor object page API"), I
reordered the object->pages teardown to be more friendly wrt to a
separate obj->mm.lock. However, I overlooked the phys object and left it
with a dangling use-after-free of its phys_handle. Move the allocation
of the phys handle to get_pages and it release to put_pages to prevent
the invalid access and to improve symmetry.

Testcase: igt/drv_selftest/objects
Reported-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
Fixes: a4f5ea64f0a8 ("drm/i915: Refactor object page API")
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Cc: Ville Syrjälä <ville.syrjala@linux.intel.com>
Cc: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
Cc: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
Cc: intel-gfx@lists.freedesktop.org
---
 drivers/gpu/drm/i915/i915_gem.c | 43 +++++++++++++++++++++++++++--------------
 1 file changed, 28 insertions(+), 15 deletions(-)

diff --git a/drivers/gpu/drm/i915/i915_gem.c b/drivers/gpu/drm/i915/i915_gem.c
index ca0bb837a57f..f05c48dce7d0 100644
--- a/drivers/gpu/drm/i915/i915_gem.c
+++ b/drivers/gpu/drm/i915/i915_gem.c
@@ -176,21 +176,29 @@ static struct sg_table *
 i915_gem_object_get_pages_phys(struct drm_i915_gem_object *obj)
 {
 	struct address_space *mapping = obj->base.filp->f_mapping;
-	char *vaddr = obj->phys_handle->vaddr;
+	drm_dma_handle_t *phys;
 	struct sg_table *st;
 	struct scatterlist *sg;
+	char *vaddr;
 	int i;
 
 	if (WARN_ON(i915_gem_object_needs_bit17_swizzle(obj)))
 		return ERR_PTR(-EINVAL);
 
+	phys = drm_pci_alloc(obj->base.dev, obj->base.size, obj->base.size);
+	if (!phys)
+		return ERR_PTR(-ENOMEM);
+
+	vaddr = phys->vaddr;
 	for (i = 0; i < obj->base.size / PAGE_SIZE; i++) {
 		struct page *page;
 		char *src;
 
 		page = shmem_read_mapping_page(mapping, i);
-		if (IS_ERR(page))
-			return ERR_CAST(page);
+		if (IS_ERR(page)) {
+			st = ERR_CAST(page);
+			goto err_phys;
+		}
 
 		src = kmap_atomic(page);
 		memcpy(vaddr, src, PAGE_SIZE);
@@ -204,21 +212,29 @@ i915_gem_object_get_pages_phys(struct drm_i915_gem_object *obj)
 	i915_gem_chipset_flush(to_i915(obj->base.dev));
 
 	st = kmalloc(sizeof(*st), GFP_KERNEL);
-	if (st == NULL)
-		return ERR_PTR(-ENOMEM);
+	if (st == NULL) {
+		st = ERR_PTR(-ENOMEM);
+		goto err_phys;
+	}
 
 	if (sg_alloc_table(st, 1, GFP_KERNEL)) {
 		kfree(st);
-		return ERR_PTR(-ENOMEM);
+		st = ERR_PTR(-ENOMEM);
+		goto err_phys;
 	}
 
 	sg = st->sgl;
 	sg->offset = 0;
 	sg->length = obj->base.size;
 
-	sg_dma_address(sg) = obj->phys_handle->busaddr;
+	sg_dma_address(sg) = phys->busaddr;
 	sg_dma_len(sg) = obj->base.size;
 
+	obj->phys_handle = phys;
+	return st;
+
+err_phys:
+	drm_pci_free(obj->base.dev, phys);
 	return st;
 }
 
@@ -274,12 +290,13 @@ i915_gem_object_put_pages_phys(struct drm_i915_gem_object *obj,
 
 	sg_free_table(pages);
 	kfree(pages);
+
+	drm_pci_free(obj->base.dev, obj->phys_handle);
 }
 
 static void
 i915_gem_object_release_phys(struct drm_i915_gem_object *obj)
 {
-	drm_pci_free(obj->base.dev, obj->phys_handle);
 	i915_gem_object_unpin_pages(obj);
 }
 
@@ -540,9 +557,11 @@ int
 i915_gem_object_attach_phys(struct drm_i915_gem_object *obj,
 			    int align)
 {
-	drm_dma_handle_t *phys;
 	int ret;
 
+	if (align > obj->base.size)
+		return -EINVAL;
+
 	if (obj->phys_handle) {
 		if ((unsigned long)obj->phys_handle->vaddr & (align -1))
 			return -EBUSY;
@@ -564,12 +583,6 @@ i915_gem_object_attach_phys(struct drm_i915_gem_object *obj,
 	if (obj->mm.pages)
 		return -EBUSY;
 
-	/* create a new object */
-	phys = drm_pci_alloc(obj->base.dev, obj->base.size, align);
-	if (!phys)
-		return -ENOMEM;
-
-	obj->phys_handle = phys;
 	obj->ops = &i915_gem_phys_ops;
 
 	return i915_gem_object_pin_pages(obj);
-- 
2.11.0

_______________________________________________
Intel-gfx mailing list
Intel-gfx@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/intel-gfx

✓ Fi.CI.BAT: success for drm/i915: Reorder phys backing storage release

[Patchwork]

== Series Details ==

Series: drm/i915: Reorder phys backing storage release
URL   : https://patchwork.freedesktop.org/series/16468/
State : success

== Summary ==

Series 16468v1 drm/i915: Reorder phys backing storage release
https://patchwork.freedesktop.org/api/1.0/series/16468/revisions/1/mbox/


fi-bdw-5557u     total:247  pass:219  dwarn:0   dfail:0   fail:0   skip:28 
fi-bsw-n3050     total:247  pass:195  dwarn:0   dfail:0   fail:0   skip:52 
fi-bxt-t5700     total:247  pass:206  dwarn:0   dfail:0   fail:0   skip:41 
fi-byt-j1900     total:247  pass:206  dwarn:0   dfail:0   fail:0   skip:41 
fi-hsw-4770      total:247  pass:214  dwarn:0   dfail:0   fail:0   skip:33 
fi-hsw-4770r     total:247  pass:214  dwarn:0   dfail:0   fail:0   skip:33 
fi-ilk-650       total:247  pass:181  dwarn:0   dfail:0   fail:0   skip:66 
fi-ivb-3520m     total:247  pass:213  dwarn:0   dfail:0   fail:0   skip:34 
fi-ivb-3770      total:247  pass:212  dwarn:0   dfail:0   fail:0   skip:35 
fi-kbl-7500u     total:247  pass:212  dwarn:0   dfail:0   fail:0   skip:35 
fi-skl-6260u     total:247  pass:220  dwarn:0   dfail:0   fail:0   skip:27 
fi-skl-6700hq    total:247  pass:214  dwarn:0   dfail:0   fail:0   skip:33 
fi-skl-6700k     total:247  pass:210  dwarn:3   dfail:0   fail:0   skip:34 
fi-skl-6770hq    total:247  pass:220  dwarn:0   dfail:0   fail:0   skip:27 
fi-snb-2520m     total:247  pass:202  dwarn:0   dfail:0   fail:0   skip:45 
fi-snb-2600      total:247  pass:201  dwarn:0   dfail:0   fail:0   skip:46 

7955526172a2154393986eb78de44e61cabd81f3 drm-tip: 2016y-12m-07d-10h-06m-32s UTC integration manifest
bd87780 drm/i915: Reorder phys backing storage release

== Logs ==

For more details see: https://intel-gfx-ci.01.org/CI/Patchwork_3213/
_______________________________________________
Intel-gfx mailing list
Intel-gfx@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/intel-gfx

Re: [PATCH] drm/i915: Reorder phys backing storage release

[Joonas Lahtinen]

On ke, 2016-12-07 at 10:07 +0000, Chris Wilson wrote:
> In commit a4f5ea64f0a8 ("drm/i915: Refactor object page API"), I
> reordered the object->pages teardown to be more friendly wrt to a
> separate obj->mm.lock. However, I overlooked the phys object and left it
> with a dangling use-after-free of its phys_handle. Move the allocation
> of the phys handle to get_pages and it release to put_pages to prevent
> the invalid access and to improve symmetry.
> 
> Testcase: igt/drv_selftest/objects
> Reported-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
> Fixes: a4f5ea64f0a8 ("drm/i915: Refactor object page API")
> Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
> Cc: Ville Syrjälä <ville.syrjala@linux.intel.com>
> Cc: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
> Cc: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
> Cc: intel-gfx@lists.freedesktop.org

<SNIP>

>  i915_gem_object_get_pages_phys(struct drm_i915_gem_object *obj)
>  {
>  	struct address_space *mapping = obj->base.filp->f_mapping;
> -	char *vaddr = obj->phys_handle->vaddr;
> +	drm_dma_handle_t *phys;
>  	struct sg_table *st;
>  	struct scatterlist *sg;
> +	char *vaddr;
>  	int i;
>  
>  	if (WARN_ON(i915_gem_object_needs_bit17_swizzle(obj)))
>  		return ERR_PTR(-EINVAL);
>  
> +	phys = drm_pci_alloc(obj->base.dev, obj->base.size, obj->base.size);

Aligning to object size sounds bit rough without any comments.

> @@ -204,21 +212,29 @@ i915_gem_object_get_pages_phys(struct drm_i915_gem_object *obj)
>  	i915_gem_chipset_flush(to_i915(obj->base.dev));
>  
>  	st = kmalloc(sizeof(*st), GFP_KERNEL);
> -	if (st == NULL)
> -		return ERR_PTR(-ENOMEM);
> +	if (st == NULL) {

Could convert to (!st) when touching, pleases checkpatch.pl.

With the align propagated or explained in a comment;

Reviewed-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>

Regards, Joonas
-- 
Joonas Lahtinen
Open Source Technology Center
Intel Corporation
_______________________________________________
Intel-gfx mailing list
Intel-gfx@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/intel-gfx

Re: [PATCH] drm/i915: Reorder phys backing storage release

[Chris Wilson]

On Wed, Dec 07, 2016 at 02:10:34PM +0200, Joonas Lahtinen wrote:
> On ke, 2016-12-07 at 10:07 +0000, Chris Wilson wrote:
> > In commit a4f5ea64f0a8 ("drm/i915: Refactor object page API"), I
> > reordered the object->pages teardown to be more friendly wrt to a
> > separate obj->mm.lock. However, I overlooked the phys object and left it
> > with a dangling use-after-free of its phys_handle. Move the allocation
> > of the phys handle to get_pages and it release to put_pages to prevent
> > the invalid access and to improve symmetry.
> > 
> > Testcase: igt/drv_selftest/objects
> > Reported-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
> > Fixes: a4f5ea64f0a8 ("drm/i915: Refactor object page API")
> > Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
> > Cc: Ville Syrjälä <ville.syrjala@linux.intel.com>
> > Cc: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
> > Cc: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
> > Cc: intel-gfx@lists.freedesktop.org
> 
> <SNIP>
> 
> >  i915_gem_object_get_pages_phys(struct drm_i915_gem_object *obj)
> >  {
> >  	struct address_space *mapping = obj->base.filp->f_mapping;
> > -	char *vaddr = obj->phys_handle->vaddr;
> > +	drm_dma_handle_t *phys;
> >  	struct sg_table *st;
> >  	struct scatterlist *sg;
> > +	char *vaddr;
> >  	int i;
> >  
> >  	if (WARN_ON(i915_gem_object_needs_bit17_swizzle(obj)))
> >  		return ERR_PTR(-EINVAL);
> >  
> > +	phys = drm_pci_alloc(obj->base.dev, obj->base.size, obj->base.size);
> 
> Aligning to object size sounds bit rough without any comments.

Not that rough really, since the phys allocation will be power-of-two
aligned both in size and address. The alignment can only be power-of-two
up to the size of the object (rounded up).

The choice is adding an extra parameter for a rarely used feature or
just picking an alignment that must work for all callers. Since the
objects are either 4k or 16k and either 4k or 16k aligned (though only
830 cursors are 16k aligned), the alignment falls out of the actual
buddy allocation for the contiguous pages.
-Chris

-- 
Chris Wilson, Intel Open Source Technology Centre
_______________________________________________
Intel-gfx mailing list
Intel-gfx@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/intel-gfx

Re: [PATCH] drm/i915: Reorder phys backing storage release

[Joonas Lahtinen]

On ke, 2016-12-07 at 12:27 +0000, Chris Wilson wrote:

> Since the
> objects are either 4k or 16k and either 4k or 16k aligned (though only
> 830 cursors are 16k aligned), the alignment falls out of the actual
> buddy allocation for the contiguous pages.

This should be enough information to add. Maybe even an explicit
{WARN,GEM_BUG}_ON...

Regards, Joonas
-- 
Joonas Lahtinen
Open Source Technology Center
Intel Corporation
_______________________________________________
Intel-gfx mailing list
Intel-gfx@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/intel-gfx