* [PATCH] drm/i915/ppgtt: Prevent NULL deref in reset ioctl
@ 2013-12-19 23:22 Ben Widawsky
2013-12-20 6:05 ` Daniel Vetter
2013-12-22 20:55 ` [PATCH] drm/i915/ppgtt: Never return a NULL context Ben Widawsky
0 siblings, 2 replies; 10+ messages in thread
From: Ben Widawsky @ 2013-12-19 23:22 UTC (permalink / raw)
To: Intel GFX; +Cc: Ben Widawsky, Ben Widawsky
If we look up an invalid context ID, the idr will return NULL. The ptr
is unconditionally dereferenced afterwards causing a problem.
Note that if the context does not exist, we still return success. This
appears to be the behavior desired by gem_reset_stats --subtest ban
Introduced in v3 of
commit 41bde5535a7d48876095926bb55b1aed5ccd6b2c
Author: Ben Widawsky <ben@bwidawsk.net>
Date: Fri Dec 6 14:11:21 2013 -0800
drm/i915: Get context early in execbuf
Cc: Mika Kuoppala <mika.kuoppala@linux.intel.com>
Signed-off-by: Ben Widawsky <ben@bwidawsk.net>
---
drivers/gpu/drm/i915/intel_uncore.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/i915/intel_uncore.c b/drivers/gpu/drm/i915/intel_uncore.c
index e52fcce..aa4c55a 100644
--- a/drivers/gpu/drm/i915/intel_uncore.c
+++ b/drivers/gpu/drm/i915/intel_uncore.c
@@ -850,7 +850,7 @@ int i915_get_reset_stats_ioctl(struct drm_device *dev,
return ret;
ctx = i915_gem_context_get(file->driver_priv, args->ctx_id);
- if (IS_ERR(ctx)) {
+ if (IS_ERR_OR_NULL(ctx)) {
mutex_unlock(&dev->struct_mutex);
return PTR_ERR(ctx);
}
--
1.8.5.1
^ permalink raw reply related [flat|nested] 10+ messages in thread* Re: [PATCH] drm/i915/ppgtt: Prevent NULL deref in reset ioctl 2013-12-19 23:22 [PATCH] drm/i915/ppgtt: Prevent NULL deref in reset ioctl Ben Widawsky @ 2013-12-20 6:05 ` Daniel Vetter 2013-12-20 6:55 ` Ben Widawsky 2013-12-22 20:55 ` [PATCH] drm/i915/ppgtt: Never return a NULL context Ben Widawsky 1 sibling, 1 reply; 10+ messages in thread From: Daniel Vetter @ 2013-12-20 6:05 UTC (permalink / raw) To: Ben Widawsky; +Cc: Intel GFX, Ben Widawsky On Fri, Dec 20, 2013 at 12:22 AM, Ben Widawsky <benjamin.widawsky@intel.com> wrote: > ctx = i915_gem_context_get(file->driver_priv, args->ctx_id); > - if (IS_ERR(ctx)) { > + if (IS_ERR_OR_NULL(ctx)) { We now have half the callers check for IS_ERR and the others not. Afaics i915_gem_context_get can only return NULL or a real context though. Also from a quite read the expected error for a lookup failure is ENOENT (and there seems to be a testcase for this). -Daniel -- Daniel Vetter Software Engineer, Intel Corporation +41 (0) 79 365 57 48 - http://blog.ffwll.ch ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH] drm/i915/ppgtt: Prevent NULL deref in reset ioctl 2013-12-20 6:05 ` Daniel Vetter @ 2013-12-20 6:55 ` Ben Widawsky 2013-12-20 14:11 ` Daniel Vetter 0 siblings, 1 reply; 10+ messages in thread From: Ben Widawsky @ 2013-12-20 6:55 UTC (permalink / raw) To: Daniel Vetter; +Cc: Intel GFX, Ben Widawsky On Fri, Dec 20, 2013 at 07:05:10AM +0100, Daniel Vetter wrote: > On Fri, Dec 20, 2013 at 12:22 AM, Ben Widawsky > <benjamin.widawsky@intel.com> wrote: > > ctx = i915_gem_context_get(file->driver_priv, args->ctx_id); > > - if (IS_ERR(ctx)) { > > + if (IS_ERR_OR_NULL(ctx)) { > > We now have half the callers check for IS_ERR and the others not. > Afaics i915_gem_context_get can only return NULL or a real context > though. Also from a quite read the expected error for a lookup failure > is ENOENT (and there seems to be a testcase for this). > -Daniel To your first point: I think checking null is always the right thing currently, but for future proofing, IS_ERR_OR_NULL is really the right thing. After his patch, I believe only i915_gem_context_destroy_ioctl is still incorrect. To the second: This is only based on my memory, so feel free to change whatever you need. When I retuned -ENXIO, the test failed. It should be: return ctx ? PTR_ERR(ctx) : -ENOENT; I had return ctx ? PTR_ERR(ctx) : -ENXIO; which made the subtest fail. However, as we've noted, this itself was not correct. Try the return above. -- Ben Widawsky, Intel Open Source Technology Center ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH] drm/i915/ppgtt: Prevent NULL deref in reset ioctl 2013-12-20 6:55 ` Ben Widawsky @ 2013-12-20 14:11 ` Daniel Vetter 2013-12-20 14:37 ` Jani Nikula 2013-12-20 18:21 ` Ben Widawsky 0 siblings, 2 replies; 10+ messages in thread From: Daniel Vetter @ 2013-12-20 14:11 UTC (permalink / raw) To: Ben Widawsky; +Cc: Intel GFX, Ben Widawsky On Thu, Dec 19, 2013 at 10:55:56PM -0800, Ben Widawsky wrote: > On Fri, Dec 20, 2013 at 07:05:10AM +0100, Daniel Vetter wrote: > > On Fri, Dec 20, 2013 at 12:22 AM, Ben Widawsky > > <benjamin.widawsky@intel.com> wrote: > > > ctx = i915_gem_context_get(file->driver_priv, args->ctx_id); > > > - if (IS_ERR(ctx)) { > > > + if (IS_ERR_OR_NULL(ctx)) { > > > > We now have half the callers check for IS_ERR and the others not. > > Afaics i915_gem_context_get can only return NULL or a real context > > though. Also from a quite read the expected error for a lookup failure > > is ENOENT (and there seems to be a testcase for this). > > -Daniel > > > To your first point: > I think checking null is always the right thing currently, but for > future proofing, IS_ERR_OR_NULL is really the right thing. After his > patch, I believe only i915_gem_context_destroy_ioctl is still incorrect. Using IS_ERR_OR_NULL on a return value which can never contain an encoded errno value is imo confusing, more so when it's inconsitently applied. > To the second: > This is only based on my memory, so feel free to change whatever you > need. When I retuned -ENXIO, the test failed. > > It should be: > return ctx ? PTR_ERR(ctx) : -ENOENT; On a cursory read that's been the semantics before your patch. And there seems to be a testcase in gem_reset_stat for this, have you run all subtests? > I had > return ctx ? PTR_ERR(ctx) : -ENXIO; > which made the subtest fail. However, as we've noted, this itself was > not correct. Try the return above. Thanks, Daniel -- Daniel Vetter Software Engineer, Intel Corporation +41 (0) 79 365 57 48 - http://blog.ffwll.ch ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH] drm/i915/ppgtt: Prevent NULL deref in reset ioctl 2013-12-20 14:11 ` Daniel Vetter @ 2013-12-20 14:37 ` Jani Nikula 2013-12-20 18:21 ` Ben Widawsky 2013-12-20 18:21 ` Ben Widawsky 1 sibling, 1 reply; 10+ messages in thread From: Jani Nikula @ 2013-12-20 14:37 UTC (permalink / raw) To: Daniel Vetter, Ben Widawsky; +Cc: Intel GFX, Ben Widawsky On Fri, 20 Dec 2013, Daniel Vetter <daniel@ffwll.ch> wrote: > On Thu, Dec 19, 2013 at 10:55:56PM -0800, Ben Widawsky wrote: >> On Fri, Dec 20, 2013 at 07:05:10AM +0100, Daniel Vetter wrote: >> > On Fri, Dec 20, 2013 at 12:22 AM, Ben Widawsky >> > <benjamin.widawsky@intel.com> wrote: >> > > ctx = i915_gem_context_get(file->driver_priv, args->ctx_id); >> > > - if (IS_ERR(ctx)) { >> > > + if (IS_ERR_OR_NULL(ctx)) { >> > >> > We now have half the callers check for IS_ERR and the others not. >> > Afaics i915_gem_context_get can only return NULL or a real context >> > though. Also from a quite read the expected error for a lookup failure >> > is ENOENT (and there seems to be a testcase for this). >> > -Daniel >> >> >> To your first point: >> I think checking null is always the right thing currently, but for >> future proofing, IS_ERR_OR_NULL is really the right thing. After his >> patch, I believe only i915_gem_context_destroy_ioctl is still incorrect. > > Using IS_ERR_OR_NULL on a return value which can never contain an > encoded errno value is imo confusing, more so when it's inconsitently > applied. Moreover, the error path then goes on to return 0 for success when the pointer is NULL. BR, Jani. -- Jani Nikula, Intel Open Source Technology Center ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH] drm/i915/ppgtt: Prevent NULL deref in reset ioctl 2013-12-20 14:37 ` Jani Nikula @ 2013-12-20 18:21 ` Ben Widawsky 0 siblings, 0 replies; 10+ messages in thread From: Ben Widawsky @ 2013-12-20 18:21 UTC (permalink / raw) To: Jani Nikula; +Cc: Intel GFX, Ben Widawsky On Fri, Dec 20, 2013 at 04:37:34PM +0200, Jani Nikula wrote: > On Fri, 20 Dec 2013, Daniel Vetter <daniel@ffwll.ch> wrote: > > On Thu, Dec 19, 2013 at 10:55:56PM -0800, Ben Widawsky wrote: > >> On Fri, Dec 20, 2013 at 07:05:10AM +0100, Daniel Vetter wrote: > >> > On Fri, Dec 20, 2013 at 12:22 AM, Ben Widawsky > >> > <benjamin.widawsky@intel.com> wrote: > >> > > ctx = i915_gem_context_get(file->driver_priv, args->ctx_id); > >> > > - if (IS_ERR(ctx)) { > >> > > + if (IS_ERR_OR_NULL(ctx)) { > >> > > >> > We now have half the callers check for IS_ERR and the others not. > >> > Afaics i915_gem_context_get can only return NULL or a real context > >> > though. Also from a quite read the expected error for a lookup failure > >> > is ENOENT (and there seems to be a testcase for this). > >> > -Daniel > >> > >> > >> To your first point: > >> I think checking null is always the right thing currently, but for > >> future proofing, IS_ERR_OR_NULL is really the right thing. After his > >> patch, I believe only i915_gem_context_destroy_ioctl is still incorrect. > > > > Using IS_ERR_OR_NULL on a return value which can never contain an > > encoded errno value is imo confusing, more so when it's inconsitently > > applied. > > Moreover, the error path then goes on to return 0 for success when the > pointer is NULL. > That was mentioned in the commit message. > BR, > Jani. > > > -- > Jani Nikula, Intel Open Source Technology Center -- Ben Widawsky, Intel Open Source Technology Center ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH] drm/i915/ppgtt: Prevent NULL deref in reset ioctl 2013-12-20 14:11 ` Daniel Vetter 2013-12-20 14:37 ` Jani Nikula @ 2013-12-20 18:21 ` Ben Widawsky 1 sibling, 0 replies; 10+ messages in thread From: Ben Widawsky @ 2013-12-20 18:21 UTC (permalink / raw) To: Daniel Vetter; +Cc: Intel GFX, Ben Widawsky On Fri, Dec 20, 2013 at 03:11:09PM +0100, Daniel Vetter wrote: > On Thu, Dec 19, 2013 at 10:55:56PM -0800, Ben Widawsky wrote: > > On Fri, Dec 20, 2013 at 07:05:10AM +0100, Daniel Vetter wrote: > > > On Fri, Dec 20, 2013 at 12:22 AM, Ben Widawsky > > > <benjamin.widawsky@intel.com> wrote: > > > > ctx = i915_gem_context_get(file->driver_priv, args->ctx_id); > > > > - if (IS_ERR(ctx)) { > > > > + if (IS_ERR_OR_NULL(ctx)) { > > > > > > We now have half the callers check for IS_ERR and the others not. > > > Afaics i915_gem_context_get can only return NULL or a real context > > > though. Also from a quite read the expected error for a lookup failure > > > is ENOENT (and there seems to be a testcase for this). > > > -Daniel > > > > > > To your first point: > > I think checking null is always the right thing currently, but for > > future proofing, IS_ERR_OR_NULL is really the right thing. After his > > patch, I believe only i915_gem_context_destroy_ioctl is still incorrect. > > Using IS_ERR_OR_NULL on a return value which can never contain an > encoded errno value is imo confusing, more so when it's inconsitently > applied. > > > To the second: > > This is only based on my memory, so feel free to change whatever you > > need. When I retuned -ENXIO, the test failed. > > > > It should be: > > return ctx ? PTR_ERR(ctx) : -ENOENT; > > On a cursory read that's been the semantics before your patch. And there > seems to be a testcase in gem_reset_stat for this, have you run all > subtests? As I mentioned on IRC, but I think you missed it - a later subtest hits a really bad BUG (pre-ppgtt). It was all pass up to that subtest. > > > I had > > return ctx ? PTR_ERR(ctx) : -ENXIO; > > which made the subtest fail. However, as we've noted, this itself was > > not correct. Try the return above. > > Thanks, Daniel > -- > Daniel Vetter > Software Engineer, Intel Corporation > +41 (0) 79 365 57 48 - http://blog.ffwll.ch -- Ben Widawsky, Intel Open Source Technology Center ^ permalink raw reply [flat|nested] 10+ messages in thread
* [PATCH] drm/i915/ppgtt: Never return a NULL context 2013-12-19 23:22 [PATCH] drm/i915/ppgtt: Prevent NULL deref in reset ioctl Ben Widawsky 2013-12-20 6:05 ` Daniel Vetter @ 2013-12-22 20:55 ` Ben Widawsky 2014-01-01 5:46 ` [PATCH] [v2] " Ben Widawsky 1 sibling, 1 reply; 10+ messages in thread From: Ben Widawsky @ 2013-12-22 20:55 UTC (permalink / raw) To: Intel GFX; +Cc: Ben Widawsky, Ben Widawsky It makes all the code which calls into this function way too confusing. Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=72903 Signed-off-by: Ben Widawsky <ben@bwidawsk.net> --- drivers/gpu/drm/i915/i915_gem_context.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/drivers/gpu/drm/i915/i915_gem_context.c b/drivers/gpu/drm/i915/i915_gem_context.c index ebe0f67..4794c18 100644 --- a/drivers/gpu/drm/i915/i915_gem_context.c +++ b/drivers/gpu/drm/i915/i915_gem_context.c @@ -526,10 +526,16 @@ void i915_gem_context_close(struct drm_device *dev, struct drm_file *file) struct i915_hw_context * i915_gem_context_get(struct drm_i915_file_private *file_priv, u32 id) { + struct i915_hw_context *ctx; + if (!HAS_HW_CONTEXTS(file_priv->dev_priv->dev)) return file_priv->private_default_ctx; - return (struct i915_hw_context *)idr_find(&file_priv->context_idr, id); + ctx = (struct i915_hw_context *)idr_find(&file_priv->context_idr, id); + if (!ctx) + return ERR_PTR(-ENOENT); + + return ctx; } static inline int -- 1.8.5.2 ^ permalink raw reply related [flat|nested] 10+ messages in thread
* [PATCH] [v2] drm/i915/ppgtt: Never return a NULL context 2013-12-22 20:55 ` [PATCH] drm/i915/ppgtt: Never return a NULL context Ben Widawsky @ 2014-01-01 5:46 ` Ben Widawsky 2014-01-02 14:34 ` Mika Kuoppala 0 siblings, 1 reply; 10+ messages in thread From: Ben Widawsky @ 2014-01-01 5:46 UTC (permalink / raw) To: Intel GFX; +Cc: Ben Widawsky, Ben Widawsky It makes all the code which calls into this function way too confusing. v2: Fix destroy IOCTL as well Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=72903 Signed-off-by: Ben Widawsky <ben@bwidawsk.net> --- drivers/gpu/drm/i915/i915_gem_context.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/drivers/gpu/drm/i915/i915_gem_context.c b/drivers/gpu/drm/i915/i915_gem_context.c index a90a0a1..f3ac9a2 100644 --- a/drivers/gpu/drm/i915/i915_gem_context.c +++ b/drivers/gpu/drm/i915/i915_gem_context.c @@ -524,10 +524,16 @@ void i915_gem_context_close(struct drm_device *dev, struct drm_file *file) struct i915_hw_context * i915_gem_context_get(struct drm_i915_file_private *file_priv, u32 id) { + struct i915_hw_context *ctx; + if (!HAS_HW_CONTEXTS(file_priv->dev_priv->dev)) return file_priv->private_default_ctx; - return (struct i915_hw_context *)idr_find(&file_priv->context_idr, id); + ctx = (struct i915_hw_context *)idr_find(&file_priv->context_idr, id); + if (!ctx) + return ERR_PTR(-ENOENT); + + return ctx; } static inline int @@ -774,9 +780,9 @@ int i915_gem_context_destroy_ioctl(struct drm_device *dev, void *data, return ret; ctx = i915_gem_context_get(file_priv, args->ctx_id); - if (!ctx) { + if (IS_ERR(ctx)) { mutex_unlock(&dev->struct_mutex); - return -ENOENT; + return PTR_ERR(ctx); } idr_remove(&ctx->file_priv->context_idr, ctx->id); -- 1.8.5.2 ^ permalink raw reply related [flat|nested] 10+ messages in thread
* Re: [PATCH] [v2] drm/i915/ppgtt: Never return a NULL context 2014-01-01 5:46 ` [PATCH] [v2] " Ben Widawsky @ 2014-01-02 14:34 ` Mika Kuoppala 0 siblings, 0 replies; 10+ messages in thread From: Mika Kuoppala @ 2014-01-02 14:34 UTC (permalink / raw) To: Intel GFX; +Cc: Ben Widawsky, Ben Widawsky Ben Widawsky <benjamin.widawsky@intel.com> writes: > It makes all the code which calls into this function way too confusing. > > v2: Fix destroy IOCTL as well > callsite inside i915_gem_validate_context() and after it is called in i915_gem_do_execbuffer() are still confusing as they seem to expect NULL. Latter even tries to dig out error value from NULL. -- Mika > Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=72903 > Signed-off-by: Ben Widawsky <ben@bwidawsk.net> > --- > drivers/gpu/drm/i915/i915_gem_context.c | 12 +++++++++--- > 1 file changed, 9 insertions(+), 3 deletions(-) > > diff --git a/drivers/gpu/drm/i915/i915_gem_context.c b/drivers/gpu/drm/i915/i915_gem_context.c > index a90a0a1..f3ac9a2 100644 > --- a/drivers/gpu/drm/i915/i915_gem_context.c > +++ b/drivers/gpu/drm/i915/i915_gem_context.c > @@ -524,10 +524,16 @@ void i915_gem_context_close(struct drm_device *dev, struct drm_file *file) > struct i915_hw_context * > i915_gem_context_get(struct drm_i915_file_private *file_priv, u32 id) > { > + struct i915_hw_context *ctx; > + > if (!HAS_HW_CONTEXTS(file_priv->dev_priv->dev)) > return file_priv->private_default_ctx; > > - return (struct i915_hw_context *)idr_find(&file_priv->context_idr, id); > + ctx = (struct i915_hw_context *)idr_find(&file_priv->context_idr, id); > + if (!ctx) > + return ERR_PTR(-ENOENT); > + > + return ctx; > } > > static inline int > @@ -774,9 +780,9 @@ int i915_gem_context_destroy_ioctl(struct drm_device *dev, void *data, > return ret; > > ctx = i915_gem_context_get(file_priv, args->ctx_id); > - if (!ctx) { > + if (IS_ERR(ctx)) { > mutex_unlock(&dev->struct_mutex); > - return -ENOENT; > + return PTR_ERR(ctx); > } > > idr_remove(&ctx->file_priv->context_idr, ctx->id); > -- > 1.8.5.2 > > _______________________________________________ > Intel-gfx mailing list > Intel-gfx@lists.freedesktop.org > http://lists.freedesktop.org/mailman/listinfo/intel-gfx ^ permalink raw reply [flat|nested] 10+ messages in thread
end of thread, other threads:[~2014-01-02 14:34 UTC | newest] Thread overview: 10+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2013-12-19 23:22 [PATCH] drm/i915/ppgtt: Prevent NULL deref in reset ioctl Ben Widawsky 2013-12-20 6:05 ` Daniel Vetter 2013-12-20 6:55 ` Ben Widawsky 2013-12-20 14:11 ` Daniel Vetter 2013-12-20 14:37 ` Jani Nikula 2013-12-20 18:21 ` Ben Widawsky 2013-12-20 18:21 ` Ben Widawsky 2013-12-22 20:55 ` [PATCH] drm/i915/ppgtt: Never return a NULL context Ben Widawsky 2014-01-01 5:46 ` [PATCH] [v2] " Ben Widawsky 2014-01-02 14:34 ` Mika Kuoppala
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox