From: Matthew Auld <matthew.auld@intel.com>
To: intel-xe@lists.freedesktop.org
Cc: "Himal Prasad Ghimiray" <himal.prasad.ghimiray@intel.com>,
"Tejas Upadhyay" <tejas.upadhyay@intel.com>,
"Thomas Hellström" <thomas.hellstrom@linux.intel.com>,
stable@vger.kernel.org
Subject: [PATCH 2/4] drm/xe/client: add missing bo locking in show_meminfo()
Date: Tue, 10 Sep 2024 14:11:47 +0100 [thread overview]
Message-ID: <20240910131145.136984-6-matthew.auld@intel.com> (raw)
In-Reply-To: <20240910131145.136984-5-matthew.auld@intel.com>
bo_meminfo() wants to inspect bo state like tt and the ttm resource,
however this state can change at any point leading to stuff like NPD and
UAF, if the bo lock is not held. Grab the bo lock when calling
bo_meminfo(), ensuring we drop any spinlocks first. In the case of
object_idr we now also need to hold a ref.
Fixes: 0845233388f8 ("drm/xe: Implement fdinfo memory stats printing")
Signed-off-by: Matthew Auld <matthew.auld@intel.com>
Cc: Himal Prasad Ghimiray <himal.prasad.ghimiray@intel.com>
Cc: Tejas Upadhyay <tejas.upadhyay@intel.com>
Cc: "Thomas Hellström" <thomas.hellstrom@linux.intel.com>
Cc: <stable@vger.kernel.org> # v6.8+
---
drivers/gpu/drm/xe/xe_drm_client.c | 37 +++++++++++++++++++++++++++---
1 file changed, 34 insertions(+), 3 deletions(-)
diff --git a/drivers/gpu/drm/xe/xe_drm_client.c b/drivers/gpu/drm/xe/xe_drm_client.c
index badfa045ead8..3cca741c500c 100644
--- a/drivers/gpu/drm/xe/xe_drm_client.c
+++ b/drivers/gpu/drm/xe/xe_drm_client.c
@@ -10,6 +10,7 @@
#include <linux/slab.h>
#include <linux/types.h>
+#include "xe_assert.h"
#include "xe_bo.h"
#include "xe_bo_types.h"
#include "xe_device_types.h"
@@ -151,10 +152,13 @@ void xe_drm_client_add_bo(struct xe_drm_client *client,
*/
void xe_drm_client_remove_bo(struct xe_bo *bo)
{
+ struct xe_device *xe = ttm_to_xe_device(bo->ttm.bdev);
struct xe_drm_client *client = bo->client;
+ xe_assert(xe, !kref_read(&bo->ttm.base.refcount));
+
spin_lock(&client->bos_lock);
- list_del(&bo->client_link);
+ list_del_init(&bo->client_link);
spin_unlock(&client->bos_lock);
xe_drm_client_put(client);
@@ -207,7 +211,20 @@ static void show_meminfo(struct drm_printer *p, struct drm_file *file)
idr_for_each_entry(&file->object_idr, obj, id) {
struct xe_bo *bo = gem_to_xe_bo(obj);
- bo_meminfo(bo, stats);
+ if (dma_resv_trylock(bo->ttm.base.resv)) {
+ bo_meminfo(bo, stats);
+ xe_bo_unlock(bo);
+ } else {
+ xe_bo_get(bo);
+ spin_unlock(&file->table_lock);
+
+ xe_bo_lock(bo, false);
+ bo_meminfo(bo, stats);
+ xe_bo_unlock(bo);
+
+ xe_bo_put(bo);
+ spin_lock(&file->table_lock);
+ }
}
spin_unlock(&file->table_lock);
@@ -217,7 +234,21 @@ static void show_meminfo(struct drm_printer *p, struct drm_file *file)
if (!kref_get_unless_zero(&bo->ttm.base.refcount))
continue;
- bo_meminfo(bo, stats);
+ if (dma_resv_trylock(bo->ttm.base.resv)) {
+ bo_meminfo(bo, stats);
+ xe_bo_unlock(bo);
+ } else {
+ spin_unlock(&client->bos_lock);
+
+ xe_bo_lock(bo, false);
+ bo_meminfo(bo, stats);
+ xe_bo_unlock(bo);
+
+ spin_lock(&client->bos_lock);
+ /* The bo ref will prevent this bo from being removed from the list */
+ xe_assert(xef->xe, !list_empty(&bo->client_link));
+ }
+
xe_bo_put_deferred(bo, &deferred);
}
spin_unlock(&client->bos_lock);
--
2.46.0
next prev parent reply other threads:[~2024-09-10 13:12 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-09-10 13:11 [PATCH 1/4] drm/xe/client: fix deadlock in show_meminfo() Matthew Auld
2024-09-10 13:11 ` Matthew Auld [this message]
2024-09-10 14:16 ` [PATCH 2/4] drm/xe/client: add missing bo locking " Matthew Brost
2024-09-11 5:39 ` Upadhyay, Tejas
2024-09-11 8:35 ` Matthew Auld
2024-09-11 9:40 ` Upadhyay, Tejas
2024-09-10 13:11 ` [PATCH 3/4] drm/xe/client: use mem_type from the current resource Matthew Auld
2024-09-10 14:18 ` Matthew Brost
2024-09-11 5:45 ` Upadhyay, Tejas
2024-09-10 13:11 ` [PATCH 4/4] drm/xe/bo: add some annotations in bo_put() Matthew Auld
2024-09-10 13:59 ` Matthew Brost
2024-09-10 14:52 ` Matthew Auld
2024-09-10 15:59 ` Matthew Brost
2024-09-10 14:49 ` Matthew Brost
2024-09-10 15:03 ` Matthew Auld
2024-09-10 15:26 ` Matthew Brost
2024-09-10 15:29 ` Matthew Brost
2024-09-11 5:40 ` Upadhyay, Tejas
2024-09-10 13:29 ` ✓ CI.Patch_applied: success for series starting with [1/4] drm/xe/client: fix deadlock in show_meminfo() Patchwork
2024-09-10 13:30 ` ✓ CI.checkpatch: " Patchwork
2024-09-10 13:31 ` ✓ CI.KUnit: " Patchwork
2024-09-10 13:48 ` ✓ CI.Build: " Patchwork
2024-09-10 13:53 ` ✓ CI.Hooks: " Patchwork
2024-09-10 13:55 ` [PATCH 1/4] " Matthew Brost
2024-09-10 13:56 ` ✓ CI.checksparse: success for series starting with [1/4] " Patchwork
2024-09-10 14:39 ` ✓ CI.BAT: " Patchwork
2024-09-10 15:45 ` ✗ CI.FULL: failure " Patchwork
2024-09-11 5:19 ` [PATCH 1/4] " Upadhyay, Tejas
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240910131145.136984-6-matthew.auld@intel.com \
--to=matthew.auld@intel.com \
--cc=himal.prasad.ghimiray@intel.com \
--cc=intel-xe@lists.freedesktop.org \
--cc=stable@vger.kernel.org \
--cc=tejas.upadhyay@intel.com \
--cc=thomas.hellstrom@linux.intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox