From: Danilo Krummrich <dakr@redhat.com>
To: Boris Brezillon <boris.brezillon@collabora.com>
Cc: airlied@gmail.com, daniel@ffwll.ch, matthew.brost@intel.com,
thomas.hellstrom@linux.intel.com, sarah.walker@imgtec.com,
donald.robson@imgtec.com, christian.koenig@amd.com,
faith.ekstrand@collabora.com, dri-devel@lists.freedesktop.org,
nouveau@lists.freedesktop.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH drm-misc-next v3 6/7] drm/gpuvm: generalize dma_resv/extobj handling and GEM validation
Date: Mon, 11 Sep 2023 18:30:10 +0200
Message-ID: <ZP9AkkJ1FruZGSVV@cassiopeiae>
In-Reply-To: <20230911164526.0192a686@collabora.com>

On Mon, Sep 11, 2023 at 04:45:26PM +0200, Boris Brezillon wrote:
> On Sat, 9 Sep 2023 17:31:13 +0200
> Danilo Krummrich <dakr@redhat.com> wrote:
>
> > @@ -807,6 +1262,14 @@ drm_gpuvm_bo_destroy(struct kref *kref)
> >
> > drm_gem_gpuva_assert_lock_held(vm_bo->obj);
> >
> > + spin_lock(&gpuvm->extobj.lock);
> > + list_del(&vm_bo->list.entry.extobj);
> > + spin_unlock(&gpuvm->extobj.lock);
> > +
> > + spin_lock(&gpuvm->evict.lock);
> > + list_del(&vm_bo->list.entry.evict);
> > + spin_unlock(&gpuvm->evict.lock);
> > +
> > list_del(&vm_bo->list.entry.gem);
> >
> > drm_gem_object_put(obj);
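Review bot: the drm_gem_object_put(obj) at the end of drm_gpuvm_bo_destroy() can drop the last reference to obj while the caller still holds the lock that drm_gem_gpuva_assert_lock_held(vm_bo->obj) checks for at the top of the function. If that lock's storage is owned by obj, the caller's subsequent unlock touches freed memory. Either document that callers must hold their own reference on obj across the final put, or protect the lists with a lock that this function acquires and releases itself before the drm_gem_object_put() call.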
>
> I ran into a UAF situation when the drm_gpuvm_bo object is the last
> owner of obj, because the lock that's supposed to be held when calling
> this function (drm_gem_gpuva_assert_lock_held() call above), belongs to
> obj (either obj->resv, or a driver specific lock that's attached to the
> driver-specific GEM object). I worked around it by taking a ref to obj
> before calling lock()+drm_gpuvm_bo_put()+unlock(), and releasing it
> after I'm done with the lock, but that just feels wrong.
>

As mentioned in a previous reply, I think we want to bring the dedicated GEM
gpuva list lock back instead of abusing the dma-resv lock. This way we can
handle locking internally and don't run into such issues.

There is also no reason for a driver to already hold the GEM gpuva list lock
when calling drm_gpuvm_bo_put(). Drivers would only acquire the lock to
iterate the GEM's list of drm_gpuvm_bos or the drm_gpuvm_bo's list of drm_gpuvas.
And dropping the drm_gpuvm_bo from within such a loop is forbidden anyways.
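
Added example, not part of either message and not DRM code: a single-threaded userspace C model of the lifetime problem discussed above, where the lock protecting the final put is embedded in the object that the put may free. All struct and function names are hypothetical, the `alive` flag stands in for an actual free so the stale access can be observed safely, and `put_internal_lock()` is only an assumed shape for "handle locking internally".

```c
#include <stdbool.h>
/* Constructed userspace model; every name is hypothetical, not the DRM API. */
struct gem_obj { int refs; bool alive, locked; };  /* 'locked' models a lock embedded in obj */
struct vm_bo { int refs; struct gem_obj *obj; };   /* holds one reference on obj */

static void obj_get(struct gem_obj *o) { o->refs++; }
/* Dropping the last reference: real code frees obj here, embedded lock included. */
static void obj_put(struct gem_obj *o) { if (--o->refs == 0) o->alive = false; }
static int obj_unlock(struct gem_obj *o)
{
    if (!o->alive)
        return -1;           /* in real code this access is the use-after-free */
    o->locked = false;
    return 0;
}

/* Reported pattern: lock() + put() + unlock(), with the lock living in obj. */
static int put_under_obj_lock(struct vm_bo *b, bool pin)
{
    struct gem_obj *o = b->obj;
    int ret;
    if (pin) obj_get(o);     /* reported workaround: extra ref across the section */
    o->locked = true;
    if (--b->refs == 0)
        obj_put(o);          /* vm_bo destroy drops its obj reference */
    ret = obj_unlock(o);
    if (pin) obj_put(o);
    return ret;
}

/* Assumed shape of internal locking: release the lock before the obj reference. */
static int put_internal_lock(struct vm_bo *b)
{
    struct gem_obj *o = b->obj;
    int ret = 0;
    if (--b->refs == 0) {
        o->locked = true;    /* list removal would happen here */
        ret = obj_unlock(o);
        obj_put(o);
    }
    return ret;
}

/* Runs one variant on a fresh obj whose only owner is the vm_bo. */
int run_case(int variant)
{
    struct gem_obj o = { .refs = 1, .alive = true };
    struct vm_bo b = { .refs = 1, .obj = &o };
    return variant < 2 ? put_under_obj_lock(&b, variant == 1) : put_internal_lock(&b);
}
```

Variant 0 is the caller-held lock without a pin, variant 1 adds the extra reference, and variant 2 takes and drops the lock inside the put path.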