* [PATCH v2] dma-buf/sw_sync: Avoid recursive lock during fence signal
@ 2023-08-18 14:59 Rob Clark
2023-08-22 13:01 ` [Linaro-mm-sig] " Christian König
0 siblings, 1 reply; 4+ messages in thread
From: Rob Clark @ 2023-08-18 14:59 UTC (permalink / raw)
To: dri-devel
Cc: Christian König, Rob Clark, Bas Nieuwenhuizen, Sumit Semwal,
Gustavo Padovan, Chris Wilson, open list:SYNC FILE FRAMEWORK,
moderated list:DMA BUFFER SHARING FRAMEWORK, open list
From: Rob Clark <robdclark@chromium.org>
If a signal callback releases the sw_sync fence, that will trigger a
deadlock as the timeline_fence_release recurses onto the fence->lock
(used both for signaling and the the timeline tree).
To avoid that, temporarily hold an extra reference to the signalled
fences until after we drop the lock.
(This is an alternative implementation of https://patchwork.kernel.org/patch/11664717/
which avoids some potential UAF issues with the original patch.)
v2: Remove now obsolete comment, use list_move_tail() and
list_del_init()
Reported-by: Bas Nieuwenhuizen <bas@basnieuwenhuizen.nl>
Fixes: d3c6dd1fb30d ("dma-buf/sw_sync: Synchronize signal vs syncpt free")
Signed-off-by: Rob Clark <robdclark@chromium.org>
---
drivers/dma-buf/sw_sync.c | 18 +++++++++---------
1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/drivers/dma-buf/sw_sync.c b/drivers/dma-buf/sw_sync.c
index 63f0aeb66db6..f0a35277fd84 100644
--- a/drivers/dma-buf/sw_sync.c
+++ b/drivers/dma-buf/sw_sync.c
@@ -191,6 +191,7 @@ static const struct dma_fence_ops timeline_fence_ops = {
*/
static void sync_timeline_signal(struct sync_timeline *obj, unsigned int inc)
{
+ LIST_HEAD(signalled);
struct sync_pt *pt, *next;
trace_sync_timeline(obj);
@@ -203,21 +204,20 @@ static void sync_timeline_signal(struct sync_timeline *obj, unsigned int inc)
if (!timeline_fence_signaled(&pt->base))
break;
- list_del_init(&pt->link);
+ dma_fence_get(&pt->base);
+
+ list_move_tail(&pt->link, &signalled);
rb_erase(&pt->node, &obj->pt_tree);
- /*
- * A signal callback may release the last reference to this
- * fence, causing it to be freed. That operation has to be
- * last to avoid a use after free inside this loop, and must
- * be after we remove the fence from the timeline in order to
- * prevent deadlocking on timeline->lock inside
- * timeline_fence_release().
- */
dma_fence_signal_locked(&pt->base);
}
spin_unlock_irq(&obj->lock);
+
+ list_for_each_entry_safe(pt, next, &signalled, link) {
+ list_del_init(&pt->link);
+ dma_fence_put(&pt->base);
+ }
}
/**
--
2.41.0
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [Linaro-mm-sig] [PATCH v2] dma-buf/sw_sync: Avoid recursive lock during fence signal
2023-08-18 14:59 [PATCH v2] dma-buf/sw_sync: Avoid recursive lock during fence signal Rob Clark
@ 2023-08-22 13:01 ` Christian König
2023-08-22 17:15 ` Rob Clark
0 siblings, 1 reply; 4+ messages in thread
From: Christian König @ 2023-08-22 13:01 UTC (permalink / raw)
To: Rob Clark, dri-devel
Cc: Christian König, Rob Clark, Bas Nieuwenhuizen, Sumit Semwal,
Gustavo Padovan, Chris Wilson, open list:SYNC FILE FRAMEWORK,
moderated list:DMA BUFFER SHARING FRAMEWORK, open list
Am 18.08.23 um 16:59 schrieb Rob Clark:
> From: Rob Clark <robdclark@chromium.org>
>
> If a signal callback releases the sw_sync fence, that will trigger a
> deadlock as the timeline_fence_release recurses onto the fence->lock
> (used both for signaling and the the timeline tree).
>
> To avoid that, temporarily hold an extra reference to the signalled
> fences until after we drop the lock.
>
> (This is an alternative implementation of https://patchwork.kernel.org/patch/11664717/
> which avoids some potential UAF issues with the original patch.)
>
> v2: Remove now obsolete comment, use list_move_tail() and
> list_del_init()
>
> Reported-by: Bas Nieuwenhuizen <bas@basnieuwenhuizen.nl>
> Fixes: d3c6dd1fb30d ("dma-buf/sw_sync: Synchronize signal vs syncpt free")
> Signed-off-by: Rob Clark <robdclark@chromium.org>
Reviewed-by: Christian König <christian.koenig@amd.com>
> ---
> drivers/dma-buf/sw_sync.c | 18 +++++++++---------
> 1 file changed, 9 insertions(+), 9 deletions(-)
>
> diff --git a/drivers/dma-buf/sw_sync.c b/drivers/dma-buf/sw_sync.c
> index 63f0aeb66db6..f0a35277fd84 100644
> --- a/drivers/dma-buf/sw_sync.c
> +++ b/drivers/dma-buf/sw_sync.c
> @@ -191,6 +191,7 @@ static const struct dma_fence_ops timeline_fence_ops = {
> */
> static void sync_timeline_signal(struct sync_timeline *obj, unsigned int inc)
> {
> + LIST_HEAD(signalled);
> struct sync_pt *pt, *next;
>
> trace_sync_timeline(obj);
> @@ -203,21 +204,20 @@ static void sync_timeline_signal(struct sync_timeline *obj, unsigned int inc)
> if (!timeline_fence_signaled(&pt->base))
> break;
>
> - list_del_init(&pt->link);
> + dma_fence_get(&pt->base);
> +
> + list_move_tail(&pt->link, &signalled);
> rb_erase(&pt->node, &obj->pt_tree);
>
> - /*
> - * A signal callback may release the last reference to this
> - * fence, causing it to be freed. That operation has to be
> - * last to avoid a use after free inside this loop, and must
> - * be after we remove the fence from the timeline in order to
> - * prevent deadlocking on timeline->lock inside
> - * timeline_fence_release().
> - */
> dma_fence_signal_locked(&pt->base);
> }
>
> spin_unlock_irq(&obj->lock);
> +
> + list_for_each_entry_safe(pt, next, &signalled, link) {
> + list_del_init(&pt->link);
> + dma_fence_put(&pt->base);
> + }
> }
>
> /**
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [Linaro-mm-sig] [PATCH v2] dma-buf/sw_sync: Avoid recursive lock during fence signal
2023-08-22 13:01 ` [Linaro-mm-sig] " Christian König
@ 2023-08-22 17:15 ` Rob Clark
2023-08-28 5:56 ` Christian König
0 siblings, 1 reply; 4+ messages in thread
From: Rob Clark @ 2023-08-22 17:15 UTC (permalink / raw)
To: Christian König
Cc: dri-devel, Christian König, Rob Clark, Bas Nieuwenhuizen,
Sumit Semwal, Gustavo Padovan, Chris Wilson,
open list:SYNC FILE FRAMEWORK,
moderated list:DMA BUFFER SHARING FRAMEWORK, open list
On Tue, Aug 22, 2023 at 6:01 AM Christian König
<ckoenig.leichtzumerken@gmail.com> wrote:
>
> Am 18.08.23 um 16:59 schrieb Rob Clark:
> > From: Rob Clark <robdclark@chromium.org>
> >
> > If a signal callback releases the sw_sync fence, that will trigger a
> > deadlock as the timeline_fence_release recurses onto the fence->lock
> > (used both for signaling and the the timeline tree).
> >
> > To avoid that, temporarily hold an extra reference to the signalled
> > fences until after we drop the lock.
> >
> > (This is an alternative implementation of https://patchwork.kernel.org/patch/11664717/
> > which avoids some potential UAF issues with the original patch.)
> >
> > v2: Remove now obsolete comment, use list_move_tail() and
> > list_del_init()
> >
> > Reported-by: Bas Nieuwenhuizen <bas@basnieuwenhuizen.nl>
> > Fixes: d3c6dd1fb30d ("dma-buf/sw_sync: Synchronize signal vs syncpt free")
> > Signed-off-by: Rob Clark <robdclark@chromium.org>
>
> Reviewed-by: Christian König <christian.koenig@amd.com>
Thanks, any chance you could take this via drm-misc?
BR,
-R
>
> > ---
> > drivers/dma-buf/sw_sync.c | 18 +++++++++---------
> > 1 file changed, 9 insertions(+), 9 deletions(-)
> >
> > diff --git a/drivers/dma-buf/sw_sync.c b/drivers/dma-buf/sw_sync.c
> > index 63f0aeb66db6..f0a35277fd84 100644
> > --- a/drivers/dma-buf/sw_sync.c
> > +++ b/drivers/dma-buf/sw_sync.c
> > @@ -191,6 +191,7 @@ static const struct dma_fence_ops timeline_fence_ops = {
> > */
> > static void sync_timeline_signal(struct sync_timeline *obj, unsigned int inc)
> > {
> > + LIST_HEAD(signalled);
> > struct sync_pt *pt, *next;
> >
> > trace_sync_timeline(obj);
> > @@ -203,21 +204,20 @@ static void sync_timeline_signal(struct sync_timeline *obj, unsigned int inc)
> > if (!timeline_fence_signaled(&pt->base))
> > break;
> >
> > - list_del_init(&pt->link);
> > + dma_fence_get(&pt->base);
> > +
> > + list_move_tail(&pt->link, &signalled);
> > rb_erase(&pt->node, &obj->pt_tree);
> >
> > - /*
> > - * A signal callback may release the last reference to this
> > - * fence, causing it to be freed. That operation has to be
> > - * last to avoid a use after free inside this loop, and must
> > - * be after we remove the fence from the timeline in order to
> > - * prevent deadlocking on timeline->lock inside
> > - * timeline_fence_release().
> > - */
> > dma_fence_signal_locked(&pt->base);
> > }
> >
> > spin_unlock_irq(&obj->lock);
> > +
> > + list_for_each_entry_safe(pt, next, &signalled, link) {
> > + list_del_init(&pt->link);
> > + dma_fence_put(&pt->base);
> > + }
> > }
> >
> > /**
>
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [Linaro-mm-sig] [PATCH v2] dma-buf/sw_sync: Avoid recursive lock during fence signal
2023-08-22 17:15 ` Rob Clark
@ 2023-08-28 5:56 ` Christian König
0 siblings, 0 replies; 4+ messages in thread
From: Christian König @ 2023-08-28 5:56 UTC (permalink / raw)
To: Rob Clark, Christian König
Cc: dri-devel, Rob Clark, Bas Nieuwenhuizen, Sumit Semwal,
Gustavo Padovan, Chris Wilson, open list:SYNC FILE FRAMEWORK,
moderated list:DMA BUFFER SHARING FRAMEWORK, open list
Am 22.08.23 um 19:15 schrieb Rob Clark:
> On Tue, Aug 22, 2023 at 6:01 AM Christian König
> <ckoenig.leichtzumerken@gmail.com> wrote:
>> Am 18.08.23 um 16:59 schrieb Rob Clark:
>>> From: Rob Clark <robdclark@chromium.org>
>>>
>>> If a signal callback releases the sw_sync fence, that will trigger a
>>> deadlock as the timeline_fence_release recurses onto the fence->lock
>>> (used both for signaling and the the timeline tree).
>>>
>>> To avoid that, temporarily hold an extra reference to the signalled
>>> fences until after we drop the lock.
>>>
>>> (This is an alternative implementation of https://patchwork.kernel.org/patch/11664717/
>>> which avoids some potential UAF issues with the original patch.)
>>>
>>> v2: Remove now obsolete comment, use list_move_tail() and
>>> list_del_init()
>>>
>>> Reported-by: Bas Nieuwenhuizen <bas@basnieuwenhuizen.nl>
>>> Fixes: d3c6dd1fb30d ("dma-buf/sw_sync: Synchronize signal vs syncpt free")
>>> Signed-off-by: Rob Clark <robdclark@chromium.org>
>> Reviewed-by: Christian König <christian.koenig@amd.com>
> Thanks, any chance you could take this via drm-misc?
I've already pushed this quite a while ago.
At the moment I have problem answering because AMD has a new security
policy which makes it impossible to push patches and access mails at the
same time.
We are working with our IT to get this fixed, but at the moment its
eating my time.
Sorry for the delay,
Christian.
>
> BR,
> -R
>
>>> ---
>>> drivers/dma-buf/sw_sync.c | 18 +++++++++---------
>>> 1 file changed, 9 insertions(+), 9 deletions(-)
>>>
>>> diff --git a/drivers/dma-buf/sw_sync.c b/drivers/dma-buf/sw_sync.c
>>> index 63f0aeb66db6..f0a35277fd84 100644
>>> --- a/drivers/dma-buf/sw_sync.c
>>> +++ b/drivers/dma-buf/sw_sync.c
>>> @@ -191,6 +191,7 @@ static const struct dma_fence_ops timeline_fence_ops = {
>>> */
>>> static void sync_timeline_signal(struct sync_timeline *obj, unsigned int inc)
>>> {
>>> + LIST_HEAD(signalled);
>>> struct sync_pt *pt, *next;
>>>
>>> trace_sync_timeline(obj);
>>> @@ -203,21 +204,20 @@ static void sync_timeline_signal(struct sync_timeline *obj, unsigned int inc)
>>> if (!timeline_fence_signaled(&pt->base))
>>> break;
>>>
>>> - list_del_init(&pt->link);
>>> + dma_fence_get(&pt->base);
>>> +
>>> + list_move_tail(&pt->link, &signalled);
>>> rb_erase(&pt->node, &obj->pt_tree);
>>>
>>> - /*
>>> - * A signal callback may release the last reference to this
>>> - * fence, causing it to be freed. That operation has to be
>>> - * last to avoid a use after free inside this loop, and must
>>> - * be after we remove the fence from the timeline in order to
>>> - * prevent deadlocking on timeline->lock inside
>>> - * timeline_fence_release().
>>> - */
>>> dma_fence_signal_locked(&pt->base);
>>> }
>>>
>>> spin_unlock_irq(&obj->lock);
>>> +
>>> + list_for_each_entry_safe(pt, next, &signalled, link) {
>>> + list_del_init(&pt->link);
>>> + dma_fence_put(&pt->base);
>>> + }
>>> }
>>>
>>> /**
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2023-08-28 5:57 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2023-08-18 14:59 [PATCH v2] dma-buf/sw_sync: Avoid recursive lock during fence signal Rob Clark
2023-08-22 13:01 ` [Linaro-mm-sig] " Christian König
2023-08-22 17:15 ` Rob Clark
2023-08-28 5:56 ` Christian König
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox