linux-mainline

mirror of https://kernel.googlesource.com/pub/scm/linux/kernel/git/torvalds/linux synced 2025-09-16 09:36:47 +10:00

History

Simona Vetter bd46cece51 drm/gem: Fix race in drm_gem_handle_create_tail() Object creation is a careful dance where we must guarantee that the object is fully constructed before it is visible to other threads, and GEM buffer objects are no difference. Final publishing happens by calling drm_gem_handle_create(). After that the only allowed thing to do is call drm_gem_object_put() because a concurrent call to the GEM_CLOSE ioctl with a correctly guessed id (which is trivial since we have a linear allocator) can already tear down the object again. Luckily most drivers get this right, the very few exceptions I've pinged the relevant maintainers for. Unfortunately we also need drm_gem_handle_create() when creating additional handles for an already existing object (e.g. GETFB ioctl or the various bo import ioctl), and hence we cannot have a drm_gem_handle_create_and_put() as the only exported function to stop these issues from happening. Now unfortunately the implementation of drm_gem_handle_create() isn't living up to standards: It does correctly finishe object initialization at the global level, and hence is safe against a concurrent tear down. But it also sets up the file-private aspects of the handle, and that part goes wrong: We fully register the object in the drm_file.object_idr before calling drm_vma_node_allow() or obj->funcs->open, which opens up races against concurrent removal of that handle in drm_gem_handle_delete(). Fix this with the usual two-stage approach of first reserving the handle id, and then only registering the object after we've completed the file-private setup. Jacek reported this with a testcase of concurrently calling GEM_CLOSE on a freshly-created object (which also destroys the object), but it should be possible to hit this with just additional handles created through import or GETFB without completed destroying the underlying object with the concurrent GEM_CLOSE ioctl calls. Note that the close-side of this race was fixed in `f6cd7daecf` ("drm: Release driver references to handle before making it available again"), which means a cool 9 years have passed until someone noticed that we need to make this symmetry or there's still gaps left :-/ Without the 2-stage close approach we'd still have a race, therefore that's an integral part of this bugfix. More importantly, this means we can have NULL pointers behind allocated id in our drm_file.object_idr. We need to check for that now: - drm_gem_handle_delete() checks for ERR_OR_NULL already - drm_gem.c:object_lookup() also chekcs for NULL - drm_gem_release() should never be called if there's another thread still existing that could call into an IOCTL that creates a new handle, so cannot race. For paranoia I added a NULL check to drm_gem_object_release_handle() though. - most drivers (etnaviv, i915, msm) are find because they use idr_find(), which maps both ENOENT and NULL to NULL. - drivers using idr_for_each_entry() should also be fine, because idr_get_next does filter out NULL entries and continues the iteration. - The same holds for drm_show_memory_stats(). v2: Use drm_WARN_ON (Thomas) Reported-by: Jacek Lawrynowicz <jacek.lawrynowicz@linux.intel.com> Tested-by: Jacek Lawrynowicz <jacek.lawrynowicz@linux.intel.com> Reviewed-by: Thomas Zimmermann <tzimmermann@suse.de> Cc: stable@vger.kernel.org Cc: Jacek Lawrynowicz <jacek.lawrynowicz@linux.intel.com> Cc: Maarten Lankhorst <maarten.lankhorst@linux.intel.com> Cc: Maxime Ripard <mripard@kernel.org> Cc: Thomas Zimmermann <tzimmermann@suse.de> Cc: David Airlie <airlied@gmail.com> Cc: Simona Vetter <simona@ffwll.ch> Signed-off-by: Simona Vetter <simona.vetter@intel.com> Signed-off-by: Simona Vetter <simona.vetter@ffwll.ch> Link: https://patchwork.freedesktop.org/patch/msgid/20250707151814.603897-1-simona.vetter@ffwll.ch		2025-07-09 15:53:34 +02:00
..
bridge
clients
display	drm/dp: add option to disable zero sized address only transactions.	2025-05-19 07:14:45 +10:00
intel	drm for 6.16-rc1	2025-05-28 09:46:39 -07:00
ttm	drm for 6.16-rc1	2025-05-28 09:46:39 -07:00
amd_asic_type.h
drm_accel.h
drm_atomic_helper.h
drm_atomic_state_helper.h
drm_atomic_uapi.h
drm_atomic.h
drm_audio_component.h
drm_auth.h
drm_blend.h
drm_bridge_connector.h
drm_bridge_helper.h
drm_bridge.h
drm_buddy.h
drm_cache.h
drm_client_event.h
drm_client.h
drm_color_mgmt.h
drm_connector.h
drm_crtc_helper.h
drm_crtc.h
drm_damage_helper.h
drm_debugfs_crc.h
drm_debugfs.h
drm_device.h
drm_drv.h
drm_edid.h
drm_eld.h
drm_encoder.h
drm_exec.h
drm_fb_dma_helper.h
drm_fb_helper.h
drm_fbdev_dma.h
drm_fbdev_shmem.h
drm_fbdev_ttm.h
drm_file.h	drm/gem: Fix race in drm_gem_handle_create_tail()	2025-07-09 15:53:34 +02:00
drm_fixed.h
drm_flip_work.h
drm_format_helper.h
drm_fourcc.h
drm_framebuffer.h	drm/framebuffer: Acquire internal references on GEM handles	2025-07-09 14:03:28 +02:00
drm_gem_atomic_helper.h
drm_gem_dma_helper.h
drm_gem_framebuffer_helper.h
drm_gem_shmem_helper.h
drm_gem_ttm_helper.h
drm_gem_vram_helper.h
drm_gem.h
drm_gpusvm.h	drm/gpusvm: Add timeslicing support to GPU SVM	2025-05-14 09:03:29 -07:00
drm_gpuvm.h
drm_ioctl.h
drm_kunit_helpers.h
drm_lease.h
drm_managed.h
drm_mipi_dbi.h
drm_mipi_dsi.h	drm/mipi-dsi: Add dev_is_mipi_dsi function	2025-06-27 11:22:39 +02:00
drm_mm.h
drm_mode_config.h
drm_mode_object.h
drm_modes.h
drm_modeset_helper_vtables.h
drm_modeset_helper.h
drm_modeset_lock.h
drm_module.h
drm_of.h
drm_pagemap.h
drm_panel.h
drm_panic.h
drm_pciids.h
drm_plane_helper.h
drm_plane.h
drm_prime.h
drm_print.h
drm_privacy_screen_consumer.h
drm_privacy_screen_driver.h
drm_privacy_screen_machine.h
drm_probe_helper.h
drm_property.h
drm_rect.h
drm_self_refresh_helper.h
drm_simple_kms_helper.h
drm_suballoc.h
drm_syncobj.h
drm_sysfs.h
drm_util.h
drm_utils.h
drm_vblank_work.h
drm_vblank.h
drm_vma_manager.h
drm_writeback.h
gpu_scheduler.h
gud.h
Makefile
spsc_queue.h	drm/sched: Increment job count before swapping tail spsc queue	2025-07-01 16:14:47 -07:00
task_barrier.h