
drm/syncobj: Stop reusing the same struct file for all syncobj -> fd

Message ID 20171219120700.27797-1-chris@chris-wilson.co.uk (mailing list archive)
State New, archived

Commit Message

Chris Wilson Dec. 19, 2017, 12:07 p.m. UTC
The vk cts test:
dEQP-VK.api.external.semaphore.opaque_fd.export_multiple_times_temporary

triggers a lot of
VFS: Close: file count is 0

Dave pointed out that clearing the syncobj->file from
drm_syncobj_file_release() was sufficient to silence the test, but that
opens a can of worms since we assumed that the syncobj->file was never
unset. Stop trying to reuse the same struct file for every fd pointing
to the drm_syncobj, and allocate one file for each fd instead.

Reported-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Cc: Dave Airlie <airlied@redhat.com>
---
 drivers/gpu/drm/drm_syncobj.c | 74 +++++++++++++++----------------------------
 include/drm/drm_syncobj.h     |  4 ---
 2 files changed, 26 insertions(+), 52 deletions(-)

Comments

Daniel Vetter Dec. 19, 2017, 12:28 p.m. UTC | #1
On Tue, Dec 19, 2017 at 12:07:00PM +0000, Chris Wilson wrote:
> The vk cts test:
> dEQP-VK.api.external.semaphore.opaque_fd.export_multiple_times_temporary
> 
> triggers a lot of
> VFS: Close: file count is 0
> 
> Dave pointed out that clearing the syncobj->file from
> drm_syncobj_file_release() was sufficient to silence the test, but that
> opens a can of worm since we assumed that the syncobj->file was never
> unset. Stop trying to reuse the same struct file for every fd pointing
> to the drm_syncobj, and allocate one file for each fd instead.

It's worse: syncobj->file points to a refcounted thing, and we never did
grab a reference for it. This is a classic use-after-free thing :-)

> Reported-by: Dave Airlie <airlied@redhat.com>
> Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
> Cc: Dave Airlie <airlied@redhat.com>

Assuming it doesn't break the vk testsuite:

Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>

Also an igt for this would be nice:
1. create syncobj
2. export to fd
3. close fd, note that now syncobj->file points to a freed struct file
4. reexport -> BOOM

Cheers, Daniel

> ---
>  drivers/gpu/drm/drm_syncobj.c | 74 +++++++++++++++----------------------------
>  include/drm/drm_syncobj.h     |  4 ---
>  2 files changed, 26 insertions(+), 52 deletions(-)
> 
> diff --git a/drivers/gpu/drm/drm_syncobj.c b/drivers/gpu/drm/drm_syncobj.c
> index 131695915acd..0cca2e792719 100644
> --- a/drivers/gpu/drm/drm_syncobj.c
> +++ b/drivers/gpu/drm/drm_syncobj.c
> @@ -399,23 +399,6 @@ static const struct file_operations drm_syncobj_file_fops = {
>  	.release = drm_syncobj_file_release,
>  };
>  
> -static int drm_syncobj_alloc_file(struct drm_syncobj *syncobj)
> -{
> -	struct file *file = anon_inode_getfile("syncobj_file",
> -					       &drm_syncobj_file_fops,
> -					       syncobj, 0);
> -	if (IS_ERR(file))
> -		return PTR_ERR(file);
> -
> -	drm_syncobj_get(syncobj);
> -	if (cmpxchg(&syncobj->file, NULL, file)) {
> -		/* lost the race */
> -		fput(file);
> -	}
> -
> -	return 0;
> -}
> -
>  /**
>   * drm_syncobj_get_fd - get a file descriptor from a syncobj
>   * @syncobj: Sync object to export
> @@ -427,21 +410,24 @@ static int drm_syncobj_alloc_file(struct drm_syncobj *syncobj)
>   */
>  int drm_syncobj_get_fd(struct drm_syncobj *syncobj, int *p_fd)
>  {
> -	int ret;
> +	struct file *file;
>  	int fd;
>  
>  	fd = get_unused_fd_flags(O_CLOEXEC);
>  	if (fd < 0)
>  		return fd;
>  
> -	if (!syncobj->file) {
> -		ret = drm_syncobj_alloc_file(syncobj);
> -		if (ret) {
> -			put_unused_fd(fd);
> -			return ret;
> -		}
> +	file = anon_inode_getfile("syncobj_file",
> +				  &drm_syncobj_file_fops,
> +				  syncobj, 0);
> +	if (IS_ERR(file)) {
> +		put_unused_fd(fd);
> +		return PTR_ERR(file);
>  	}
> -	fd_install(fd, syncobj->file);
> +
> +	drm_syncobj_get(syncobj);
> +	fd_install(fd, file);
> +
>  	*p_fd = fd;
>  	return 0;
>  }
> @@ -461,31 +447,24 @@ static int drm_syncobj_handle_to_fd(struct drm_file *file_private,
>  	return ret;
>  }
>  
> -static struct drm_syncobj *drm_syncobj_fdget(int fd)
> -{
> -	struct file *file = fget(fd);
> -
> -	if (!file)
> -		return NULL;
> -	if (file->f_op != &drm_syncobj_file_fops)
> -		goto err;
> -
> -	return file->private_data;
> -err:
> -	fput(file);
> -	return NULL;
> -};
> -
>  static int drm_syncobj_fd_to_handle(struct drm_file *file_private,
>  				    int fd, u32 *handle)
>  {
> -	struct drm_syncobj *syncobj = drm_syncobj_fdget(fd);
> +	struct drm_syncobj *syncobj;
> +	struct file *file;
>  	int ret;
>  
> -	if (!syncobj)
> +	file = fget(fd);
> +	if (!file)
>  		return -EINVAL;
>  
> +	if (file->f_op != &drm_syncobj_file_fops) {
> +		fput(file);
> +		return -EINVAL;
> +	}
> +
>  	/* take a reference to put in the idr */
> +	syncobj = file->private_data;
>  	drm_syncobj_get(syncobj);
>  
>  	idr_preload(GFP_KERNEL);
> @@ -494,12 +473,11 @@ static int drm_syncobj_fd_to_handle(struct drm_file *file_private,
>  	spin_unlock(&file_private->syncobj_table_lock);
>  	idr_preload_end();
>  
> -	if (ret < 0) {
> -		fput(syncobj->file);
> -		return ret;
> -	}
> -	*handle = ret;
> -	return 0;
> +	if (ret > 0)
> +		*handle = ret;
> +
> +	fput(file);
> +	return ret;
>  }
>  
>  static int drm_syncobj_import_sync_file_fence(struct drm_file *file_private,
> diff --git a/include/drm/drm_syncobj.h b/include/drm/drm_syncobj.h
> index 3980602472c0..ca5bf7d12d0b 100644
> --- a/include/drm/drm_syncobj.h
> +++ b/include/drm/drm_syncobj.h
> @@ -56,10 +56,6 @@ struct drm_syncobj {
>  	 * @lock: Protects &cb_list and write-locks &fence.
>  	 */
>  	spinlock_t lock;
> -	/**
> -	 * @file: A file backing for this syncobj.
> -	 */
> -	struct file *file;
>  };
>  
>  typedef void (*drm_syncobj_func_t)(struct drm_syncobj *syncobj,
> -- 
> 2.15.1
> 
> _______________________________________________
> Intel-gfx mailing list
> Intel-gfx@lists.freedesktop.org
> https://lists.freedesktop.org/mailman/listinfo/intel-gfx
Dave Airlie Dec. 21, 2017, 2:42 a.m. UTC | #2
> @@ -494,12 +473,11 @@ static int drm_syncobj_fd_to_handle(struct drm_file *file_private,
>         spin_unlock(&file_private->syncobj_table_lock);
>         idr_preload_end();
>
> -       if (ret < 0) {
> -               fput(syncobj->file);
> -               return ret;
> -       }
> -       *handle = ret;
> -       return 0;
> +       if (ret > 0)
> +               *handle = ret;
> +
> +       fput(file);
> +       return ret;
>  }

This chunk breaks things, since it now returns the handle in ret when
ret > 0, whereas before it returned 0.

Otherwise the vulkan tests all pass on it.

Dave.
Chris Wilson Dec. 21, 2017, 7:51 a.m. UTC | #3
Quoting Dave Airlie (2017-12-21 02:42:56)
> > @@ -494,12 +473,11 @@ static int drm_syncobj_fd_to_handle(struct drm_file *file_private,
> >         spin_unlock(&file_private->syncobj_table_lock);
> >         idr_preload_end();
> >
> > -       if (ret < 0) {
> > -               fput(syncobj->file);
> > -               return ret;
> > -       }
> > -       *handle = ret;
> > -       return 0;
> > +       if (ret > 0)
> > +               *handle = ret;
> > +
> > +       fput(file);
> > +       return ret;
> >  }
> 
> This chunk breaks stuff, since it now returns the handle in ret if >
> 0, whereas before
> it returned 0.

So much for trying to squeeze it into single point of return.
Do we prefer return ret; or ret = 0 ?
-Chris

Patch

diff --git a/drivers/gpu/drm/drm_syncobj.c b/drivers/gpu/drm/drm_syncobj.c
index 131695915acd..0cca2e792719 100644
--- a/drivers/gpu/drm/drm_syncobj.c
+++ b/drivers/gpu/drm/drm_syncobj.c
@@ -399,23 +399,6 @@  static const struct file_operations drm_syncobj_file_fops = {
 	.release = drm_syncobj_file_release,
 };
 
-static int drm_syncobj_alloc_file(struct drm_syncobj *syncobj)
-{
-	struct file *file = anon_inode_getfile("syncobj_file",
-					       &drm_syncobj_file_fops,
-					       syncobj, 0);
-	if (IS_ERR(file))
-		return PTR_ERR(file);
-
-	drm_syncobj_get(syncobj);
-	if (cmpxchg(&syncobj->file, NULL, file)) {
-		/* lost the race */
-		fput(file);
-	}
-
-	return 0;
-}
-
 /**
  * drm_syncobj_get_fd - get a file descriptor from a syncobj
  * @syncobj: Sync object to export
@@ -427,21 +410,24 @@  static int drm_syncobj_alloc_file(struct drm_syncobj *syncobj)
  */
 int drm_syncobj_get_fd(struct drm_syncobj *syncobj, int *p_fd)
 {
-	int ret;
+	struct file *file;
 	int fd;
 
 	fd = get_unused_fd_flags(O_CLOEXEC);
 	if (fd < 0)
 		return fd;
 
-	if (!syncobj->file) {
-		ret = drm_syncobj_alloc_file(syncobj);
-		if (ret) {
-			put_unused_fd(fd);
-			return ret;
-		}
+	file = anon_inode_getfile("syncobj_file",
+				  &drm_syncobj_file_fops,
+				  syncobj, 0);
+	if (IS_ERR(file)) {
+		put_unused_fd(fd);
+		return PTR_ERR(file);
 	}
-	fd_install(fd, syncobj->file);
+
+	drm_syncobj_get(syncobj);
+	fd_install(fd, file);
+
 	*p_fd = fd;
 	return 0;
 }
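Review bot: The kernel-doc for drm_syncobj_get_fd (only its closing ` */` is inside this hunk) should state the ownership rule that this rewrite introduces: every export now allocates its own struct file, and the drm_syncobj_get() placed just before fd_install() is owned by that file, so an exported fd keeps the syncobj alive independently of the caller's own reference. A sentence such as `Each call creates a new anonymous file that holds its own reference on @syncobj for as long as the fd stays open.` would do. Where that reference is dropped is not visible here; presumably in drm_syncobj_file_release(), which the fops table above names as .release, and the doc should point there. Taking the reference after anon_inode_getfile() succeeds but before fd_install() looks right, since the file cannot be reached from userspace until it is installed.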
@@ -461,31 +447,24 @@  static int drm_syncobj_handle_to_fd(struct drm_file *file_private,
 	return ret;
 }
 
-static struct drm_syncobj *drm_syncobj_fdget(int fd)
-{
-	struct file *file = fget(fd);
-
-	if (!file)
-		return NULL;
-	if (file->f_op != &drm_syncobj_file_fops)
-		goto err;
-
-	return file->private_data;
-err:
-	fput(file);
-	return NULL;
-};
-
 static int drm_syncobj_fd_to_handle(struct drm_file *file_private,
 				    int fd, u32 *handle)
 {
-	struct drm_syncobj *syncobj = drm_syncobj_fdget(fd);
+	struct drm_syncobj *syncobj;
+	struct file *file;
 	int ret;
 
-	if (!syncobj)
+	file = fget(fd);
+	if (!file)
 		return -EINVAL;
 
+	if (file->f_op != &drm_syncobj_file_fops) {
+		fput(file);
+		return -EINVAL;
+	}
+
 	/* take a reference to put in the idr */
+	syncobj = file->private_data;
 	drm_syncobj_get(syncobj);
 
 	idr_preload(GFP_KERNEL);
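Review bot: The `file->f_op != &drm_syncobj_file_fops` comparison is the only thing that makes the `syncobj = file->private_data` assignment below it sound, because fd is user-supplied and fget() returns whatever open file that number names; that intent deserves a comment so a later refactor does not reorder or drop the check. Suggest `/* fd comes from userspace: only our own anon file carries a drm_syncobj in private_data */` directly above the comparison. drm_syncobj_fd_to_handle continues past the end of this hunk, so the fput(file) that balances the fget() here is outside it.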
@@ -494,12 +473,11 @@  static int drm_syncobj_fd_to_handle(struct drm_file *file_private,
 	spin_unlock(&file_private->syncobj_table_lock);
 	idr_preload_end();
 
-	if (ret < 0) {
-		fput(syncobj->file);
-		return ret;
-	}
-	*handle = ret;
-	return 0;
+	if (ret > 0)
+		*handle = ret;
+
+	fput(file);
+	return ret;
 }
 
 static int drm_syncobj_import_sync_file_fence(struct drm_file *file_private,
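Review bot: On the failure path the reference taken "to put in the idr" (the drm_syncobj_get() earlier in drm_syncobj_fd_to_handle, in the previous hunk) is never dropped: when ret is negative the new tail only does fput(file) and returns, so every failed import leaks one syncobj reference. The pre-patch code had the same gap, but since this hunk rewrites the tail it is the place to close it, e.g. `if (ret < 0) drm_syncobj_put(syncobj);` ahead of the `fput(file);`. The idr_alloc() that produces ret sits between the two hunks, so that ret < 0 is its error code is inferred from the `*handle = ret` use; the function itself starts outside this hunk.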
diff --git a/include/drm/drm_syncobj.h b/include/drm/drm_syncobj.h
index 3980602472c0..ca5bf7d12d0b 100644
--- a/include/drm/drm_syncobj.h
+++ b/include/drm/drm_syncobj.h
@@ -56,10 +56,6 @@  struct drm_syncobj {
 	 * @lock: Protects &cb_list and write-locks &fence.
 	 */
 	spinlock_t lock;
-	/**
-	 * @file: A file backing for this syncobj.
-	 */
-	struct file *file;
 };
 
 typedef void (*drm_syncobj_func_t)(struct drm_syncobj *syncobj,