From patchwork Sat Feb 18 22:50:07 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: =?utf-8?q?Nicolai_H=C3=A4hnle?= <nhaehnle@gmail.com>
X-Patchwork-Id: 9581377
Return-Path: <dri-devel-bounces@lists.freedesktop.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	C6E3E600F6 for <patchwork-dri-devel@patchwork.kernel.org>;
	Sat, 18 Feb 2017 22:50:23 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id B16D0287AC
	for <patchwork-dri-devel@patchwork.kernel.org>;
	Sat, 18 Feb 2017 22:50:23 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id A627E287AE; Sat, 18 Feb 2017 22:50:23 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-4.1 required=2.0 tests=BAYES_00,
	DKIM_ADSP_CUSTOM_MED,
	DKIM_SIGNED, FREEMAIL_FROM, RCVD_IN_DNSWL_MED,
	T_DKIM_INVALID autolearn=ham version=3.3.1
Received: from gabe.freedesktop.org (gabe.freedesktop.org [131.252.210.177])
	(using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256
	bits)) (No client certificate requested)
	by mail.wl.linuxfoundation.org (Postfix) with ESMTPS id 0AD65287AC
	for <patchwork-dri-devel@patchwork.kernel.org>;
	Sat, 18 Feb 2017 22:50:22 +0000 (UTC)
Received: from gabe.freedesktop.org (localhost [127.0.0.1])
	by gabe.freedesktop.org (Postfix) with ESMTP id 6F72F6E077;
	Sat, 18 Feb 2017 22:50:20 +0000 (UTC)
X-Original-To: dri-devel@lists.freedesktop.org
Delivered-To: dri-devel@lists.freedesktop.org
Received: from mail-wm0-x241.google.com (mail-wm0-x241.google.com
	[IPv6:2a00:1450:400c:c09::241])
	by gabe.freedesktop.org (Postfix) with ESMTPS id 32D0C6E077;
	Sat, 18 Feb 2017 22:50:19 +0000 (UTC)
Received: by mail-wm0-x241.google.com with SMTP id u63so8302114wmu.2;
	Sat, 18 Feb 2017 14:50:19 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
	h=from:to:cc:subject:date:message-id:mime-version
	:content-transfer-encoding;
	bh=brkOD728CrqraDdwmsWy8T74+rz1DAzo8RcUpQ2NKQ8=;
	b=NATuHX7AI7ALSRL8dJU9Mucs+xqUr0Iuh091lB2U6sire3HCYjalMgJhgr4FN8FTnQ
	8USdRSkigFxa/QoQ0WLTf/k7hu5yShrWNwZpO0NOGDWcw/OOqeMNT3tZyyZwBWgLODyv
	eJOTy7k3lstMMI23LiN5KxG2w7ImhCFb7bHlswWV1z4rmCpnHDLWPS7EdxAB7KScVce2
	LkVeeKrDfsMsdt/f19AUoeyBGa6GeEe/IP3qwTXc4pXTRDAoquetHQFTD8VzNaTXBGXu
	VHXISzl1L3xcJlM7IleM2ocurlSoZEyQJux+FhdbpPKTMwwbcljRe189B2e1l3r4Pejy
	6NKQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version
	:content-transfer-encoding;
	bh=brkOD728CrqraDdwmsWy8T74+rz1DAzo8RcUpQ2NKQ8=;
	b=rCL64gltg4Bum4yxlHRAd6cn5UnOtD9dWmo8i2K9NJ+wuG4WAnXZb2c2ZyqsaeoANn
	8LltIXgBESTkmnk9FTA5S5QX/91tfnhI7xLouUa1GedjBAixiNUv+OVIM1hFMRMrn9fj
	fWVNZHEPloF7cSz2AVArx0WNqQnnq8UVgUQBUpWJFWECuKWuyTLCgIEmpwNqJSb5NUuy
	ll41cDQM/zG/EtK1DPY2gKeh0V0qUSjvEILEEqnKBUtxnVvYJbb7ZRwpfovZLx5Jb3b/
	KvNr30FF4Ynkv3OE5pputHQ3hCOEHPD9QcWwpBB7XtgyiKGsqwfOcDlmh0sumuf7/6z5
	oTkQ==
X-Gm-Message-State: 
 AMke39nbvXsoIYLwGrHTcrPKot3URMW4Peg4Rwb9r/BuuMQcV6/b9cN20ARGUyxjFjKh0w==
X-Received: by 10.28.178.16 with SMTP id b16mr11815745wmf.83.1487458217675;
	Sat, 18 Feb 2017 14:50:17 -0800 (PST)
Received: from capella.localdomain (x4dbd8d05.dyn.telefonica.de.
	[77.189.141.5]) by smtp.gmail.com with ESMTPSA id
	b8sm18563586wrb.17.2017.02.18.14.50.16
	(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
	Sat, 18 Feb 2017 14:50:16 -0800 (PST)
From: =?UTF-8?q?Nicolai=20H=C3=A4hnle?= <nhaehnle@gmail.com>
To: amd-gfx@lists.freedesktop.org
Subject: [PATCH] drm/ttm: fix use-after-free races in vm fault handling
Date: Sat, 18 Feb 2017 23:50:07 +0100
Message-Id: <20170218225007.20754-1-nhaehnle@gmail.com>
X-Mailer: git-send-email 2.9.3
MIME-Version: 1.0
Cc: =?UTF-8?q?Nicolai=20H=C3=A4hnle?= <nicolai.haehnle@amd.com>,
	dri-devel@lists.freedesktop.org
X-BeenThere: dri-devel@lists.freedesktop.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: Direct Rendering Infrastructure - Development
	<dri-devel.lists.freedesktop.org>
List-Unsubscribe: <https://lists.freedesktop.org/mailman/options/dri-devel>,
	<mailto:dri-devel-request@lists.freedesktop.org?subject=unsubscribe>
List-Archive: <https://lists.freedesktop.org/archives/dri-devel>
List-Post: <mailto:dri-devel@lists.freedesktop.org>
List-Help: <mailto:dri-devel-request@lists.freedesktop.org?subject=help>
List-Subscribe: <https://lists.freedesktop.org/mailman/listinfo/dri-devel>,
	<mailto:dri-devel-request@lists.freedesktop.org?subject=subscribe>
Errors-To: dri-devel-bounces@lists.freedesktop.org
Sender: "dri-devel" <dri-devel-bounces@lists.freedesktop.org>
X-Virus-Scanned: ClamAV using ClamSMTP

From: Nicolai Hähnle <nicolai.haehnle@amd.com>

The vm fault handler relies on the fact that the VMA owns a reference
to the BO. However, once mmap_sem is released, other tasks are free to
destroy the VMA, which can lead to the BO being freed. Fix two code
paths where that can happen, both related to vm fault retries.

Found via a lock debugging warning which flagged &bo->wu_mutex as
locked while being destroyed.

Fixes: cbe12e74ee4e ("drm/ttm: Allow vm fault retries")
Signed-off-by: Nicolai Hähnle <nicolai.haehnle@amd.com>
---
This does not fix the random memory corruption I've been seeing.
---
 drivers/gpu/drm/ttm/ttm_bo_vm.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/drivers/gpu/drm/ttm/ttm_bo_vm.c b/drivers/gpu/drm/ttm/ttm_bo_vm.c
index a6ed9d5..750733a 100644
--- a/drivers/gpu/drm/ttm/ttm_bo_vm.c
+++ b/drivers/gpu/drm/ttm/ttm_bo_vm.c
@@ -66,8 +66,11 @@ static int ttm_bo_vm_fault_idle(struct ttm_buffer_object *bo,
 		if (vmf->flags & FAULT_FLAG_RETRY_NOWAIT)
 			goto out_unlock;
 
+		ttm_bo_reference(bo);
 		up_read(&vma->vm_mm->mmap_sem);
 		(void) fence_wait(bo->moving, true);
+		ttm_bo_unreserve(bo);
+		ttm_bo_unref(&bo);
 		goto out_unlock;
 	}
 
@@ -120,8 +123,10 @@ static int ttm_bo_vm_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
 
 		if (vmf->flags & FAULT_FLAG_ALLOW_RETRY) {
 			if (!(vmf->flags & FAULT_FLAG_RETRY_NOWAIT)) {
+				ttm_bo_reference(bo);
 				up_read(&vma->vm_mm->mmap_sem);
 				(void) ttm_bo_wait_unreserved(bo);
+				ttm_bo_unref(&bo);
 			}
 
 			return VM_FAULT_RETRY;
@@ -166,6 +171,13 @@ static int ttm_bo_vm_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
 	ret = ttm_bo_vm_fault_idle(bo, vma, vmf);
 	if (unlikely(ret != 0)) {
 		retval = ret;
+
+		if (retval == VM_FAULT_RETRY &&
+		    !(vmf->flags & FAULT_FLAG_RETRY_NOWAIT)) {
+			/* The BO has already been unreserved. */
+			return retval;
+		}
+
 		goto out_unlock;
 	}