From patchwork Thu Apr 7 18:39:49 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: =?utf-8?q?Micha=C5=82_Winiarski?= X-Patchwork-Id: 8775951 Return-Path: X-Original-To: patchwork-intel-gfx@patchwork.kernel.org Delivered-To: patchwork-parsemail@patchwork1.web.kernel.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.136]) by patchwork1.web.kernel.org (Postfix) with ESMTP id C37EB9FBEA for ; Thu, 7 Apr 2016 18:40:44 +0000 (UTC) Received: from mail.kernel.org (localhost [127.0.0.1]) by mail.kernel.org (Postfix) with ESMTP id DD75020263 for ; Thu, 7 Apr 2016 18:40:43 +0000 (UTC) Received: from gabe.freedesktop.org (gabe.freedesktop.org [131.252.210.177]) by mail.kernel.org (Postfix) with ESMTP id E59E52025A for ; Thu, 7 Apr 2016 18:40:42 +0000 (UTC) Received: from gabe.freedesktop.org (localhost [127.0.0.1]) by gabe.freedesktop.org (Postfix) with ESMTP id 831626EA1F; Thu, 7 Apr 2016 18:40:42 +0000 (UTC) X-Original-To: intel-gfx@lists.freedesktop.org Delivered-To: intel-gfx@lists.freedesktop.org Received: from mga14.intel.com (mga14.intel.com [192.55.52.115]) by gabe.freedesktop.org (Postfix) with ESMTP id 9F9E66EA1F for ; Thu, 7 Apr 2016 18:40:41 +0000 (UTC) Received: from orsmga001.jf.intel.com ([10.7.209.18]) by fmsmga103.fm.intel.com with ESMTP; 07 Apr 2016 11:40:40 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.24,449,1455004800"; d="scan'208";a="927747414" Received: from irsmsx102.ger.corp.intel.com ([163.33.3.155]) by orsmga001.jf.intel.com with ESMTP; 07 Apr 2016 11:40:39 -0700 Received: from mwiniars-desk1.ger.corp.intel.com (172.28.173.39) by IRSMSX102.ger.corp.intel.com (163.33.3.155) with Microsoft SMTP Server id 14.3.248.2; Thu, 7 Apr 2016 19:40:38 +0100 From: =?UTF-8?q?Micha=C5=82=20Winiarski?= To: Date: Thu, 7 Apr 2016 20:39:49 +0200 Message-ID: <1460054389-25554-3-git-send-email-michal.winiarski@intel.com> X-Mailer: git-send-email 2.8.0 In-Reply-To: <1460054389-25554-1-git-send-email-michal.winiarski@intel.com> References: <1460054389-25554-1-git-send-email-michal.winiarski@intel.com> MIME-Version: 1.0 X-Originating-IP: [172.28.173.39] Subject: [Intel-gfx] [PATCH i-g-t 3/3] igt/gem_softpin: Add testcase for race between evict and close X-BeenThere: intel-gfx@lists.freedesktop.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: Intel graphics driver community testing & development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: intel-gfx-bounces@lists.freedesktop.org Sender: "Intel-gfx" X-Spam-Status: No, score=-5.2 required=5.0 tests=BAYES_00, RCVD_IN_DNSWL_MED, RP_MATCHES_RCVD, UNPARSEABLE_RELAY autolearn=unavailable version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP From: Artur Harasimiuk It's possible to trigger a race between vma eviction and closing the object backing it when handling colliding addresses, resulting in use-after-free. Cc: Chris Wilson Cc: Thomas Daniel Signed-off-by: Artur Harasimiuk Signed-off-by: Micha? Winiarski --- tests/gem_softpin.c | 72 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 72 insertions(+) diff --git a/tests/gem_softpin.c b/tests/gem_softpin.c index 1a9ef02..d4613bc 100644 --- a/tests/gem_softpin.c +++ b/tests/gem_softpin.c @@ -27,6 +27,7 @@ */ #include "igt.h" +#include #define EXEC_OBJECT_PINNED (1<<4) #define EXEC_OBJECT_SUPPORTS_48B_ADDRESS (1<<3) @@ -471,6 +472,74 @@ static void test_noreloc(int fd, enum sleep sleep) gem_close(fd, object[i].handle); } +#define SOFTPIN_STRESS_LOOPS 100000 + +struct evict_close_thread_data { + int fd; + int pipefd[2]; + bool stop; + pthread_mutex_t mutex; +}; + +static void *evict_close_thread(void *data) +{ + struct evict_close_thread_data *t = (struct evict_close_thread_data*)data; + uint32_t handle; + + pthread_mutex_lock(&t->mutex); + while (!t->stop) { + pthread_mutex_unlock(&t->mutex); + read(t->pipefd[0], &handle, sizeof(handle)); + gem_close(t->fd, handle); + pthread_mutex_lock(&t->mutex); + } + pthread_mutex_unlock(&t->mutex); + + return NULL; +} + +static void test_evict_close_race(int fd) +{ + pthread_t t; + struct evict_close_thread_data t_data; + unsigned int loops = SOFTPIN_STRESS_LOOPS; + const uint32_t bbe = MI_BATCH_BUFFER_END; + struct drm_i915_gem_execbuffer2 execbuf; + struct drm_i915_gem_exec_object2 object; + + memset(&execbuf, 0, sizeof(execbuf)); + memset(&object, 0, sizeof(object)); + + execbuf.buffers_ptr = (uintptr_t)&object; + execbuf.buffer_count = 1; + object.flags = EXEC_OBJECT_PINNED; + object.offset = 0; + + memset(&t_data, 0, sizeof(t_data)); + t_data.fd = fd; + igt_assert(pthread_mutex_init(&t_data.mutex, NULL) == 0); + igt_assert(pipe(t_data.pipefd) == 0); + + igt_assert(pthread_create(&t, NULL, evict_close_thread, &t_data) == 0); + + while (loops--) { + object.handle = gem_create(fd, 4096); + gem_write(fd, object.handle, 0, &bbe, sizeof(bbe)); + gem_execbuf(fd, &execbuf); + write(t_data.pipefd[1], &object.handle, sizeof(object.handle)); + } + + pthread_mutex_lock(&t_data.mutex); + t_data.stop = 1; + pthread_mutex_unlock(&t_data.mutex); + + pthread_join(t, NULL); + + close(t_data.pipefd[0]); + close(t_data.pipefd[1]); + pthread_mutex_destroy(&t_data.mutex); +} + igt_main { int fd = -1; @@ -507,6 +576,9 @@ igt_main igt_subtest("evict-hang") test_evict_hang(fd); + igt_subtest("stress-evict-close") + test_evict_close_race(fd); + igt_fixture close(fd); }