From patchwork Fri Jan 27 20:05:31 2023
X-Patchwork-Submitter: Rob Clark
X-Patchwork-Id: 49664
From: Rob Clark
To: dri-devel@lists.freedesktop.org
Cc: Rob Clark, Jani Nikula, Joonas Lahtinen, Rodrigo Vivi, Tvrtko Ursulin, David Airlie, Daniel Vetter, Lucas De Marchi, Matt Roper, pengfuyuan, Chris Wilson, intel-gfx@lists.freedesktop.org, linux-kernel@vger.kernel.org (open list)
Subject: [PATCH] drm/i915: Fix potential bit_17 double-free
Date: Fri, 27 Jan 2023 12:05:31 -0800
Message-Id: <20230127200550.3531984-1-robdclark@gmail.com>

From: Rob Clark

A userspace with multiple threads racing I915_GEM_SET_TILING to set the tiling to I915_TILING_NONE could trigger a double free of the bit_17 bitmask. (Or conversely leak memory on the transition to tiled.)

Move allocation/free'ing of the bitmask within the section protected by the obj lock.

Fixes: e9b73c67390a ("drm/i915: Reduce memory pressure during shrinker by preallocating swizzle pages")
Signed-off-by: Rob Clark
Reviewed-by: Tvrtko Ursulin
---
 drivers/gpu/drm/i915/gem/i915_gem_tiling.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/drivers/gpu/drm/i915/gem/i915_gem_tiling.c b/drivers/gpu/drm/i915/gem/i915_gem_tiling.c index fd42b89b7162..bc21b1c2350a 100644 --- a/drivers/gpu/drm/i915/gem/i915_gem_tiling.c +++ b/drivers/gpu/drm/i915/gem/i915_gem_tiling.c 
@@ -298,36 +298,37 @@ i915_gem_object_set_tiling(struct drm_i915_gem_object *obj, vma->fence_alignment = i915_gem_fence_alignment(i915, vma->size, tiling, stride); if (vma->fence) vma->fence->dirty = true; } spin_unlock(&obj->vma.lock); obj->tiling_and_stride = tiling | stride; - i915_gem_object_unlock(obj); - - /* Force the fence to be reacquired for GTT access */ - i915_gem_object_release_mmap_gtt(obj); /* Try to preallocate memory required to save swizzling on put-pages */ if (i915_gem_object_needs_bit17_swizzle(obj)) { if (!obj->bit_17) { obj->bit_17 = bitmap_zalloc(obj->base.size >> PAGE_SHIFT, GFP_KERNEL); } } else { bitmap_free(obj->bit_17); obj->bit_17 = NULL; } + i915_gem_object_unlock(obj); + + /* Force the fence to be reacquired for GTT access */ + i915_gem_object_release_mmap_gtt(obj); + return 0; } /** * i915_gem_set_tiling_ioctl - IOCTL handler to set tiling mode * @dev: DRM device * @data: data pointer for the ioctl * @file: DRM file for the ioctl call * * Sets the tiling mode of an object, returning the required swizzling of
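
Review bot: in the bit_17 block, the bitmap_zalloc(obj->base.size >> PAGE_SHIFT, GFP_KERNEL) call now runs before i915_gem_object_unlock(obj), so a sleeping allocation is made with the object lock held, and the commit named in Fixes: concerns shrinker memory pressure; the commit message should say why allocating under this lock is acceptable. The return value of bitmap_zalloc() is also unchecked and the function still returns 0, which fits the "Try to preallocate" comment, but that comment should say whether a NULL obj->bit_17 is tolerated by the put-pages path. A one-line comment at the block stating that obj->bit_17 is protected by the object lock would keep a later reorder of the unlock from reintroducing the race.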