diff options
| author | Chris Wilson <chris@chris-wilson.co.uk> | 2017-02-14 07:40:01 -0500 |
|---|---|---|
| committer | Gustavo Padovan <gustavo.padovan@collabora.com> | 2017-07-14 15:09:55 -0400 |
| commit | 76250f2b743b72cb685cc51ac0cdabb32957180b (patch) | |
| tree | 1775015ba5bafa7f6e09e95cff19779101954819 /drivers/dma-buf | |
| parent | e94ac3510b6a0f696f2c442c4fc4051c8101ef12 (diff) | |
dma-buf/fence: Avoid use of uninitialised timestamp
[ 236.821534] WARNING: kmemcheck: Caught 64-bit read from uninitialized memory (ffff8802538683d0)
[ 236.828642] 420000001e7f0000000000000000000000080000000000000000000000000000
[ 236.839543] i i i i u u u u i i i i i i i i u u u u u u u u u u u u u u u u
[ 236.850420] ^
[ 236.854123] RIP: 0010:[<ffffffff81396f07>] [<ffffffff81396f07>] fence_signal+0x17/0xd0
[ 236.861313] RSP: 0018:ffff88024acd7ba0 EFLAGS: 00010282
[ 236.865027] RAX: ffffffff812f6a90 RBX: ffff8802527ca800 RCX: ffff880252cb30e0
[ 236.868801] RDX: ffff88024ac5d918 RSI: ffff880252f780e0 RDI: ffff880253868380
[ 236.872579] RBP: ffff88024acd7bc0 R08: ffff88024acd7be0 R09: 0000000000000000
[ 236.876407] R10: 0000000000000000 R11: 0000000000000000 R12: ffff880253868380
[ 236.880185] R13: ffff8802538684d0 R14: ffff880253868380 R15: ffff88024cd48e00
[ 236.883983] FS: 00007f1646d1a740(0000) GS:ffff88025d000000(0000) knlGS:0000000000000000
[ 236.890959] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 236.894702] CR2: ffff880251360318 CR3: 000000024ad21000 CR4: 00000000001406f0
[ 236.898481] [<ffffffff8130d1ad>] i915_gem_request_retire+0x1cd/0x230
[ 236.902439] [<ffffffff8130e2b3>] i915_gem_request_alloc+0xa3/0x2f0
[ 236.906435] [<ffffffff812fb1bd>] i915_gem_do_execbuffer.isra.41+0xb6d/0x18b0
[ 236.910434] [<ffffffff812fc265>] i915_gem_execbuffer2+0x95/0x1e0
[ 236.914390] [<ffffffff812ad625>] drm_ioctl+0x1e5/0x460
[ 236.918275] [<ffffffff8110d4cf>] do_vfs_ioctl+0x8f/0x5c0
[ 236.922168] [<ffffffff8110da3c>] SyS_ioctl+0x3c/0x70
[ 236.926090] [<ffffffff814b7a5f>] entry_SYSCALL_64_fastpath+0x17/0x93
[ 236.930045] [<ffffffffffffffff>] 0xffffffffffffffff
We only set the timestamp before we mark the fence as signaled. It is
done before to avoid observers having a window in which they may see the
fence as complete but no timestamp. Having it does incur a potential for
the timestamp to be written twice, and even for it to be corrupted if
the u64 write is not atomic. Instead use a new bit to record the
presence of the timestamp, and teach the readers to wait until it is set
if the fence is complete. There still remains a race where the timestamp
for the signaled fence may be shown before the fence is reported as
signaled, but that's a pre-existing error.
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Cc: Sumit Semwal <sumit.semwal@linaro.org>
Cc: Gustavo Padovan <gustavo@padovan.org>
Cc: Daniel Vetter <daniel.vetter@intel.com>
Reported-by: Rafael Antognolli <rafael.antognolli@intel.com>
Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.com>
Link: http://patchwork.freedesktop.org/patch/msgid/20170214124001.1930-1-chris@chris-wilson.co.uk
Diffstat (limited to 'drivers/dma-buf')
| -rw-r--r-- | drivers/dma-buf/dma-fence.c | 17 | ||||
| -rw-r--r-- | drivers/dma-buf/sync_debug.c | 2 | ||||
| -rw-r--r-- | drivers/dma-buf/sync_file.c | 8 |
3 files changed, 14 insertions, 13 deletions
diff --git a/drivers/dma-buf/dma-fence.c b/drivers/dma-buf/dma-fence.c index 0918d3f003d6..13556fdda2a5 100644 --- a/drivers/dma-buf/dma-fence.c +++ b/drivers/dma-buf/dma-fence.c | |||
| @@ -75,11 +75,6 @@ int dma_fence_signal_locked(struct dma_fence *fence) | |||
| 75 | if (WARN_ON(!fence)) | 75 | if (WARN_ON(!fence)) |
| 76 | return -EINVAL; | 76 | return -EINVAL; |
| 77 | 77 | ||
| 78 | if (!ktime_to_ns(fence->timestamp)) { | ||
| 79 | fence->timestamp = ktime_get(); | ||
| 80 | smp_mb__before_atomic(); | ||
| 81 | } | ||
| 82 | |||
| 83 | if (test_and_set_bit(DMA_FENCE_FLAG_SIGNALED_BIT, &fence->flags)) { | 78 | if (test_and_set_bit(DMA_FENCE_FLAG_SIGNALED_BIT, &fence->flags)) { |
| 84 | ret = -EINVAL; | 79 | ret = -EINVAL; |
| 85 | 80 | ||
| @@ -87,8 +82,11 @@ int dma_fence_signal_locked(struct dma_fence *fence) | |||
| 87 | * we might have raced with the unlocked dma_fence_signal, | 82 | * we might have raced with the unlocked dma_fence_signal, |
| 88 | * still run through all callbacks | 83 | * still run through all callbacks |
| 89 | */ | 84 | */ |
| 90 | } else | 85 | } else { |
| 86 | fence->timestamp = ktime_get(); | ||
| 87 | set_bit(DMA_FENCE_FLAG_TIMESTAMP_BIT, &fence->flags); | ||
| 91 | trace_dma_fence_signaled(fence); | 88 | trace_dma_fence_signaled(fence); |
| 89 | } | ||
| 92 | 90 | ||
| 93 | list_for_each_entry_safe(cur, tmp, &fence->cb_list, node) { | 91 | list_for_each_entry_safe(cur, tmp, &fence->cb_list, node) { |
| 94 | list_del_init(&cur->node); | 92 | list_del_init(&cur->node); |
| @@ -115,14 +113,11 @@ int dma_fence_signal(struct dma_fence *fence) | |||
| 115 | if (!fence) | 113 | if (!fence) |
| 116 | return -EINVAL; | 114 | return -EINVAL; |
| 117 | 115 | ||
| 118 | if (!ktime_to_ns(fence->timestamp)) { | ||
| 119 | fence->timestamp = ktime_get(); | ||
| 120 | smp_mb__before_atomic(); | ||
| 121 | } | ||
| 122 | |||
| 123 | if (test_and_set_bit(DMA_FENCE_FLAG_SIGNALED_BIT, &fence->flags)) | 116 | if (test_and_set_bit(DMA_FENCE_FLAG_SIGNALED_BIT, &fence->flags)) |
| 124 | return -EINVAL; | 117 | return -EINVAL; |
| 125 | 118 | ||
| 119 | fence->timestamp = ktime_get(); | ||
| 120 | set_bit(DMA_FENCE_FLAG_TIMESTAMP_BIT, &fence->flags); | ||
| 126 | trace_dma_fence_signaled(fence); | 121 | trace_dma_fence_signaled(fence); |
| 127 | 122 | ||
| 128 | if (test_bit(DMA_FENCE_FLAG_ENABLE_SIGNAL_BIT, &fence->flags)) { | 123 | if (test_bit(DMA_FENCE_FLAG_ENABLE_SIGNAL_BIT, &fence->flags)) { |
diff --git a/drivers/dma-buf/sync_debug.c b/drivers/dma-buf/sync_debug.c index c769dc653b34..bfead12390f2 100644 --- a/drivers/dma-buf/sync_debug.c +++ b/drivers/dma-buf/sync_debug.c | |||
| @@ -84,7 +84,7 @@ static void sync_print_fence(struct seq_file *s, | |||
| 84 | show ? "_" : "", | 84 | show ? "_" : "", |
| 85 | sync_status_str(status)); | 85 | sync_status_str(status)); |
| 86 | 86 | ||
| 87 | if (status) { | 87 | if (test_bit(DMA_FENCE_FLAG_TIMESTAMP_BIT, &fence->flags)) { |
| 88 | struct timespec64 ts64 = | 88 | struct timespec64 ts64 = |
| 89 | ktime_to_timespec64(fence->timestamp); | 89 | ktime_to_timespec64(fence->timestamp); |
| 90 | 90 | ||
diff --git a/drivers/dma-buf/sync_file.c b/drivers/dma-buf/sync_file.c index 2321035f6204..95f259b719fc 100644 --- a/drivers/dma-buf/sync_file.c +++ b/drivers/dma-buf/sync_file.c | |||
| @@ -375,7 +375,13 @@ static void sync_fill_fence_info(struct dma_fence *fence, | |||
| 375 | sizeof(info->driver_name)); | 375 | sizeof(info->driver_name)); |
| 376 | 376 | ||
| 377 | info->status = dma_fence_get_status(fence); | 377 | info->status = dma_fence_get_status(fence); |
| 378 | info->timestamp_ns = ktime_to_ns(fence->timestamp); | 378 | while (test_bit(DMA_FENCE_FLAG_SIGNALED_BIT, &fence->flags) && |
| 379 | !test_bit(DMA_FENCE_FLAG_TIMESTAMP_BIT, &fence->flags)) | ||
| 380 | cpu_relax(); | ||
| 381 | info->timestamp_ns = | ||
| 382 | test_bit(DMA_FENCE_FLAG_TIMESTAMP_BIT, &fence->flags) ? | ||
| 383 | ktime_to_ns(fence->timestamp) : | ||
| 384 | ktime_set(0, 0); | ||
| 379 | } | 385 | } |
| 380 | 386 | ||
| 381 | static long sync_file_ioctl_fence_info(struct sync_file *sync_file, | 387 | static long sync_file_ioctl_fence_info(struct sync_file *sync_file, |