* Why does OUT_FENCE_PTR point not to an fd (s32) but to an s64?
@ 2017-01-06 21:04 Chad Versace
2017-01-06 21:13 ` Chad Versace
2017-01-09 10:23 ` Daniel Vetter
0 siblings, 2 replies; 9+ messages in thread
From: Chad Versace @ 2017-01-06 21:04 UTC (permalink / raw)
To: dri-devel, Gustavo Padovan, Daniel Vetter, Rob Clark, Chris Wilson
Was this a mistake in the API? If so, can we fix this ABI mistake before
kernel consumers rely on this?
I naïvely expected that OUT_FENCE_PTR would be a pointer to, obviously, a fence
fd (s32 __user *). But it's not. It's s64 __user *. Due to that surprise, I
spent several hours chasing down weird corruption in Rob Clark's kmscube. The
kernel unexpectedly cleared the 32 bits *above* an `int kms_fence_fd` in
userspace.
For reference, here's the relevant DRM code.
// file: drivers/gpu/drm/drm_atomic.c
struct drm_out_fence_state {
s64 __user *out_fence_ptr;
struct sync_file *sync_file;
int fd;
};
static int setup_out_fence(struct drm_out_fence_state *fence_state,
struct dma_fence *fence)
{
fence_state->fd = get_unused_fd_flags(O_CLOEXEC);
if (fence_state->fd < 0)
return fence_state->fd;
if (put_user(fence_state->fd, fence_state->out_fence_ptr))
return -EFAULT;
fence_state->sync_file = sync_file_create(fence);
if (!fence_state->sync_file)
return -ENOMEM;
return 0;
}
_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: Why does OUT_FENCE_PTR point not to an fd (s32) but to an s64?
2017-01-06 21:04 Why does OUT_FENCE_PTR point not to an fd (s32) but to an s64? Chad Versace
@ 2017-01-06 21:13 ` Chad Versace
2017-01-09 10:23 ` Daniel Vetter
1 sibling, 0 replies; 9+ messages in thread
From: Chad Versace @ 2017-01-06 21:13 UTC (permalink / raw)
To: dri-devel, Gustavo Padovan, Daniel Vetter, Rob Clark, Chris Wilson
+rantogno
Rafael, I finally discovered the source of the bug I was hitting.
On Fri 06 Jan 2017, Chad Versace wrote:
> Was this a mistake in the API? If so, can we fix this ABI mistake before
> kernel consumers rely on this?
>
> I naïvely expected that OUT_FENCE_PTR would be a pointer to, obviously, a fence
> fd (s32 __user *). But it's not. It's s64 __user *. Due to that surprise, I
> spent several hours chasing down weird corruption in Rob Clark's kmscube. The
> kernel unexpectedly cleared the 32 bits *above* an `int kms_fence_fd` in
> userspace.
>
> For reference, here's the relevant DRM code.
>
> // file: drivers/gpu/drm/drm_atomic.c
> struct drm_out_fence_state {
> s64 __user *out_fence_ptr;
> struct sync_file *sync_file;
> int fd;
> };
>
> static int setup_out_fence(struct drm_out_fence_state *fence_state,
> struct dma_fence *fence)
> {
> fence_state->fd = get_unused_fd_flags(O_CLOEXEC);
> if (fence_state->fd < 0)
> return fence_state->fd;
>
> if (put_user(fence_state->fd, fence_state->out_fence_ptr))
> return -EFAULT;
>
> fence_state->sync_file = sync_file_create(fence);
> if (!fence_state->sync_file)
> return -ENOMEM;
>
> return 0;
> }
> _______________________________________________
> dri-devel mailing list
> dri-devel@lists.freedesktop.org
> https://lists.freedesktop.org/mailman/listinfo/dri-devel
_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: Why does OUT_FENCE_PTR point not to an fd (s32) but to an s64?
2017-01-06 21:04 Why does OUT_FENCE_PTR point not to an fd (s32) but to an s64? Chad Versace
2017-01-06 21:13 ` Chad Versace
@ 2017-01-09 10:23 ` Daniel Vetter
2017-01-10 20:58 ` Laurent Pinchart
1 sibling, 1 reply; 9+ messages in thread
From: Daniel Vetter @ 2017-01-09 10:23 UTC (permalink / raw)
To: Chad Versace, dri-devel, Gustavo Padovan, Daniel Vetter,
Rob Clark, Chris Wilson
On Fri, Jan 06, 2017 at 01:04:55PM -0800, Chad Versace wrote:
> Was this a mistake in the API? If so, can we fix this ABI mistake before
> kernel consumers rely on this?
>
> I naïvely expected that OUT_FENCE_PTR would be a pointer to, obviously, a fence
> fd (s32 __user *). But it's not. It's s64 __user *. Due to that surprise, I
> spent several hours chasing down weird corruption in Rob Clark's kmscube. The
> kernel unexpectedly cleared the 32 bits *above* an `int kms_fence_fd` in
> userspace.
Never use unsized types for uabi. I guess we could have used s32, but then
someone is going to store this in a long and it goes boom on 64 bit, while
it works on 32 bit. "int" doesn't have that problem directly, but it's
still a red flag imo.
-Daniel
>
> For reference, here's the relevant DRM code.
>
> // file: drivers/gpu/drm/drm_atomic.c
> struct drm_out_fence_state {
> s64 __user *out_fence_ptr;
> struct sync_file *sync_file;
> int fd;
> };
>
> static int setup_out_fence(struct drm_out_fence_state *fence_state,
> struct dma_fence *fence)
> {
> fence_state->fd = get_unused_fd_flags(O_CLOEXEC);
> if (fence_state->fd < 0)
> return fence_state->fd;
>
> if (put_user(fence_state->fd, fence_state->out_fence_ptr))
> return -EFAULT;
>
> fence_state->sync_file = sync_file_create(fence);
> if (!fence_state->sync_file)
> return -ENOMEM;
>
> return 0;
> }
--
Daniel Vetter
Software Engineer, Intel Corporation
http://blog.ffwll.ch
_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: Why does OUT_FENCE_PTR point not to an fd (s32) but to an s64?
2017-01-09 10:23 ` Daniel Vetter
@ 2017-01-10 20:58 ` Laurent Pinchart
2017-01-12 19:17 ` Gustavo Padovan
0 siblings, 1 reply; 9+ messages in thread
From: Laurent Pinchart @ 2017-01-10 20:58 UTC (permalink / raw)
To: dri-devel; +Cc: Chad Versace
Hi Daniel,
On Monday 09 Jan 2017 11:23:23 Daniel Vetter wrote:
> On Fri, Jan 06, 2017 at 01:04:55PM -0800, Chad Versace wrote:
> > Was this a mistake in the API? If so, can we fix this ABI mistake before
> > kernel consumers rely on this?
> >
> > I naïvely expected that OUT_FENCE_PTR would be a pointer to, obviously, a
> > fence fd (s32 __user *). But it's not. It's s64 __user *. Due to that
> > surprise, I spent several hours chasing down weird corruption in Rob
> > Clark's kmscube. The kernel unexpectedly cleared the 32 bits *above* an
> > `int kms_fence_fd` in userspace.
>
> Never use unsized types for uabi. I guess we could have used s32, but then
> someone is going to store this in a long and it goes boom on 64 bit,
Why so ? And why do we care ? The commonly accepted practice is to store file
descriptors in int variables. s32 is an int on all platforms, so that's fine
too. If we use a s32 pointer here, and someone decides to store it in a long,
bool or cast it to a complex, that's their problem :-)
> while it works on 32 bit. "int" doesn't have that problem directly, but it's
> still a red flag imo.
>
> > For reference, here's the relevant DRM code.
> >
> > // file: drivers/gpu/drm/drm_atomic.c
> > struct drm_out_fence_state {
> > s64 __user *out_fence_ptr;
> > struct sync_file *sync_file;
> > int fd;
> > };
> >
> > static int setup_out_fence(struct drm_out_fence_state *fence_state,
> > struct dma_fence *fence)
> > {
> > fence_state->fd = get_unused_fd_flags(O_CLOEXEC);
> > if (fence_state->fd < 0)
> > return fence_state->fd;
> >
> > if (put_user(fence_state->fd, fence_state->out_fence_ptr))
> > return -EFAULT;
> >
> > fence_state->sync_file = sync_file_create(fence);
> > if (!fence_state->sync_file)
> > return -ENOMEM;
> >
> > return 0;
> > }
--
Regards,
Laurent Pinchart
_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: Why does OUT_FENCE_PTR point not to an fd (s32) but to an s64?
2017-01-10 20:58 ` Laurent Pinchart
@ 2017-01-12 19:17 ` Gustavo Padovan
2017-01-12 19:26 ` Daniel Vetter
0 siblings, 1 reply; 9+ messages in thread
From: Gustavo Padovan @ 2017-01-12 19:17 UTC (permalink / raw)
To: Laurent Pinchart; +Cc: Chad Versace, dri-devel
2017-01-10 Laurent Pinchart <laurent.pinchart@ideasonboard.com>:
> Hi Daniel,
>
> On Monday 09 Jan 2017 11:23:23 Daniel Vetter wrote:
> > On Fri, Jan 06, 2017 at 01:04:55PM -0800, Chad Versace wrote:
> > > Was this a mistake in the API? If so, can we fix this ABI mistake before
> > > kernel consumers rely on this?
> > >
> > > I naïvely expected that OUT_FENCE_PTR would be a pointer to, obviously, a
> > > fence fd (s32 __user *). But it's not. It's s64 __user *. Due to that
> > > surprise, I spent several hours chasing down weird corruption in Rob
> > > Clark's kmscube. The kernel unexpectedly cleared the 32 bits *above* an
> > > `int kms_fence_fd` in userspace.
> >
> > Never use unsized types for uabi. I guess we could have used s32, but then
> > someone is going to store this in a long and it goes boom on 64 bit,
>
> Why so ? And why do we care ? The commonly accepted practice is to store file
> descriptors in int variables. s32 is an int on all platforms, so that's fine
> too. If we use a s32 pointer here, and someone decides to store it in a long,
> bool or cast it to a complex, that's their problem :-)
The only thing that really needs to be s64 here is the OUT_FENCE_PTR
property in the Atomic interface because we carry a pointer there, but
all the manipulation after that is actually done after can easily be
done on s32 or int.
We can't expect that userspace will know that we store as s64 and clear
the bits above if a int was passed down. if we use s32 we will be in
complaince with other linux apis that deals with fds. I'd say we fix
this before it can cause more damage out there.
Gustavo
_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: Why does OUT_FENCE_PTR point not to an fd (s32) but to an s64?
2017-01-12 19:17 ` Gustavo Padovan
@ 2017-01-12 19:26 ` Daniel Vetter
2017-01-12 19:29 ` Laurent Pinchart
0 siblings, 1 reply; 9+ messages in thread
From: Daniel Vetter @ 2017-01-12 19:26 UTC (permalink / raw)
To: Gustavo Padovan, Laurent Pinchart, dri-devel, Daniel Vetter,
Chad Versace, Rob Clark, Chris Wilson
On Thu, Jan 12, 2017 at 05:17:26PM -0200, Gustavo Padovan wrote:
> 2017-01-10 Laurent Pinchart <laurent.pinchart@ideasonboard.com>:
>
> > Hi Daniel,
> >
> > On Monday 09 Jan 2017 11:23:23 Daniel Vetter wrote:
> > > On Fri, Jan 06, 2017 at 01:04:55PM -0800, Chad Versace wrote:
> > > > Was this a mistake in the API? If so, can we fix this ABI mistake before
> > > > kernel consumers rely on this?
> > > >
> > > > I naïvely expected that OUT_FENCE_PTR would be a pointer to, obviously, a
> > > > fence fd (s32 __user *). But it's not. It's s64 __user *. Due to that
> > > > surprise, I spent several hours chasing down weird corruption in Rob
> > > > Clark's kmscube. The kernel unexpectedly cleared the 32 bits *above* an
> > > > `int kms_fence_fd` in userspace.
> > >
> > > Never use unsized types for uabi. I guess we could have used s32, but then
> > > someone is going to store this in a long and it goes boom on 64 bit,
> >
> > Why so ? And why do we care ? The commonly accepted practice is to store file
> > descriptors in int variables. s32 is an int on all platforms, so that's fine
> > too. If we use a s32 pointer here, and someone decides to store it in a long,
> > bool or cast it to a complex, that's their problem :-)
>
> The only thing that really needs to be s64 here is the OUT_FENCE_PTR
> property in the Atomic interface because we carry a pointer there, but
> all the manipulation after that is actually done after can easily be
> done on s32 or int.
>
> We can't expect that userspace will know that we store as s64 and clear
> the bits above if a int was passed down. if we use s32 we will be in
> complaince with other linux apis that deals with fds. I'd say we fix
> this before it can cause more damage out there.
Changing uabi is kinda tricky, but it's still very new, so if we make sure
it gets applied everywhere and doesn't accidentally ship we can it. Iirc
fences are only in 4.10, so we should be fine ...
-Daniel
--
Daniel Vetter
Software Engineer, Intel Corporation
http://blog.ffwll.ch
_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: Why does OUT_FENCE_PTR point not to an fd (s32) but to an s64?
2017-01-12 19:26 ` Daniel Vetter
@ 2017-01-12 19:29 ` Laurent Pinchart
2017-01-12 19:34 ` Gustavo Padovan
0 siblings, 1 reply; 9+ messages in thread
From: Laurent Pinchart @ 2017-01-12 19:29 UTC (permalink / raw)
To: Daniel Vetter; +Cc: Chad Versace, dri-devel
Hi Daniel,
On Thursday 12 Jan 2017 20:26:40 Daniel Vetter wrote:
> On Thu, Jan 12, 2017 at 05:17:26PM -0200, Gustavo Padovan wrote:
> > 2017-01-10 Laurent Pinchart <laurent.pinchart@ideasonboard.com>:
> >> On Monday 09 Jan 2017 11:23:23 Daniel Vetter wrote:
> >>> On Fri, Jan 06, 2017 at 01:04:55PM -0800, Chad Versace wrote:
> >>>> Was this a mistake in the API? If so, can we fix this ABI mistake
> >>>> before kernel consumers rely on this?
> >>>>
> >>>> I naïvely expected that OUT_FENCE_PTR would be a pointer to,
> >>>> obviously, a fence fd (s32 __user *). But it's not. It's s64 __user
> >>>> *. Due to that surprise, I spent several hours chasing down weird
> >>>> corruption in Rob Clark's kmscube. The kernel unexpectedly cleared
> >>>> the 32 bits *above* an `int kms_fence_fd` in userspace.
> >>>
> >>> Never use unsized types for uabi. I guess we could have used s32, but
> >>> then someone is going to store this in a long and it goes boom on 64
> >>> bit,
> >>
> >> Why so ? And why do we care ? The commonly accepted practice is to store
> >> file descriptors in int variables. s32 is an int on all platforms, so
> >> that's fine too. If we use a s32 pointer here, and someone decides to
> >> store it in a long, bool or cast it to a complex, that's their problem
> >> :-)
> >
> > The only thing that really needs to be s64 here is the OUT_FENCE_PTR
> > property in the Atomic interface because we carry a pointer there, but
> > all the manipulation after that is actually done after can easily be
> > done on s32 or int.
> >
> > We can't expect that userspace will know that we store as s64 and clear
> > the bits above if a int was passed down. if we use s32 we will be in
> > complaince with other linux apis that deals with fds. I'd say we fix
> > this before it can cause more damage out there.
>
> Changing uabi is kinda tricky, but it's still very new, so if we make sure
> it gets applied everywhere and doesn't accidentally ship we can it. Iirc
> fences are only in 4.10, so we should be fine ...
Correct. That sounds good to me, there's still time for a v4.10-rc fix.
--
Regards,
Laurent Pinchart
_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: Why does OUT_FENCE_PTR point not to an fd (s32) but to an s64?
2017-01-12 19:29 ` Laurent Pinchart
@ 2017-01-12 19:34 ` Gustavo Padovan
2017-01-13 21:31 ` Chad Versace
0 siblings, 1 reply; 9+ messages in thread
From: Gustavo Padovan @ 2017-01-12 19:34 UTC (permalink / raw)
To: Laurent Pinchart; +Cc: Chad Versace, dri-devel
2017-01-12 Laurent Pinchart <laurent.pinchart@ideasonboard.com>:
> Hi Daniel,
>
> On Thursday 12 Jan 2017 20:26:40 Daniel Vetter wrote:
> > On Thu, Jan 12, 2017 at 05:17:26PM -0200, Gustavo Padovan wrote:
> > > 2017-01-10 Laurent Pinchart <laurent.pinchart@ideasonboard.com>:
> > >> On Monday 09 Jan 2017 11:23:23 Daniel Vetter wrote:
> > >>> On Fri, Jan 06, 2017 at 01:04:55PM -0800, Chad Versace wrote:
> > >>>> Was this a mistake in the API? If so, can we fix this ABI mistake
> > >>>> before kernel consumers rely on this?
> > >>>>
> > >>>> I naïvely expected that OUT_FENCE_PTR would be a pointer to,
> > >>>> obviously, a fence fd (s32 __user *). But it's not. It's s64 __user
> > >>>> *. Due to that surprise, I spent several hours chasing down weird
> > >>>> corruption in Rob Clark's kmscube. The kernel unexpectedly cleared
> > >>>> the 32 bits *above* an `int kms_fence_fd` in userspace.
> > >>>
> > >>> Never use unsized types for uabi. I guess we could have used s32, but
> > >>> then someone is going to store this in a long and it goes boom on 64
> > >>> bit,
> > >>
> > >> Why so ? And why do we care ? The commonly accepted practice is to store
> > >> file descriptors in int variables. s32 is an int on all platforms, so
> > >> that's fine too. If we use a s32 pointer here, and someone decides to
> > >> store it in a long, bool or cast it to a complex, that's their problem
> > >> :-)
> > >
> > > The only thing that really needs to be s64 here is the OUT_FENCE_PTR
> > > property in the Atomic interface because we carry a pointer there, but
> > > all the manipulation after that is actually done after can easily be
> > > done on s32 or int.
> > >
> > > We can't expect that userspace will know that we store as s64 and clear
> > > the bits above if a int was passed down. if we use s32 we will be in
> > > complaince with other linux apis that deals with fds. I'd say we fix
> > > this before it can cause more damage out there.
> >
> > Changing uabi is kinda tricky, but it's still very new, so if we make sure
> > it gets applied everywhere and doesn't accidentally ship we can it. Iirc
> > fences are only in 4.10, so we should be fine ...
>
> Correct. That sounds good to me, there's still time for a v4.10-rc fix.
I'd expect users defining an int and hitting the issue Chad hit instead
of going to long types. So I hope we are safe here. I'll prepare a
patch to make it s32.
Gustavo
_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: Why does OUT_FENCE_PTR point not to an fd (s32) but to an s64?
2017-01-12 19:34 ` Gustavo Padovan
@ 2017-01-13 21:31 ` Chad Versace
0 siblings, 0 replies; 9+ messages in thread
From: Chad Versace @ 2017-01-13 21:31 UTC (permalink / raw)
To: Gustavo Padovan, Laurent Pinchart, Daniel Vetter, dri-devel,
Rob Clark, Chris Wilson
On Thu 12 Jan 2017, Gustavo Padovan wrote:
> 2017-01-12 Laurent Pinchart <laurent.pinchart@ideasonboard.com>:
>
> > Hi Daniel,
> >
> > On Thursday 12 Jan 2017 20:26:40 Daniel Vetter wrote:
> > > On Thu, Jan 12, 2017 at 05:17:26PM -0200, Gustavo Padovan wrote:
> > > > 2017-01-10 Laurent Pinchart <laurent.pinchart@ideasonboard.com>:
> > > >> On Monday 09 Jan 2017 11:23:23 Daniel Vetter wrote:
> > > >>> On Fri, Jan 06, 2017 at 01:04:55PM -0800, Chad Versace wrote:
> > > >>>> Was this a mistake in the API? If so, can we fix this ABI mistake
> > > >>>> before kernel consumers rely on this?
[...]
> I'd expect users defining an int and hitting the issue Chad hit instead
> of going to long types. So I hope we are safe here. I'll prepare a
> patch to make it s32.
Thanks for fixing this. I'm glad we caught it before the uabi became
frozen.
_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel
^ permalink raw reply [flat|nested] 9+ messages in thread
end of thread, other threads:[~2017-01-13 21:31 UTC | newest]
Thread overview: 9+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-01-06 21:04 Why does OUT_FENCE_PTR point not to an fd (s32) but to an s64? Chad Versace
2017-01-06 21:13 ` Chad Versace
2017-01-09 10:23 ` Daniel Vetter
2017-01-10 20:58 ` Laurent Pinchart
2017-01-12 19:17 ` Gustavo Padovan
2017-01-12 19:26 ` Daniel Vetter
2017-01-12 19:29 ` Laurent Pinchart
2017-01-12 19:34 ` Gustavo Padovan
2017-01-13 21:31 ` Chad Versace
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.