* [PATCH 1/3] drm/tegra: Fix lockup on a use of staging API
@ 2017-05-12 19:00 Dmitry Osipenko
[not found] ` <20170512190044.17541-1-digetx-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
0 siblings, 1 reply; 6+ messages in thread
From: Dmitry Osipenko @ 2017-05-12 19:00 UTC (permalink / raw)
To: Thierry Reding; +Cc: linux-tegra-u79uwXL29TY76Z2rM5mHXA, DRI Development
Commit bdd2f9cd ("Don't leak kernel pointer to userspace") added a mutex
around staging IOCTL's, some of those mutexes are taken twice.
Fixes: bdd2f9cd10eb ("drm/tegra: Don't leak kernel pointer to userspace")
Signed-off-by: Dmitry Osipenko <digetx-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
---
drivers/gpu/drm/tegra/drm.c | 20 ++++----------------
1 file changed, 4 insertions(+), 16 deletions(-)
diff --git a/drivers/gpu/drm/tegra/drm.c b/drivers/gpu/drm/tegra/drm.c
index ab2dfd4e4bd9..768750226452 100644
--- a/drivers/gpu/drm/tegra/drm.c
+++ b/drivers/gpu/drm/tegra/drm.c
@@ -430,18 +430,6 @@ int tegra_drm_submit(struct tegra_drm_context *context,
#ifdef CONFIG_DRM_TEGRA_STAGING
-static struct tegra_drm_context *
-tegra_drm_file_get_context(struct tegra_drm_file *file, u32 id)
-{
- struct tegra_drm_context *context;
-
- mutex_lock(&file->lock);
- context = idr_find(&file->contexts, id);
- mutex_unlock(&file->lock);
-
- return context;
-}
-
static int tegra_gem_create(struct drm_device *drm, void *data,
struct drm_file *file)
{
@@ -585,7 +573,7 @@ static int tegra_close_channel(struct drm_device *drm, void *data,
mutex_lock(&fpriv->lock);
- context = tegra_drm_file_get_context(fpriv, args->context);
+ context = idr_find(&fpriv->contexts, args->context);
if (!context) {
err = -EINVAL;
goto unlock;
@@ -610,7 +598,7 @@ static int tegra_get_syncpt(struct drm_device *drm, void *data,
mutex_lock(&fpriv->lock);
- context = tegra_drm_file_get_context(fpriv, args->context);
+ context = idr_find(&fpriv->contexts, args->context);
if (!context) {
err = -ENODEV;
goto unlock;
@@ -639,7 +627,7 @@ static int tegra_submit(struct drm_device *drm, void *data,
mutex_lock(&fpriv->lock);
- context = tegra_drm_file_get_context(fpriv, args->context);
+ context = idr_find(&fpriv->contexts, args->context);
if (!context) {
err = -ENODEV;
goto unlock;
@@ -664,7 +652,7 @@ static int tegra_get_syncpt_base(struct drm_device *drm, void *data,
mutex_lock(&fpriv->lock);
- context = tegra_drm_file_get_context(fpriv, args->context);
+ context = idr_find(&fpriv->contexts, args->context);
if (!context) {
err = -ENODEV;
goto unlock;
--
2.12.2
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [PATCH 2/3] drm/tegra: Correct idr_alloc() minimum id
[not found] ` <20170512190044.17541-1-digetx-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
@ 2017-05-12 19:00 ` Dmitry Osipenko
[not found] ` <20170512190044.17541-2-digetx-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
2017-05-14 11:33 ` [PATCH 1/3] drm/tegra: Fix lockup on a use of staging API Mikko Perttunen
1 sibling, 1 reply; 6+ messages in thread
From: Dmitry Osipenko @ 2017-05-12 19:00 UTC (permalink / raw)
To: Thierry Reding; +Cc: linux-tegra-u79uwXL29TY76Z2rM5mHXA, DRI Development
The start = 0 is invalid and causes weird CDMA channel timeouts, presumably
some memory misuse/corruption is going on.
Fixes: bdd2f9cd10eb ("drm/tegra: Don't leak kernel pointer to userspace")
Signed-off-by: Dmitry Osipenko <digetx-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
---
drivers/gpu/drm/tegra/drm.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/tegra/drm.c b/drivers/gpu/drm/tegra/drm.c
index 768750226452..732c8d98044f 100644
--- a/drivers/gpu/drm/tegra/drm.c
+++ b/drivers/gpu/drm/tegra/drm.c
@@ -518,7 +518,7 @@ static int tegra_client_open(struct tegra_drm_file *fpriv,
if (err < 0)
return err;
- err = idr_alloc(&fpriv->contexts, context, 0, 0, GFP_KERNEL);
+ err = idr_alloc(&fpriv->contexts, context, 1, 0, GFP_KERNEL);
if (err < 0) {
client->ops->close_channel(context);
return err;
--
2.12.2
^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: [PATCH 1/3] drm/tegra: Fix lockup on a use of staging API
[not found] ` <20170512190044.17541-1-digetx-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
2017-05-12 19:00 ` [PATCH 2/3] drm/tegra: Correct idr_alloc() minimum id Dmitry Osipenko
@ 2017-05-14 11:33 ` Mikko Perttunen
1 sibling, 0 replies; 6+ messages in thread
From: Mikko Perttunen @ 2017-05-14 11:33 UTC (permalink / raw)
To: Dmitry Osipenko, Thierry Reding
Cc: linux-tegra-u79uwXL29TY76Z2rM5mHXA, DRI Development
Reviewed-by: Mikko Perttunen <mperttunen-DDmLM1+adcrQT0dZR+AlfA@public.gmane.org>
On 05/12/2017 10:00 PM, Dmitry Osipenko wrote:
> Commit bdd2f9cd ("Don't leak kernel pointer to userspace") added a mutex
> around staging IOCTL's, some of those mutexes are taken twice.
>
> Fixes: bdd2f9cd10eb ("drm/tegra: Don't leak kernel pointer to userspace")
> Signed-off-by: Dmitry Osipenko <digetx-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
> ---
> drivers/gpu/drm/tegra/drm.c | 20 ++++----------------
> 1 file changed, 4 insertions(+), 16 deletions(-)
>
> diff --git a/drivers/gpu/drm/tegra/drm.c b/drivers/gpu/drm/tegra/drm.c
> index ab2dfd4e4bd9..768750226452 100644
> --- a/drivers/gpu/drm/tegra/drm.c
> +++ b/drivers/gpu/drm/tegra/drm.c
> @@ -430,18 +430,6 @@ int tegra_drm_submit(struct tegra_drm_context *context,
>
>
> #ifdef CONFIG_DRM_TEGRA_STAGING
> -static struct tegra_drm_context *
> -tegra_drm_file_get_context(struct tegra_drm_file *file, u32 id)
> -{
> - struct tegra_drm_context *context;
> -
> - mutex_lock(&file->lock);
> - context = idr_find(&file->contexts, id);
> - mutex_unlock(&file->lock);
> -
> - return context;
> -}
> -
> static int tegra_gem_create(struct drm_device *drm, void *data,
> struct drm_file *file)
> {
> @@ -585,7 +573,7 @@ static int tegra_close_channel(struct drm_device *drm, void *data,
>
> mutex_lock(&fpriv->lock);
>
> - context = tegra_drm_file_get_context(fpriv, args->context);
> + context = idr_find(&fpriv->contexts, args->context);
> if (!context) {
> err = -EINVAL;
> goto unlock;
> @@ -610,7 +598,7 @@ static int tegra_get_syncpt(struct drm_device *drm, void *data,
>
> mutex_lock(&fpriv->lock);
>
> - context = tegra_drm_file_get_context(fpriv, args->context);
> + context = idr_find(&fpriv->contexts, args->context);
> if (!context) {
> err = -ENODEV;
> goto unlock;
> @@ -639,7 +627,7 @@ static int tegra_submit(struct drm_device *drm, void *data,
>
> mutex_lock(&fpriv->lock);
>
> - context = tegra_drm_file_get_context(fpriv, args->context);
> + context = idr_find(&fpriv->contexts, args->context);
> if (!context) {
> err = -ENODEV;
> goto unlock;
> @@ -664,7 +652,7 @@ static int tegra_get_syncpt_base(struct drm_device *drm, void *data,
>
> mutex_lock(&fpriv->lock);
>
> - context = tegra_drm_file_get_context(fpriv, args->context);
> + context = idr_find(&fpriv->contexts, args->context);
> if (!context) {
> err = -ENODEV;
> goto unlock;
>
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH 2/3] drm/tegra: Correct idr_alloc() minimum id
[not found] ` <20170512190044.17541-2-digetx-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
@ 2017-05-14 11:53 ` Mikko Perttunen
[not found] ` <b30acd8a-db8c-f43c-7c40-0064444466a0-/1wQRMveznE@public.gmane.org>
0 siblings, 1 reply; 6+ messages in thread
From: Mikko Perttunen @ 2017-05-14 11:53 UTC (permalink / raw)
To: Dmitry Osipenko, Thierry Reding
Cc: linux-tegra-u79uwXL29TY76Z2rM5mHXA, DRI Development
On 05/12/2017 10:00 PM, Dmitry Osipenko wrote:
> The start = 0 is invalid and causes weird CDMA channel timeouts, presumably
> some memory misuse/corruption is going on.
What makes you think start = 0 is invalid? I can't see anything pointing
to that in the idr code and there are many users in the kernel passing 0
as start.
>
> Fixes: bdd2f9cd10eb ("drm/tegra: Don't leak kernel pointer to userspace")
> Signed-off-by: Dmitry Osipenko <digetx-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
> ---
> drivers/gpu/drm/tegra/drm.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/gpu/drm/tegra/drm.c b/drivers/gpu/drm/tegra/drm.c
> index 768750226452..732c8d98044f 100644
> --- a/drivers/gpu/drm/tegra/drm.c
> +++ b/drivers/gpu/drm/tegra/drm.c
> @@ -518,7 +518,7 @@ static int tegra_client_open(struct tegra_drm_file *fpriv,
> if (err < 0)
> return err;
>
> - err = idr_alloc(&fpriv->contexts, context, 0, 0, GFP_KERNEL);
> + err = idr_alloc(&fpriv->contexts, context, 1, 0, GFP_KERNEL);
> if (err < 0) {
> client->ops->close_channel(context);
> return err;
>
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH 2/3] drm/tegra: Correct idr_alloc() minimum id
[not found] ` <b30acd8a-db8c-f43c-7c40-0064444466a0-/1wQRMveznE@public.gmane.org>
@ 2017-05-14 13:02 ` Dmitry Osipenko
[not found] ` <b61d6877-cbfc-9b14-93d2-cf6432452fd8-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
0 siblings, 1 reply; 6+ messages in thread
From: Dmitry Osipenko @ 2017-05-14 13:02 UTC (permalink / raw)
To: Mikko Perttunen, Thierry Reding
Cc: linux-tegra-u79uwXL29TY76Z2rM5mHXA, DRI Development
On 14.05.2017 14:53, Mikko Perttunen wrote:
> On 05/12/2017 10:00 PM, Dmitry Osipenko wrote:
>> The start = 0 is invalid and causes weird CDMA channel timeouts, presumably
>> some memory misuse/corruption is going on.
>
> What makes you think start = 0 is invalid? I can't see anything pointing to that
> in the idr code and there are many users in the kernel passing 0 as start.
>
Well, I can't see either. You are right that there are quite many others with 0
as a start, the 1 probably just masks the bug.
--
Dmitry
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH 2/3] drm/tegra: Correct idr_alloc() minimum id
[not found] ` <b61d6877-cbfc-9b14-93d2-cf6432452fd8-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
@ 2017-05-14 19:47 ` Dmitry Osipenko
0 siblings, 0 replies; 6+ messages in thread
From: Dmitry Osipenko @ 2017-05-14 19:47 UTC (permalink / raw)
To: Mikko Perttunen, Thierry Reding
Cc: linux-tegra-u79uwXL29TY76Z2rM5mHXA, DRI Development
On 14.05.2017 16:02, Dmitry Osipenko wrote:
> On 14.05.2017 14:53, Mikko Perttunen wrote:
>> On 05/12/2017 10:00 PM, Dmitry Osipenko wrote:
>>> The start = 0 is invalid and causes weird CDMA channel timeouts, presumably
>>> some memory misuse/corruption is going on.
>>
>> What makes you think start = 0 is invalid? I can't see anything pointing to that
>> in the idr code and there are many users in the kernel passing 0 as start.
>>
>
> Well, I can't see either. You are right that there are quite many others with 0
> as a start, the 1 probably just masks the bug.
>
Finally, I found the root of the issue. The job->client is set to the context ID
in the tegra_drm_submit() and the host1x_cdma sets client ID to 0 to mark CDMA
job timeout timer as already armed. I'll send V2 with a new commit description.
--
Dmitry
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2017-05-14 19:47 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-05-12 19:00 [PATCH 1/3] drm/tegra: Fix lockup on a use of staging API Dmitry Osipenko
[not found] ` <20170512190044.17541-1-digetx-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
2017-05-12 19:00 ` [PATCH 2/3] drm/tegra: Correct idr_alloc() minimum id Dmitry Osipenko
[not found] ` <20170512190044.17541-2-digetx-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
2017-05-14 11:53 ` Mikko Perttunen
[not found] ` <b30acd8a-db8c-f43c-7c40-0064444466a0-/1wQRMveznE@public.gmane.org>
2017-05-14 13:02 ` Dmitry Osipenko
[not found] ` <b61d6877-cbfc-9b14-93d2-cf6432452fd8-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
2017-05-14 19:47 ` Dmitry Osipenko
2017-05-14 11:33 ` [PATCH 1/3] drm/tegra: Fix lockup on a use of staging API Mikko Perttunen
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.