dri-devel.lists.freedesktop.org archive mirror
 help / color / mirror / Atom feed
From: Sam Ravnborg <sam@ravnborg.org>
To: Daniel Vetter <daniel.vetter@ffwll.ch>
Cc: Daniel Vetter <daniel.vetter@intel.com>,
	Intel Graphics Development <intel-gfx@lists.freedesktop.org>,
	DRI Development <dri-devel@lists.freedesktop.org>
Subject: Re: [PATCH 21/51] drm: Use drmm_ for drm_dev_init cleanup
Date: Tue, 24 Mar 2020 22:20:46 +0100	[thread overview]
Message-ID: <20200324212046.GA24902@ravnborg.org> (raw)
In-Reply-To: <20200323144950.3018436-22-daniel.vetter@ffwll.ch>

Hi Daniel.

On Mon, Mar 23, 2020 at 03:49:20PM +0100, Daniel Vetter wrote:
> Well for the simple stuff at least, vblank, gem and minor cleanup I
> want to further split up as a demonstration.
> 
> v2: We need to clear drm_device->dev otherwise the debug drm printing
> after our cleanup hook (e.g. in drm_manged_release) will chase
> released memory and result in a use-after-free. Not really pretty, but
> oh well.
> 
> Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>
> ---
>  drivers/gpu/drm/drm_drv.c | 48 ++++++++++++++++++++-------------------
>  1 file changed, 25 insertions(+), 23 deletions(-)
> 
> diff --git a/drivers/gpu/drm/drm_drv.c b/drivers/gpu/drm/drm_drv.c
> index c80ebc6811b1..a710c53d13a8 100644
> --- a/drivers/gpu/drm/drm_drv.c
> +++ b/drivers/gpu/drm/drm_drv.c
> @@ -580,6 +580,23 @@ static void drm_fs_inode_free(struct inode *inode)
>   *    used.
>   */
>  
> +static void drm_dev_init_release(struct drm_device *dev, void *res)
> +{
> +	drm_legacy_ctxbitmap_cleanup(dev);
> +	drm_legacy_remove_map_hash(dev);
> +	drm_fs_inode_free(dev->anon_inode);
> +
> +	put_device(dev->dev);
> +	/* Prevent use-after-free in drm_managed_release when debugging is
> +	 * enabled. Slightly awkward, but can't really be helped. */
> +	dev->dev = NULL;
> +	mutex_destroy(&dev->master_mutex);
> +	mutex_destroy(&dev->clientlist_mutex);
> +	mutex_destroy(&dev->filelist_mutex);
> +	mutex_destroy(&dev->struct_mutex);
> +	drm_legacy_destroy_members(dev);
> +}
> +
>  /**
>   * drm_dev_init - Initialise new DRM device
>   * @dev: DRM device
> @@ -647,11 +664,15 @@ int drm_dev_init(struct drm_device *dev,
>  	mutex_init(&dev->clientlist_mutex);
>  	mutex_init(&dev->master_mutex);
>  
> +	ret = drmm_add_action(dev, drm_dev_init_release, NULL);
> +	if (ret)
> +		return ret;
> +
>  	dev->anon_inode = drm_fs_inode_new();
>  	if (IS_ERR(dev->anon_inode)) {
>  		ret = PTR_ERR(dev->anon_inode);
>  		DRM_ERROR("Cannot allocate anonymous inode: %d\n", ret);
> -		goto err_free;
> +		goto err;
>  	}
>  
>  	if (drm_core_check_feature(dev, DRIVER_RENDER)) {
> @@ -688,19 +709,12 @@ int drm_dev_init(struct drm_device *dev,
>  	if (drm_core_check_feature(dev, DRIVER_GEM))
>  		drm_gem_destroy(dev);
>  err_ctxbitmap:
> -	drm_legacy_ctxbitmap_cleanup(dev);
> -	drm_legacy_remove_map_hash(dev);
>  err_minors:
>  	drm_minor_free(dev, DRM_MINOR_PRIMARY);
>  	drm_minor_free(dev, DRM_MINOR_RENDER);
> -	drm_fs_inode_free(dev->anon_inode);
> -err_free:
> -	put_device(dev->dev);
> -	mutex_destroy(&dev->master_mutex);
> -	mutex_destroy(&dev->clientlist_mutex);
> -	mutex_destroy(&dev->filelist_mutex);
> -	mutex_destroy(&dev->struct_mutex);
> -	drm_legacy_destroy_members(dev);
> +err:
> +	drm_managed_release(dev);
If for example drmm_add_action() fails this will call the following
functions without their init parts called:

    drm_legacy_ctxbitmap_cleanup(dev);

        This function do:
	    mutex_lock(&dev->struct_mutex);
            idr_destroy(&dev->ctx_idr);
            mutex_unlock(&dev->struct_mutex);
        Use of struct_mutex - OK
	Call to idr_destroy() - I could not convince myself this was OK.
	But I did not look too deep into idr_destroy() - thsi is unknown
	land for me.

    drm_legacy_remove_map_hash(dev);

        This function do:
	    drm_ht_remove(&dev->map_hash); =>
	        if ((&dev->map_hash)->table) {

        ->table is NULL is init fucntion is not called - OK


    drm_fs_inode_free(dev->anon_inode);

      NOP if anon_inode is NULL - OK

So if idr_destroy() call is OK then error handling looks OK
and the patch is:
Reviewed-by: Sam Ravnborg <sam@ravnborg.org>

The error handling is even nicer later in this series.
But I looked only at this patch for now.

	Sam



> +
>  	return ret;
>  }
>  EXPORT_SYMBOL(drm_dev_init);
> @@ -763,20 +777,8 @@ void drm_dev_fini(struct drm_device *dev)
>  	if (drm_core_check_feature(dev, DRIVER_GEM))
>  		drm_gem_destroy(dev);
>  
> -	drm_legacy_ctxbitmap_cleanup(dev);
> -	drm_legacy_remove_map_hash(dev);
> -	drm_fs_inode_free(dev->anon_inode);
> -
>  	drm_minor_free(dev, DRM_MINOR_PRIMARY);
>  	drm_minor_free(dev, DRM_MINOR_RENDER);
> -
> -	put_device(dev->dev);
> -
> -	mutex_destroy(&dev->master_mutex);
> -	mutex_destroy(&dev->clientlist_mutex);
> -	mutex_destroy(&dev->filelist_mutex);
> -	mutex_destroy(&dev->struct_mutex);
> -	drm_legacy_destroy_members(dev);
>  }
>  EXPORT_SYMBOL(drm_dev_fini);
>  
> -- 
> 2.25.1
> 
> _______________________________________________
> dri-devel mailing list
> dri-devel@lists.freedesktop.org
> https://lists.freedesktop.org/mailman/listinfo/dri-devel
_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel

  reply	other threads:[~2020-03-24 21:20 UTC|newest]

Thread overview: 78+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-03-23 14:48 [PATCH 00/51] drm_device managed resources, v5 Daniel Vetter
2020-03-23 14:49 ` [PATCH 01/51] mm/sl[uo]b: export __kmalloc_track(_node)_caller Daniel Vetter
2020-03-26 13:46   ` Daniel Vetter
2020-03-23 14:49 ` [PATCH 02/51] drm/i915: Don't clear drvdata in ->release Daniel Vetter
2020-03-25 18:20   ` [Intel-gfx] " Jani Nikula
2020-03-26 13:15     ` Jani Nikula
2020-03-23 14:49 ` [PATCH 03/51] drm: add managed resources tied to drm_device Daniel Vetter
2020-03-23 18:36   ` Sam Ravnborg
2020-03-24 12:45   ` [PATCH] " Daniel Vetter
2020-03-23 14:49 ` [PATCH 04/51] drm: Set final_kfree in drm_dev_alloc Daniel Vetter
2020-03-23 14:49 ` [PATCH 05/51] drm/mipi_dbi: Use drmm_add_final_kfree in all drivers Daniel Vetter
2020-03-23 14:49 ` [PATCH 06/51] drm/udl: Use drmm_add_final_kfree Daniel Vetter
2020-03-23 14:49 ` [PATCH 07/51] drm/qxl: " Daniel Vetter
2020-03-23 14:49 ` [PATCH 08/51] drm/i915: " Daniel Vetter
2020-03-26 13:10   ` Jani Nikula
2020-03-26 13:33     ` Daniel Vetter
2020-03-23 14:49 ` [PATCH 09/51] drm/cirrus: " Daniel Vetter
2020-03-23 14:49 ` [PATCH 10/51] drm/v3d: " Daniel Vetter
2020-03-23 14:49 ` [PATCH 11/51] drm/tidss: " Daniel Vetter
2020-03-23 14:49 ` [PATCH 12/51] drm/mcde: " Daniel Vetter
2020-03-23 14:49 ` [PATCH 13/51] drm/vgem: " Daniel Vetter
2020-03-23 14:49 ` [PATCH 14/51] drm/vkms: " Daniel Vetter
2020-03-23 14:49 ` [PATCH 15/51] drm/repaper: " Daniel Vetter
2020-03-23 14:49 ` [PATCH 16/51] drm/ingenic: " Daniel Vetter
2020-03-23 14:49 ` [PATCH 17/51] drm/gm12u320: " Daniel Vetter
2020-03-23 14:49 ` [PATCH 18/51] drm/<drivers>: " Daniel Vetter
2020-03-23 14:49 ` [PATCH 19/51] drm: Cleanups after drmm_add_final_kfree rollout Daniel Vetter
2020-04-02  0:50   ` Laurent Pinchart
2020-04-02  5:17     ` Daniel Vetter
2020-04-02  9:39       ` Laurent Pinchart
2020-04-02  9:50         ` Daniel Vetter
2020-03-23 14:49 ` [PATCH 20/51] drm: Handle dev->unique with drmm_ Daniel Vetter
2020-03-23 14:49 ` [PATCH 21/51] drm: Use drmm_ for drm_dev_init cleanup Daniel Vetter
2020-03-24 21:20   ` Sam Ravnborg [this message]
2020-03-23 14:49 ` [PATCH 22/51] drm: manage drm_minor cleanup with drmm_ Daniel Vetter
2020-03-24  8:54   ` Thomas Zimmermann
2020-03-24 20:39   ` [PATCH] " Daniel Vetter
2020-03-24 21:42     ` Sam Ravnborg
2020-03-25  9:09       ` Daniel Vetter
2020-03-24 21:36   ` [PATCH 22/51] " Sam Ravnborg
2020-03-25  9:07     ` Daniel Vetter
2020-03-23 14:49 ` [PATCH 23/51] drm: Manage drm_gem_init " Daniel Vetter
2020-03-23 14:49 ` [PATCH 24/51] drm: Manage drm_vblank_cleanup " Daniel Vetter
2020-03-23 14:49 ` [PATCH 25/51] drm: Garbage collect drm_dev_fini Daniel Vetter
2020-03-23 14:49 ` [PATCH 26/51] drm: Manage drm_mode_config_init with drmm_ Daniel Vetter
2020-03-23 14:49 ` [PATCH 27/51] drm/bochs: Remove leftover drm_atomic_helper_shutdown Daniel Vetter
2020-03-23 14:49 ` [PATCH 28/51] drm/bochs: Drop explicit drm_mode_config_cleanup Daniel Vetter
2020-03-23 14:49 ` [PATCH 29/51] drm/cirrus: Drop explicit drm_mode_config_cleanup call Daniel Vetter
2020-03-23 14:49 ` [PATCH 30/51] drm/cirrus: Fully embrace devm_ Daniel Vetter
2020-03-23 14:49 ` [PATCH 31/51] drm/ingenic: Drop explicit drm_mode_config_cleanup call Daniel Vetter
2020-03-23 14:49 ` [PATCH 32/51] drm/mcde: " Daniel Vetter
2020-03-23 14:49 ` [PATCH 33/51] drm/mcde: More devm_drm_dev_init Daniel Vetter
2020-03-23 14:49 ` [PATCH 34/51] drm/meson: Drop explicit drm_mode_config_cleanup call Daniel Vetter
2020-03-23 14:49 ` [PATCH 35/51] drm/pl111: " Daniel Vetter
2020-03-23 14:49 ` [PATCH 36/51] drm/rcar-du: " Daniel Vetter
2020-03-23 14:49 ` [PATCH 37/51] drm/rockchip: " Daniel Vetter
2020-03-23 14:49 ` [PATCH 38/51] drm/stm: " Daniel Vetter
2020-03-23 14:49 ` [PATCH 39/51] drm/shmob: " Daniel Vetter
2020-03-23 14:49 ` [PATCH 40/51] drm/mtk: " Daniel Vetter
2020-03-23 15:27   ` Chun-Kuang Hu
2020-03-23 14:49 ` [PATCH 41/51] drm/tidss: " Daniel Vetter
2020-03-23 14:49 ` [PATCH 42/51] drm/gm12u320: More drmm_ Daniel Vetter
2020-03-23 14:49 ` [PATCH 43/51] drm/gm12u320: Use devm_drm_dev_init Daniel Vetter
2020-03-23 14:49 ` [PATCH 44/51] drm/gm12u320: Use helpers for shutdown/suspend/resume Daniel Vetter
2020-03-23 14:49 ` [PATCH 45/51] drm/gm12u320: Simplify upload work Daniel Vetter
2020-03-23 14:49 ` [PATCH 46/51] drm/repaper: Drop explicit drm_mode_config_cleanup call Daniel Vetter
2020-03-23 14:49 ` [PATCH 47/51] drm/mipi-dbi: Move drm_mode_config_init into mipi library Daniel Vetter
2020-03-23 14:49 ` [PATCH 48/51] drm/mipi-dbi: Drop explicit drm_mode_config_cleanup call Daniel Vetter
2020-03-23 14:49 ` [PATCH 49/51] drm/udl: " Daniel Vetter
2020-03-24  8:56   ` Thomas Zimmermann
2020-03-23 14:49 ` [PATCH 50/51] drm/udl: drop drm_driver.release hook Daniel Vetter
2020-03-23 14:49 ` [PATCH 51/51] drm: Add docs for managed resources Daniel Vetter
2020-03-26 15:10 ` [PATCH 00/51] drm_device managed resources, v5 Daniel Vetter
  -- strict thread matches above, loose matches on Subject: below --
2020-03-02 22:25 [PATCH 00/51] drm_device managed resources, v4 Daniel Vetter
2020-03-02 22:26 ` [PATCH 21/51] drm: Use drmm_ for drm_dev_init cleanup Daniel Vetter
2020-03-11  9:39   ` Thomas Zimmermann
2020-03-16  9:02     ` Daniel Vetter
2020-02-27 18:14 [PATCH 00/51] drm managed resources, v3 Daniel Vetter
2020-02-27 18:14 ` [PATCH 21/51] drm: Use drmm_ for drm_dev_init cleanup Daniel Vetter
2020-02-21 21:02 [PATCH 00/51] drm managed resources, v2 Daniel Vetter
2020-02-21 21:02 ` [PATCH 21/51] drm: Use drmm_ for drm_dev_init cleanup Daniel Vetter

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20200324212046.GA24902@ravnborg.org \
    --to=sam@ravnborg.org \
    --cc=daniel.vetter@ffwll.ch \
    --cc=daniel.vetter@intel.com \
    --cc=dri-devel@lists.freedesktop.org \
    --cc=intel-gfx@lists.freedesktop.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).