[Intel-gfx] [PATCH 01/12] drm/i915: Assert mutex_is_locked on context lookup
Ben Widawsky
ben at bwidawsk.net
Mon May 6 19:59:15 CEST 2013
On Mon, May 06, 2013 at 11:44:22AM +0200, Daniel Vetter wrote:
> On Mon, May 06, 2013 at 11:40:06AM +0200, Daniel Vetter wrote:
> > On Thu, May 02, 2013 at 01:27:32PM -0700, Jesse Barnes wrote:
> > > On Tue, 23 Apr 2013 23:15:29 -0700
> > > Ben Widawsky <ben at bwidawsk.net> wrote:
> > >
> > > > Because our context refcounting doesn't grab a ref at lookup time, it is
> > > > unsafe to do so without the lock.
> > > >
> > > > NOTE: We don't have an easy way to put the assertion in the lookup
> > > > function which is where this really belongs. Context switching is good
> > > > enough because it actually asserts even more correctness by protecting
> > > > the default_context.
> > > >
> > > > Signed-off-by: Ben Widawsky <ben at bwidawsk.net>
> > > > ---
> > > > drivers/gpu/drm/i915/i915_gem_context.c | 2 ++
> > > > 1 file changed, 2 insertions(+)
> > > >
> > > > diff --git a/drivers/gpu/drm/i915/i915_gem_context.c b/drivers/gpu/drm/i915/i915_gem_context.c
> > > > index a1e8ecb..411ace0 100644
> > > > --- a/drivers/gpu/drm/i915/i915_gem_context.c
> > > > +++ b/drivers/gpu/drm/i915/i915_gem_context.c
> > > > @@ -444,6 +444,8 @@ int i915_switch_context(struct intel_ring_buffer *ring,
> > > > if (dev_priv->hw_contexts_disabled)
> > > > return 0;
> > > >
> > > > + BUG_ON(!mutex_is_locked(&dev_priv->dev->struct_mutex));
> > > > +
> > > > if (ring != &dev_priv->ring[RCS])
> > > > return 0;
> > > >
> > >
> > > Simple enough.
> > >
> > > Reviewed-by: Jesse Barnes <jbarnes at virtuousgeek.org>
> > >
> > > We usually do WARN_ONs for this stuff though, in case a user actually
> > > does hit it, it may not be fatal so why crash the machine?
> > >
> > > But that's a minor distinction since we shouldn't hit this except in
> > > development anyway.
> >
> > Well, since this is a patch for upstream the focus should very much be on
> > supporting bug reporters and not developers. And for bug reporters a BUG
> > is much more annoying than a WARN and greatly reduces the chances that
> > we'll get a bug report.
>
> Some more details why a WARN massively beats a BUG for us: BUG kills the
> current process and ensures all locks are stuck. Usually that means X is
> dead and you can't vt-switch away to the console to take a quick look at
> dmesg.
>
> Now even when all rendering is down the toilet due to the follow-up damage
> after the WARN and the gpu a zombie, there's a non-zero chance that
> vt-switch (or sw rendering in X) will work long enough to grab log files
> and debugfs data.
>
> Hence the first rule to only use a BUG on if we have a guaranteed OOPS
> otherwise (which again will kill the process and make all locks stuck).
> -Daniel
>
> >
> > There are imo only very few cases where a BUG instead of a WARN is
> > justified:
> > - The kernel is _guaranteed_ to oops in the next few lines anyway, so a
> > BUG_ON will help in readability of the backtrace. Note that checking 3
> > different things for non-NULL in the same BUG actually reduces OOPS
> > readability (with an oops you can at least reconstruct the faulting
> > address and so probably the pointer). Also, this means the BUG should
> > have a neat description of what exactly blew up.
> >
> > The "a few lines" part is just a guideline with some big exceptions. A
> > prime example is refcount over/underflows since those will blow up, but
> > only sometimes later (and usually no one will have a clue why).
> >
> > - BUGs are justified if there's a potential security hole awaiting, e.g.
> > when something in the userspace input validation has gone wrong.
> >
> > - I'm wary of special error handling for WARNs, but if an early return
> > (with an error code if possible) transforms a BUG into a WARN I'm in.
> > But trying to fix up e.g. modeset state is usually futile, since we'll
> > end up with a black/fuzzy/corrupted screen most likely anyway.
> >
> > But the most important rule is: In case of doubt, just WARN, don't BUG.
> >
> > [I know, I violate it sometimes, too.]
> >
> > Patch applied with the s/BUG/WARN bikeshed.
> > -Daniel
Thanks for applying the patch, it's certainly better than what we have
currently.
Why I wanted a BUG: When you get a ref to an object without holding a
lock you get a potentially unsafe pointer (to which we will be writing).
If the context object memory is freed, and we write to it, we have a
potential to late scribble over <insert your file system of choice>
memory. There is probably a similar security implication there as well.
Many of us are used to, and capable of recovering from GPU hangs, but
less of us like to deal with FS recovery.
I actually believe all "get" code like this (backed with refcounts)
should BUG and not WARN.
--
Ben Widawsky, Intel Open Source Technology Center
More information about the Intel-gfx
mailing list