[Intel-gfx] [PATCH] tests/gem_userptr_blits: Race between close and invalidate
Michał Winiarski
michal.winiarski at intel.com
Tue Feb 3 06:39:17 PST 2015
It was possible for the invalidate range start mmu notifier callback to race
with the release of a userptr object. If the object is released before the
callback takes the spinlock, we'll encounter a null pointer
dereference.
Cc: Chris Wilson <chris at chris-wilson.co.uk>
Signed-off-by: Michał Winiarski <michal.winiarski at intel.com>
---
tests/gem_userptr_blits.c | 68 +++++++++++++++++++++++++++++++++++++++++++++--
1 file changed, 66 insertions(+), 2 deletions(-)
diff --git a/tests/gem_userptr_blits.c b/tests/gem_userptr_blits.c
index be2fdf9..5864e4f 100644
--- a/tests/gem_userptr_blits.c
+++ b/tests/gem_userptr_blits.c
@@ -1179,6 +1179,8 @@ static void test_unmap_cycles(int fd, int expected)
test_unmap(fd, expected);
}
+#define MM_STRESS_LOOPS 100000
+
struct stress_thread_data {
unsigned int stop;
int exit_code;
@@ -1211,7 +1213,7 @@ static void test_stress_mm(int fd)
{
int ret;
pthread_t t;
- unsigned int loops = 100000;
+ unsigned int loops = MM_STRESS_LOOPS;
uint32_t handle;
void *ptr;
struct stress_thread_data stdata;
@@ -1239,6 +1241,62 @@ static void test_stress_mm(int fd)
igt_assert(stdata.exit_code == 0);
}
+struct userptr_close_thread_data {
+ int fd;
+ void *ptr;
+ bool overlap;
+ bool stop;
+};
+
+static void *mm_userptr_close_thread(void *data)
+{
+ int ret;
+ struct userptr_close_thread_data *t_data = (struct userptr_close_thread_data *)data;
+ int fd = t_data->fd;
+ void *ptr = t_data->ptr;
+ int handle_num = t_data->overlap ? 2 : 1;
+
+ uint32_t handle[handle_num];
+
+ while (!t_data->stop) {
+ for (int i = 0; i < handle_num; i++)
+ ret = gem_userptr(fd, ptr, PAGE_SIZE, 0, &handle[i]);
+ igt_assert(ret == 0);
+ for (int i = 0; i < handle_num; i++) {
+ gem_close(fd, handle[i]);
+ }
+ }
+
+ return NULL;
+}
+
+static void test_invalidate_close_race(int fd, bool overlap)
+{
+ int ret;
+ pthread_t t;
+ unsigned int loops = MM_STRESS_LOOPS;
+ struct userptr_close_thread_data t_data;
+
+ memset(&t_data, 0, sizeof(t_data));
+ t_data.fd = fd;
+ t_data.overlap = overlap;
+ igt_assert(posix_memalign(&t_data.ptr, PAGE_SIZE, PAGE_SIZE) == 0);
+
+ ret = pthread_create(&t, NULL, mm_userptr_close_thread, &t_data);
+ igt_assert(ret == 0);
+
+ while (loops--) {
+ mprotect(t_data.ptr, PAGE_SIZE, PROT_READ | PROT_WRITE | PROT_EXEC);
+ mprotect(t_data.ptr, PAGE_SIZE, PROT_READ | PROT_WRITE);
+ }
+
+ t_data.stop = 1;
+
+ pthread_join(t, NULL);
+
+ free(t_data.ptr);
+}
+
unsigned int total_ram;
uint64_t aperture_size;
int fd, count;
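Review bot: In mm_userptr_close_thread the first `for` loop has no braces, so `igt_assert(ret == 0)` runs once after the loop and checks only the last gem_userptr() call; in the overlap case a failure creating handle[0] goes unnoticed and gem_close() is then called on an uninitialised handle. Asserting on every iteration fixes it: `for (int i = 0; i < handle_num; i++) igt_assert(gem_userptr(fd, ptr, PAGE_SIZE, 0, &handle[i]) == 0);`. In test_invalidate_close_race the return values of both mprotect() calls are ignored, so if they fail there is likely no invalidation at all and the subtest passes without exercising the race it is meant to catch; wrapping each call in `igt_assert(... == 0)` would make that visible. The `stop` flag is a plain `bool` written by one thread and polled by the other with no synchronisation, which deserves at least a comment, or an atomic type.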
@@ -1407,7 +1465,13 @@ int main(int argc, char **argv)
test_unmap_after_close(fd);
igt_subtest("stress-mm")
- test_stress_mm(fd);
+ test_stress_mm(fd);
+
+ igt_subtest("stress-mm-invalidate-close")
+ test_invalidate_close_race(fd, false);
+
+ igt_subtest("stress-mm-invalidate-close-overlap")
+ test_invalidate_close_race(fd, true);
igt_subtest("coherency-sync")
test_coherency(fd, count);
--
2.1.0