[Intel-gfx] [PATCH] drm/i915: Prevent oops on req->engine in rcu-protected peeking

Daniel Vetter daniel at ffwll.ch
Fri Aug 5 19:24:35 UTC 2016


On Fri, Aug 05, 2016 at 06:38:13PM +0100, Chris Wilson wrote:
> On Fri, Aug 05, 2016 at 06:37:00PM +0200, Daniel Vetter wrote:
> > When only rcu-protected we might peek at a reinitializing request.
> > Prevent carnage by making sure we don't accidentally chase a NULL
> > pointer.
> > 
> > The proper fix for this is to drop the memset (with kzalloc) in the
> > request allocation function, since that avoids both the NULL check in
> > these fastpaths and makes request allocation a notch lighter. But it
> > also means we need to carefully audit all the paths to make sure nothing
> > gets upset and runs into garbage. And that's a bit much on a late Friday
> > with Joonas already on w/e. Also, today is drm-intel-next tag day, and
> > this will be the tag for the first 4.9 pull request.
> > 
> > Hence this easier to review interim fix, which will be replaced early next
> > week by the proper fix Chris is working on.
> > 
> > Fixes: 0eafec6d3244 ("drm/i915: Enable lockless lookup of request...")
> > Cc: Chris Wilson <chris at chris-wilson.co.uk>
> > Cc: "Goel, Akash" <akash.goel at intel.com>
> > Cc: Daniel Vetter <daniel.vetter at ffwll.ch>
> > Cc: Joonas Lahtinen <joonas.lahtinen at linux.intel.com>
> > Signed-off-by: Daniel Vetter <daniel.vetter at ffwll.ch>
> 
> This is not complete either since we do RCU lookups elsewhere as well.

Hunting throughout the code, the only other place I've found is in
i915_gpu_error.c. Only __active_get_engine_id looks at req->engine, and it
already has a NULL check.

I know that there's plenty of your patches pending which will add tons of
lockless request lockups, but I think for a short-term fix over the w/e
this is fine. Is there another place I've missed?

Signed-off-by: Daniel Vetter <daniel.vetter at intel.com>
-- 
Daniel Vetter
Software Engineer, Intel Corporation
http://blog.ffwll.ch
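
The hazard described in the commit message above, as a userspace model added here for illustration; it is not the patch and not i915 code. The struct layouts and the names `request_reinit_zero`, `request_setup`, `peek_engine_id` and `demo_peek_during_reinit` are hypothetical, and the concurrent reader is simulated by a constructed, single-threaded interleaving.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical, simplified stand-ins for illustration; not the i915 structures. */
struct engine { int id; };
struct request { struct engine *engine; unsigned int seqno; };

/* Re-initialisation split in two steps so the demo can stop between them,
 * the way a concurrent RCU-only reader could observe the request. */
static void request_reinit_zero(struct request *rq)
{
    memset(rq, 0, sizeof(*rq)); /* the memset the commit message mentions */
}

static void request_setup(struct request *rq, struct engine *e, unsigned seqno)
{
    rq->seqno = seqno;
    rq->engine = e;
}

/* Reader fastpath with the interim NULL check. The pointer is read exactly
 * once, so the check and the dereference see the same value. Returns the
 * engine id, or -1 when the request was caught zeroed but not yet set up. */
static int peek_engine_id(const struct request *rq)
{
    struct engine *e = *(struct engine *const volatile *)&rq->engine;

    if (e == NULL)
        return -1;
    return e->id;
}

/* Constructed interleaving: peek before, during and after recycling.
 * Returns 1 when the three peeks give 0, -1 and 2 respectively. */
static int demo_peek_during_reinit(void)
{
    struct engine rcs = { .id = 0 }, bcs = { .id = 2 };
    struct request rq = { .engine = &rcs, .seqno = 1 };
    int before, during, after;

    before = peek_engine_id(&rq);
    request_reinit_zero(&rq);
    during = peek_engine_id(&rq); /* an unchecked rq->engine->id faults here */
    request_setup(&rq, &bcs, 2);
    after = peek_engine_id(&rq);
    return before == 0 && during == -1 && after == 2;
}

int main(void) { return demo_peek_during_reinit() ? 0 : 1; }
```

In this model the check only covers the window in which the pointer is zero; the third peek succeeds against a request that has since been recycled for a different engine.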

