[Intel-gfx] [PATCH] drm/syncobj: Stop reusing the same struct file for all syncobj -> fd

Daniel Vetter daniel at ffwll.ch
Tue Dec 19 12:28:49 UTC 2017 

On Tue, Dec 19, 2017 at 12:07:00PM +0000, Chris Wilson wrote:
> The vk cts test:
> dEQP-VK.api.external.semaphore.opaque_fd.export_multiple_times_temporary
> 
> triggers a lot of
> VFS: Close: file count is 0
> 
> Dave pointed out that clearing the syncobj->file from
> drm_syncobj_file_release() was sufficient to silence the test, but that
> opens a can of worm since we assumed that the syncobj->file was never
> unset. Stop trying to reuse the same struct file for every fd pointing
> to the drm_syncobj, and allocate one file for each fd instead.

It's worse: syncobj->file points to a refcounted thing, and we never did
grab a reference for it. This is a classic use-after-free thing :-)

> Reported-by: Dave Airlie <airlied at redhat.com>
> Signed-off-by: Chris Wilson <chris at chris-wilson.co.uk>
> Cc: Dave Airlie <airlied at redhat.com>

Assuming it doesn't break the vk testsuite:

Reviewed-by: Daniel Vetter <daniel.vetter at ffwll.ch>

Also an igt for this would be nice:
1. create syncobj
2. export to fd
3. close fd, note that now syncobj->file points to a freed struct file
4. reexport -> BOOM

Cheers, Daniel

> ---
>  drivers/gpu/drm/drm_syncobj.c | 74 +++++++++++++++----------------------------
>  include/drm/drm_syncobj.h     |  4 ---
>  2 files changed, 26 insertions(+), 52 deletions(-)
> 
> diff --git a/drivers/gpu/drm/drm_syncobj.c b/drivers/gpu/drm/drm_syncobj.c
> index 131695915acd..0cca2e792719 100644
> --- a/drivers/gpu/drm/drm_syncobj.c
> +++ b/drivers/gpu/drm/drm_syncobj.c
> @@ -399,23 +399,6 @@ static const struct file_operations drm_syncobj_file_fops = {
>  	.release = drm_syncobj_file_release,
>  };
>  
> -static int drm_syncobj_alloc_file(struct drm_syncobj *syncobj)
> -{
> -	struct file *file = anon_inode_getfile("syncobj_file",
> -					       &drm_syncobj_file_fops,
> -					       syncobj, 0);
> -	if (IS_ERR(file))
> -		return PTR_ERR(file);
> -
> -	drm_syncobj_get(syncobj);
> -	if (cmpxchg(&syncobj->file, NULL, file)) {
> -		/* lost the race */
> -		fput(file);
> -	}
> -
> -	return 0;
> -}
> -
>  /**
>   * drm_syncobj_get_fd - get a file descriptor from a syncobj
>   * @syncobj: Sync object to export
> @@ -427,21 +410,24 @@ static int drm_syncobj_alloc_file(struct drm_syncobj *syncobj)
>   */
>  int drm_syncobj_get_fd(struct drm_syncobj *syncobj, int *p_fd)
>  {
> -	int ret;
> +	struct file *file;
>  	int fd;
>  
>  	fd = get_unused_fd_flags(O_CLOEXEC);
>  	if (fd < 0)
>  		return fd;
>  
> -	if (!syncobj->file) {
> -		ret = drm_syncobj_alloc_file(syncobj);
> -		if (ret) {
> -			put_unused_fd(fd);
> -			return ret;
> -		}
> +	file = anon_inode_getfile("syncobj_file",
> +				  &drm_syncobj_file_fops,
> +				  syncobj, 0);
> +	if (IS_ERR(file)) {
> +		put_unused_fd(fd);
> +		return PTR_ERR(file);
>  	}
> -	fd_install(fd, syncobj->file);
> +
> +	drm_syncobj_get(syncobj);
> +	fd_install(fd, file);
> +
>  	*p_fd = fd;
>  	return 0;
>  }
> @@ -461,31 +447,24 @@ static int drm_syncobj_handle_to_fd(struct drm_file *file_private,
>  	return ret;
>  }
>  
> -static struct drm_syncobj *drm_syncobj_fdget(int fd)
> -{
> -	struct file *file = fget(fd);
> -
> -	if (!file)
> -		return NULL;
> -	if (file->f_op != &drm_syncobj_file_fops)
> -		goto err;
> -
> -	return file->private_data;
> -err:
> -	fput(file);
> -	return NULL;
> -};
> -
>  static int drm_syncobj_fd_to_handle(struct drm_file *file_private,
>  				    int fd, u32 *handle)
>  {
> -	struct drm_syncobj *syncobj = drm_syncobj_fdget(fd);
> +	struct drm_syncobj *syncobj;
> +	struct file *file;
>  	int ret;
>  
> -	if (!syncobj)
> +	file = fget(fd);
> +	if (!file)
>  		return -EINVAL;
>  
> +	if (file->f_op != &drm_syncobj_file_fops) {
> +		fput(file);
> +		return -EINVAL;
> +	}
> +
>  	/* take a reference to put in the idr */
> +	syncobj = file->private_data;
>  	drm_syncobj_get(syncobj);
>  
>  	idr_preload(GFP_KERNEL);
> @@ -494,12 +473,11 @@ static int drm_syncobj_fd_to_handle(struct drm_file *file_private,
>  	spin_unlock(&file_private->syncobj_table_lock);
>  	idr_preload_end();
>  
> -	if (ret < 0) {
> -		fput(syncobj->file);
> -		return ret;
> -	}
> -	*handle = ret;
> -	return 0;
> +	if (ret > 0)
> +		*handle = ret;
> +
> +	fput(file);
> +	return ret;
>  }
>  
>  static int drm_syncobj_import_sync_file_fence(struct drm_file *file_private,
> diff --git a/include/drm/drm_syncobj.h b/include/drm/drm_syncobj.h
> index 3980602472c0..ca5bf7d12d0b 100644
> --- a/include/drm/drm_syncobj.h
> +++ b/include/drm/drm_syncobj.h
> @@ -56,10 +56,6 @@ struct drm_syncobj {
>  	 * @lock: Protects &cb_list and write-locks &fence.
>  	 */
>  	spinlock_t lock;
> -	/**
> -	 * @file: A file backing for this syncobj.
> -	 */
> -	struct file *file;
>  };
>  
>  typedef void (*drm_syncobj_func_t)(struct drm_syncobj *syncobj,
> -- 
> 2.15.1
> 
> _______________________________________________
> Intel-gfx mailing list
> Intel-gfx at lists.freedesktop.org
> https://lists.freedesktop.org/mailman/listinfo/intel-gfx

-- 
Daniel Vetter
Software Engineer, Intel Corporation
http://blog.ffwll.ch

More information about the Intel-gfx mailing list