[Intel-gfx] [PATCH] dma-buf: Give dma-fence-array distinct lockclasses

Koenig, Christian Christian.Koenig at amd.com
Sat Aug 24 19:04:43 UTC 2019


Am 24.08.19 um 15:58 schrieb Chris Wilson:
> In order to allow dma-fence-array as a generic container for fences, we
> need to allow for it to contain other dma-fence-arrays. By giving each
> dma-fence-array construction their own lockclass, we allow different
> types of dma-fence-array to nest, but still do not allow on class of
> dma-fence-array to contain itself (even though they have distinct
> locks).
>
> In practice, this means that each subsystem gets its own dma-fence-array
> class and we can freely use dma-fence-arrays as containers within the
> dmabuf core without angering lockdep.

I've considered this for as well. E.g. to use the dma_fence_array 
implementation instead of coming up with the dma_fence_chain container.

But as it turned out when userspace can control nesting, it is trivial 
to chain enough dma_fence_arrays together to cause an in kernel stack 
overflow. Which in turn creates a really nice attack vector.

So as long as userspace has control over dma_fence_array nesting this is 
a clear NAK and actually extremely dangerous.

It actually took me quite a while to get the dma_fence_chain container 
recursion less to avoid stuff like this.

Regards,
Christian.

>
> Signed-off-by: Chris Wilson <chris at chris-wilson.co.uk>
> Cc: Christian König <christian.koenig at amd.com>
> Cc: Daniel Vetter <daniel at ffwll.ch>
> ---
>   drivers/dma-buf/dma-fence-array.c | 13 ++++++++-----
>   include/linux/dma-fence-array.h   | 16 ++++++++++++----
>   2 files changed, 20 insertions(+), 9 deletions(-)
>
> diff --git a/drivers/dma-buf/dma-fence-array.c b/drivers/dma-buf/dma-fence-array.c
> index d3fbd950be94..d9bcdbb66d46 100644
> --- a/drivers/dma-buf/dma-fence-array.c
> +++ b/drivers/dma-buf/dma-fence-array.c
> @@ -147,10 +147,11 @@ EXPORT_SYMBOL(dma_fence_array_ops);
>    * If @signal_on_any is true the fence array signals if any fence in the array
>    * signals, otherwise it signals when all fences in the array signal.
>    */
> -struct dma_fence_array *dma_fence_array_create(int num_fences,
> -					       struct dma_fence **fences,
> -					       u64 context, unsigned seqno,
> -					       bool signal_on_any)
> +struct dma_fence_array *__dma_fence_array_create(int num_fences,
> +						 struct dma_fence **fences,
> +						 u64 context, unsigned seqno,
> +						 bool signal_on_any,
> +						 struct lock_class_key *key)
>   {
>   	struct dma_fence_array *array;
>   	size_t size = sizeof(*array);
> @@ -162,6 +163,8 @@ struct dma_fence_array *dma_fence_array_create(int num_fences,
>   		return NULL;
>   
>   	spin_lock_init(&array->lock);
> +	lockdep_set_class(&array->lock, key);
> +
>   	dma_fence_init(&array->base, &dma_fence_array_ops, &array->lock,
>   		       context, seqno);
>   	init_irq_work(&array->work, irq_dma_fence_array_work);
> @@ -174,7 +177,7 @@ struct dma_fence_array *dma_fence_array_create(int num_fences,
>   
>   	return array;
>   }
> -EXPORT_SYMBOL(dma_fence_array_create);
> +EXPORT_SYMBOL(__dma_fence_array_create);
>   
>   /**
>    * dma_fence_match_context - Check if all fences are from the given context
> diff --git a/include/linux/dma-fence-array.h b/include/linux/dma-fence-array.h
> index 303dd712220f..1395f9428cdb 100644
> --- a/include/linux/dma-fence-array.h
> +++ b/include/linux/dma-fence-array.h
> @@ -74,10 +74,18 @@ to_dma_fence_array(struct dma_fence *fence)
>   	return container_of(fence, struct dma_fence_array, base);
>   }
>   
> -struct dma_fence_array *dma_fence_array_create(int num_fences,
> -					       struct dma_fence **fences,
> -					       u64 context, unsigned seqno,
> -					       bool signal_on_any);
> +#define dma_fence_array_create(num, fences, context, seqno, any) ({ \
> +	static struct lock_class_key __key;			\
> +								\
> +	__dma_fence_array_create((num), (fences), (context), (seqno), (any), \
> +		        	 &__key);			\
> +})
> +
> +struct dma_fence_array *__dma_fence_array_create(int num_fences,
> +						 struct dma_fence **fences,
> +						 u64 context, unsigned seqno,
> +						 bool signal_on_any,
> +						 struct lock_class_key *key);
>   
>   bool dma_fence_match_context(struct dma_fence *fence, u64 context);
>   



More information about the Intel-gfx mailing list