drm/i915: Do not hold mutex when faulting in user addresses

Linus Torvalds found that it was rather trivial to trigger a system
freeze:

In fact, with lockdep, I don't even need to do the sysrq-d thing: it
shows the bug as it happens. It's the X server taking the same lock
recursively.

Here's the problem:

=============================================
[ INFO: possible recursive locking detected ]
2.6.37-rc2-00012-gbdbd01a #7
---------------------------------------------
Xorg/2816 is trying to acquire lock:
(&dev->struct_mutex){+.+.+.}, at: [<ffffffff812c626c>] i915_gem_fault+0x50/0x17e

but task is already holding lock:
(&dev->struct_mutex){+.+.+.}, at: [<ffffffff812c403b>] i915_mutex_lock_interruptible+0x28/0x4a

other info that might help us debug this:
2 locks held by Xorg/2816:
#0: (&dev->struct_mutex){+.+.+.}, at: [<ffffffff812c403b>] i915_mutex_lock_interruptible+0x28/0x4a
#1: (&mm->mmap_sem){++++++}, at: [<ffffffff81022d4f>] page_fault+0x156/0x37b

This recursion was introduced by rearranging the locking to avoid the
double locking on the fast path (4f27b5d and fbd5a26d) and the
introduction of the prefault to encourage the fast paths (b5e4f2b). In
order to undo the problem, we rearrange the code to perform the access
validation upfront, attempt to prefault and then fight for control of the
mutex. In the best case scenario where the mutex is uncontended the
prefaulting is not wasted.

Reported-and-tested-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>

+27 -36
drivers/gpu/drm/i915/i915_gem.c
··· 547 547 struct drm_i915_gem_object *obj_priv; 548 548 int ret = 0; 549 549 550 + if (args->size == 0) 551 + return 0; 552 + 553 + if (!access_ok(VERIFY_WRITE, 554 + (char __user *)(uintptr_t)args->data_ptr, 555 + args->size)) 556 + return -EFAULT; 557 + 558 + ret = fault_in_pages_writeable((char __user *)(uintptr_t)args->data_ptr, 559 + args->size); 560 + if (ret) 561 + return -EFAULT; 562 + 550 563 ret = i915_mutex_lock_interruptible(dev); 551 564 if (ret) 552 565 return ret; ··· 574 561 /* Bounds check source. */ 575 562 if (args->offset > obj->size || args->size > obj->size - args->offset) { 576 563 ret = -EINVAL; 577 - goto out; 578 - } 579 - 580 - if (args->size == 0) 581 - goto out; 582 - 583 - if (!access_ok(VERIFY_WRITE, 584 - (char __user *)(uintptr_t)args->data_ptr, 585 - args->size)) { 586 - ret = -EFAULT; 587 - goto out; 588 - } 589 - 590 - ret = fault_in_pages_writeable((char __user *)(uintptr_t)args->data_ptr, 591 - args->size); 592 - if (ret) { 593 - ret = -EFAULT; 594 564 goto out; 595 565 } 596 566 ··· 977 981 struct drm_i915_gem_pwrite *args = data; 978 982 struct drm_gem_object *obj; 979 983 struct drm_i915_gem_object *obj_priv; 980 - int ret = 0; 984 + int ret; 985 + 986 + if (args->size == 0) 987 + return 0; 988 + 989 + if (!access_ok(VERIFY_READ, 990 + (char __user *)(uintptr_t)args->data_ptr, 991 + args->size)) 992 + return -EFAULT; 993 + 994 + ret = fault_in_pages_readable((char __user *)(uintptr_t)args->data_ptr, 995 + args->size); 996 + if (ret) 997 + return -EFAULT; 981 998 982 999 ret = i915_mutex_lock_interruptible(dev); 983 1000 if (ret) ··· 1003 994 } 1004 995 obj_priv = to_intel_bo(obj); 1005 996 1006 - 1007 997 /* Bounds check destination. 
*/ 1008 998 if (args->offset > obj->size || args->size > obj->size - args->offset) { 1009 999 ret = -EINVAL; 1010 - goto out; 1011 - } 1012 - 1013 - if (args->size == 0) 1014 - goto out; 1015 - 1016 - if (!access_ok(VERIFY_READ, 1017 - (char __user *)(uintptr_t)args->data_ptr, 1018 - args->size)) { 1019 - ret = -EFAULT; 1020 - goto out; 1021 - } 1022 - 1023 - ret = fault_in_pages_readable((char __user *)(uintptr_t)args->data_ptr, 1024 - args->size); 1025 - if (ret) { 1026 - ret = -EFAULT; 1027 1000 goto out; 1028 1001 } 1029 1002
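Review bot: in the first pread hunk (new lines 550-561), hoisting the size == 0 return and the access_ok()/fault_in_pages_writeable() checks above i915_mutex_lock_interruptible() also moves them ahead of the handle lookup and the bounds check, so a zero-length pread with a bogus handle or an out-of-range offset now returns 0 where the old order returned -ENOENT or -EINVAL, and a bad data_ptr now yields -EFAULT before the handle is validated. Probably acceptable, but it is a visible ioctl behaviour change and the commit message should say so. Separately, the prefault is only a hint: the pages can be reclaimed or unmapped between fault_in_pages_writeable() and the copy that runs under struct_mutex, so the recursion reported by lockdep is only gone if that copy is done with a non-faulting variant and a slow path that drops the mutex; nothing in this hunk shows that, so please confirm it holds in the copy helpers.

Review bot: in the second pread hunk (old lines 574-595), removing the size/access checks leaves the bounds check as the only validation after the object lookup, which is the right shape; one consequence worth noting is that an out-of-range offset/size request now pays for the user-page walk in fault_in_pages_writeable() before being rejected with -EINVAL, since args->size is user-controlled and only access_ok() bounds it at that point.

Review bot: in the first pwrite hunk (new lines 977-998), dropping the `= 0` initialiser on `ret` is correct now that every path assigns it before use, and the VERIFY_READ/fault_in_pages_readable() pair mirrors pread, including the same reordering of -EFAULT and the size == 0 return ahead of the handle lookup and bounds check. One question for the author: does fault_in_pages_readable() touch every page of a multi-page range, or only its first and last page? If only the ends, the copy_from_user under the mutex can still fault for larger transfers, so the atomic-copy fallback remains load-bearing and this change alone is not what prevents the recursive struct_mutex acquisition.

Review bot: in the second pwrite hunk (old lines 1003-1029), the deletion of the blank line at old line 1006 ahead of the "Bounds check destination" comment is an unrelated whitespace change; fine to keep, but otherwise this hunk is the mirror of the pread cleanup and leaves `ret = -EINVAL; goto out;` on the bounds check as the only post-lookup validation.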