subject:"\[PATCH\] dma\-buf\: Give dma\-fence\-array distinct lockclasses"

Re: [PATCH] dma-buf: Give dma-fence-array distinct lockclasses

2019-08-25 Thread Koenig, Christian

Am 24.08.19 um 21:12 schrieb Chris Wilson:
> Quoting Koenig, Christian (2019-08-24 20:04:43)
>> Am 24.08.19 um 15:58 schrieb Chris Wilson:
>>> In order to allow dma-fence-array as a generic container for fences, we
>>> need to allow for it to contain other dma-fence-arrays. By giving each
>>> dma-fence-array construction their own lockclass, we allow different
>>> types of dma-fence-array to nest, but still do not allow on class of
>>> dma-fence-array to contain itself (even though they have distinct
>>> locks).
>>>
>>> In practice, this means that each subsystem gets its own dma-fence-array
>>> class and we can freely use dma-fence-arrays as containers within the
>>> dmabuf core without angering lockdep.
>> I've considered this for as well. E.g. to use the dma_fence_array
>> implementation instead of coming up with the dma_fence_chain container.
>>
>> But as it turned out when userspace can control nesting, it is trivial
>> to chain enough dma_fence_arrays together to cause an in kernel stack
>> overflow. Which in turn creates a really nice attack vector.
>>
>> So as long as userspace has control over dma_fence_array nesting this is
>> a clear NAK and actually extremely dangerous.
> You are proposing to use recursive dma_fence_array containers for
> dma_resv...

Hui? Where? I've tried rather hard to avoid that.

That was certainly not intentional,
Christian.

>
>> It actually took me quite a while to get the dma_fence_chain container
>> recursion less to avoid stuff like this.
> Sure, we've been avoiding recursion for years.
> -Chris

___
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel

Re: [PATCH] dma-buf: Give dma-fence-array distinct lockclasses

2019-08-24 Thread kbuild test robot

Hi Chris,

Thank you for the patch! Perhaps something to improve:

[auto build test WARNING on linus/master]
[cannot apply to v5.3-rc5 next-20190823]
[if your patch is applied to the wrong git tree, please drop us a note to help 
improve the system]

url:
https://github.com/0day-ci/linux/commits/Chris-Wilson/dma-buf-Give-dma-fence-array-distinct-lockclasses/20190825-045722
reproduce: make htmldocs

If you fix the issue, kindly add following tag
Reported-by: kbuild test robot 

All warnings (new ones prefixed by >>):

   Warning: The Sphinx 'sphinx_rtd_theme' HTML theme was not found. Make sure 
you have the theme installed to produce pretty HTML output. Falling back to the 
default theme.
   WARNING: dot(1) not found, for better output quality install graphviz from 
http://www.graphviz.org
   WARNING: convert(1) not found, for SVG to PDF conversion install ImageMagick 
(https://www.imagemagick.org)
   include/linux/w1.h:272: warning: Function parameter or member 
'of_match_table' not described in 'w1_family'
   include/linux/lsm_hooks.h:1811: warning: Function parameter or member 
'quotactl' not described in 'security_list_options'
   include/linux/lsm_hooks.h:1811: warning: Function parameter or member 
'quota_on' not described in 'security_list_options'
   include/linux/lsm_hooks.h:1811: warning: Function parameter or member 
'sb_free_mnt_opts' not described in 'security_list_options'
   include/linux/lsm_hooks.h:1811: warning: Function parameter or member 
'sb_eat_lsm_opts' not described in 'security_list_options'
   include/linux/lsm_hooks.h:1811: warning: Function parameter or member 
'sb_kern_mount' not described in 'security_list_options'
   include/linux/lsm_hooks.h:1811: warning: Function parameter or member 
'sb_show_options' not described in 'security_list_options'
   include/linux/lsm_hooks.h:1811: warning: Function parameter or member 
'sb_add_mnt_opt' not described in 'security_list_options'
   include/linux/lsm_hooks.h:1811: warning: Function parameter or member 
'd_instantiate' not described in 'security_list_options'
   include/linux/lsm_hooks.h:1811: warning: Function parameter or member 
'getprocattr' not described in 'security_list_options'
   include/linux/lsm_hooks.h:1811: warning: Function parameter or member 
'setprocattr' not described in 'security_list_options'
   lib/genalloc.c:1: warning: 'gen_pool_add_virt' not found
   lib/genalloc.c:1: warning: 'gen_pool_alloc' not found
   lib/genalloc.c:1: warning: 'gen_pool_free' not found
   lib/genalloc.c:1: warning: 'gen_pool_alloc_algo' not found
   include/linux/i2c.h:337: warning: Function parameter or member 'init_irq' 
not described in 'i2c_client'
   include/linux/spi/spi.h:190: warning: Function parameter or member 
'driver_override' not described in 'spi_device'
   drivers/usb/typec/bus.c:1: warning: 'typec_altmode_unregister_driver' not 
found
   drivers/usb/typec/bus.c:1: warning: 'typec_altmode_register_driver' not found
   drivers/usb/typec/class.c:1: warning: 'typec_altmode_register_notifier' not 
found
   drivers/usb/typec/class.c:1: warning: 'typec_altmode_unregister_notifier' 
not found
   fs/direct-io.c:258: warning: Excess function parameter 'offset' description 
in 'dio_complete'
   fs/libfs.c:496: warning: Excess function parameter 'available' description 
in 'simple_write_end'
   fs/posix_acl.c:647: warning: Function parameter or member 'inode' not 
described in 'posix_acl_update_mode'
   fs/posix_acl.c:647: warning: Function parameter or member 'mode_p' not 
described in 'posix_acl_update_mode'
   fs/posix_acl.c:647: warning: Function parameter or member 'acl' not 
described in 'posix_acl_update_mode'
   include/linux/regulator/machine.h:196: warning: Function parameter or member 
'max_uV_step' not described in 'regulation_constraints'
   include/linux/regulator/driver.h:223: warning: Function parameter or member 
'resume' not described in 'regulator_ops'
   include/linux/input/sparse-keymap.h:43: warning: Function parameter or 
member 'sw' not described in 'key_entry'
   include/linux/skbuff.h:893: warning: Function parameter or member 
'dev_scratch' not described in 'sk_buff'
   include/linux/skbuff.h:893: warning: Function parameter or member 'list' not 
described in 'sk_buff'
   include/linux/skbuff.h:893: warning: Function parameter or member 
'ip_defrag_offset' not described in 'sk_buff'
   include/linux/skbuff.h:893: warning: Function parameter or member 
'skb_mstamp_ns' not described in 'sk_buff'
   include/linux/skbuff.h:893: warning: Function parameter or member 
'__cloned_offset' not described in 'sk_buff'
   include/linux/skbuff.h:893: warning: Function parameter or member 
'head_frag' not described in 'sk_buff'
   include/linux/skbuff.h:893: warning: Function parameter or member 
'__pkt_type_offset' not described in 'sk_buff'
   include/linux/skbuff.h:893: warning: Function parameter or member 
'encapsulation' not described in 'sk_buff'
   include/linux/skbuff.h:893: warning: Function parameter or

Re: [PATCH] dma-buf: Give dma-fence-array distinct lockclasses

2019-08-24 Thread Chris Wilson

Quoting Koenig, Christian (2019-08-24 20:04:43)
> Am 24.08.19 um 15:58 schrieb Chris Wilson:
> > In order to allow dma-fence-array as a generic container for fences, we
> > need to allow for it to contain other dma-fence-arrays. By giving each
> > dma-fence-array construction their own lockclass, we allow different
> > types of dma-fence-array to nest, but still do not allow on class of
> > dma-fence-array to contain itself (even though they have distinct
> > locks).
> >
> > In practice, this means that each subsystem gets its own dma-fence-array
> > class and we can freely use dma-fence-arrays as containers within the
> > dmabuf core without angering lockdep.
> 
> I've considered this for as well. E.g. to use the dma_fence_array 
> implementation instead of coming up with the dma_fence_chain container.
> 
> But as it turned out when userspace can control nesting, it is trivial 
> to chain enough dma_fence_arrays together to cause an in kernel stack 
> overflow. Which in turn creates a really nice attack vector.
> 
> So as long as userspace has control over dma_fence_array nesting this is 
> a clear NAK and actually extremely dangerous.

You are proposing to use recursive dma_fence_array containers for
dma_resv...

> It actually took me quite a while to get the dma_fence_chain container 
> recursion less to avoid stuff like this.

Sure, we've been avoiding recursion for years.
-Chris
___
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel

Re: [PATCH] dma-buf: Give dma-fence-array distinct lockclasses

2019-08-24 Thread Koenig, Christian

Am 24.08.19 um 15:58 schrieb Chris Wilson:
> In order to allow dma-fence-array as a generic container for fences, we
> need to allow for it to contain other dma-fence-arrays. By giving each
> dma-fence-array construction their own lockclass, we allow different
> types of dma-fence-array to nest, but still do not allow on class of
> dma-fence-array to contain itself (even though they have distinct
> locks).
>
> In practice, this means that each subsystem gets its own dma-fence-array
> class and we can freely use dma-fence-arrays as containers within the
> dmabuf core without angering lockdep.

I've considered this for as well. E.g. to use the dma_fence_array 
implementation instead of coming up with the dma_fence_chain container.

But as it turned out when userspace can control nesting, it is trivial 
to chain enough dma_fence_arrays together to cause an in kernel stack 
overflow. Which in turn creates a really nice attack vector.

So as long as userspace has control over dma_fence_array nesting this is 
a clear NAK and actually extremely dangerous.

It actually took me quite a while to get the dma_fence_chain container 
recursion less to avoid stuff like this.

Regards,
Christian.

>
> Signed-off-by: Chris Wilson 
> Cc: Christian König 
> Cc: Daniel Vetter 
> ---
>   drivers/dma-buf/dma-fence-array.c | 13 -
>   include/linux/dma-fence-array.h   | 16 
>   2 files changed, 20 insertions(+), 9 deletions(-)
>
> diff --git a/drivers/dma-buf/dma-fence-array.c 
> b/drivers/dma-buf/dma-fence-array.c
> index d3fbd950be94..d9bcdbb66d46 100644
> --- a/drivers/dma-buf/dma-fence-array.c
> +++ b/drivers/dma-buf/dma-fence-array.c
> @@ -147,10 +147,11 @@ EXPORT_SYMBOL(dma_fence_array_ops);
>* If @signal_on_any is true the fence array signals if any fence in the 
> array
>* signals, otherwise it signals when all fences in the array signal.
>*/
> -struct dma_fence_array *dma_fence_array_create(int num_fences,
> -struct dma_fence **fences,
> -u64 context, unsigned seqno,
> -bool signal_on_any)
> +struct dma_fence_array *__dma_fence_array_create(int num_fences,
> +  struct dma_fence **fences,
> +  u64 context, unsigned seqno,
> +  bool signal_on_any,
> +  struct lock_class_key *key)
>   {
>   struct dma_fence_array *array;
>   size_t size = sizeof(*array);
> @@ -162,6 +163,8 @@ struct dma_fence_array *dma_fence_array_create(int 
> num_fences,
>   return NULL;
>   
>   spin_lock_init(>lock);
> + lockdep_set_class(>lock, key);
> +
>   dma_fence_init(>base, _fence_array_ops, >lock,
>  context, seqno);
>   init_irq_work(>work, irq_dma_fence_array_work);
> @@ -174,7 +177,7 @@ struct dma_fence_array *dma_fence_array_create(int 
> num_fences,
>   
>   return array;
>   }
> -EXPORT_SYMBOL(dma_fence_array_create);
> +EXPORT_SYMBOL(__dma_fence_array_create);
>   
>   /**
>* dma_fence_match_context - Check if all fences are from the given context
> diff --git a/include/linux/dma-fence-array.h b/include/linux/dma-fence-array.h
> index 303dd712220f..1395f9428cdb 100644
> --- a/include/linux/dma-fence-array.h
> +++ b/include/linux/dma-fence-array.h
> @@ -74,10 +74,18 @@ to_dma_fence_array(struct dma_fence *fence)
>   return container_of(fence, struct dma_fence_array, base);
>   }
>   
> -struct dma_fence_array *dma_fence_array_create(int num_fences,
> -struct dma_fence **fences,
> -u64 context, unsigned seqno,
> -bool signal_on_any);
> +#define dma_fence_array_create(num, fences, context, seqno, any) ({ \
> + static struct lock_class_key __key; \
> + \
> + __dma_fence_array_create((num), (fences), (context), (seqno), (any), \
> +  &__key);   \
> +})
> +
> +struct dma_fence_array *__dma_fence_array_create(int num_fences,
> +  struct dma_fence **fences,
> +  u64 context, unsigned seqno,
> +  bool signal_on_any,
> +  struct lock_class_key *key);
>   
>   bool dma_fence_match_context(struct dma_fence *fence, u64 context);
>   

___
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel

[PATCH] dma-buf: Give dma-fence-array distinct lockclasses

2019-08-24 Thread Chris Wilson

In order to allow dma-fence-array as a generic container for fences, we
need to allow for it to contain other dma-fence-arrays. By giving each
dma-fence-array construction their own lockclass, we allow different
types of dma-fence-array to nest, but still do not allow on class of
dma-fence-array to contain itself (even though they have distinct
locks).

In practice, this means that each subsystem gets its own dma-fence-array
class and we can freely use dma-fence-arrays as containers within the
dmabuf core without angering lockdep.

Signed-off-by: Chris Wilson 
Cc: Christian König 
Cc: Daniel Vetter 
---
 drivers/dma-buf/dma-fence-array.c | 13 -
 include/linux/dma-fence-array.h   | 16 
 2 files changed, 20 insertions(+), 9 deletions(-)

diff --git a/drivers/dma-buf/dma-fence-array.c 
b/drivers/dma-buf/dma-fence-array.c
index d3fbd950be94..d9bcdbb66d46 100644
--- a/drivers/dma-buf/dma-fence-array.c
+++ b/drivers/dma-buf/dma-fence-array.c
@@ -147,10 +147,11 @@ EXPORT_SYMBOL(dma_fence_array_ops);
  * If @signal_on_any is true the fence array signals if any fence in the array
  * signals, otherwise it signals when all fences in the array signal.
  */
-struct dma_fence_array *dma_fence_array_create(int num_fences,
-  struct dma_fence **fences,
-  u64 context, unsigned seqno,
-  bool signal_on_any)
+struct dma_fence_array *__dma_fence_array_create(int num_fences,
+struct dma_fence **fences,
+u64 context, unsigned seqno,
+bool signal_on_any,
+struct lock_class_key *key)
 {
struct dma_fence_array *array;
size_t size = sizeof(*array);
@@ -162,6 +163,8 @@ struct dma_fence_array *dma_fence_array_create(int 
num_fences,
return NULL;
 
spin_lock_init(>lock);
+   lockdep_set_class(>lock, key);
+
dma_fence_init(>base, _fence_array_ops, >lock,
   context, seqno);
init_irq_work(>work, irq_dma_fence_array_work);
@@ -174,7 +177,7 @@ struct dma_fence_array *dma_fence_array_create(int 
num_fences,
 
return array;
 }
-EXPORT_SYMBOL(dma_fence_array_create);
+EXPORT_SYMBOL(__dma_fence_array_create);
 
 /**
  * dma_fence_match_context - Check if all fences are from the given context
diff --git a/include/linux/dma-fence-array.h b/include/linux/dma-fence-array.h
index 303dd712220f..1395f9428cdb 100644
--- a/include/linux/dma-fence-array.h
+++ b/include/linux/dma-fence-array.h
@@ -74,10 +74,18 @@ to_dma_fence_array(struct dma_fence *fence)
return container_of(fence, struct dma_fence_array, base);
 }
 
-struct dma_fence_array *dma_fence_array_create(int num_fences,
-  struct dma_fence **fences,
-  u64 context, unsigned seqno,
-  bool signal_on_any);
+#define dma_fence_array_create(num, fences, context, seqno, any) ({ \
+   static struct lock_class_key __key; \
+   \
+   __dma_fence_array_create((num), (fences), (context), (seqno), (any), \
+&__key);   \
+})
+
+struct dma_fence_array *__dma_fence_array_create(int num_fences,
+struct dma_fence **fences,
+u64 context, unsigned seqno,
+bool signal_on_any,
+struct lock_class_key *key);
 
 bool dma_fence_match_context(struct dma_fence *fence, u64 context);
 
-- 
2.23.0

___
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel

Re: [PATCH] dma-buf: Give dma-fence-array distinct lockclasses

Re: [PATCH] dma-buf: Give dma-fence-array distinct lockclasses

Re: [PATCH] dma-buf: Give dma-fence-array distinct lockclasses

Re: [PATCH] dma-buf: Give dma-fence-array distinct lockclasses

[PATCH] dma-buf: Give dma-fence-array distinct lockclasses

5 matches

Site Navigation

Mail list logo

Footer information