1. 26 Jul, 2021 1 commit
  2. 25 Jul, 2021 9 commits
  3. 23 Jul, 2021 11 commits
  4. 22 Jul, 2021 1 commit
  5. 21 Jul, 2021 11 commits
  6. 20 Jul, 2021 7 commits
    • Juan A. Suarez Romero's avatar
      drm/v3d: Expose performance counters to userspace · 26a4dc29
      Juan A. Suarez Romero authored
      The V3D engine has several hardware performance counters that can of
      interest for userspace performance analysis tools.
      
      This exposes new ioctls to create and destroy performance monitor
      objects, as well as to query the counter values.
      
      Each created performance monitor object has an ID that can be attached
      to CL/CSD submissions, so the driver enables the requested counters when
      the job is submitted, and updates the performance monitor values when
      the job is done.
      
      It is up to the user to ensure all the jobs have been finished before
      getting the performance monitor values. It is also up to the user to
      properly synchronize BCL jobs when submitting jobs with different
      performance monitors attached.
      
      Cc: Daniel Vetter <daniel@ffwll.ch>
      Cc: David Airlie <airlied@linux.ie>
      Cc: Emma Anholt <emma@anholt.net>
      To: dri-devel@lists.freedesktop.org
      Signed-off-by: default avatarJuan A. Suarez Romero <jasuarez@igalia.com>
      Acked-by: default avatarMelissa Wen <mwen@igalia.com>
      Signed-off-by: default avatarMelissa Wen <melissa.srw@gmail.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/20210608111541.461991-1-jasuarez@igalia.com
      26a4dc29
    • Desmond Cheong Zhi Xi's avatar
      drm: protect drm_master pointers in drm_lease.c · 56f0729a
      Desmond Cheong Zhi Xi authored
      drm_file->master pointers should be protected by
      drm_device.master_mutex or drm_file.master_lookup_lock when being
      dereferenced.
      
      However, in drm_lease.c, there are multiple instances where
      drm_file->master is accessed and dereferenced while neither lock is
      held. This makes drm_lease.c vulnerable to use-after-free bugs.
      
      We address this issue in 2 ways:
      
      1. Add a new drm_file_get_master() function that calls drm_master_get
      on drm_file->master while holding on to
      drm_file.master_lookup_lock. Since drm_master_get increments the
      reference count of master, this prevents master from being freed until
      we unreference it with drm_master_put.
      
      2. In each case where drm_file->master is directly accessed and
      eventually dereferenced in drm_lease.c, we wrap the access in a call
      to the new drm_file_get_master function, then unreference the master
      pointer once we are done using it.
      Reported-by: default avatarDaniel Vetter <daniel.vetter@ffwll.ch>
      Signed-off-by: default avatarDesmond Cheong Zhi Xi <desmondcheongzx@gmail.com>
      Reviewed-by: default avatarEmil Velikov <emil.l.velikov@gmail.com>
      Signed-off-by: default avatarDaniel Vetter <daniel.vetter@ffwll.ch>
      Link: https://patchwork.freedesktop.org/patch/msgid/20210712043508.11584-6-desmondcheongzx@gmail.com
      56f0729a
    • Desmond Cheong Zhi Xi's avatar
      drm: serialize drm_file.master with a new spinlock · 0b0860a3
      Desmond Cheong Zhi Xi authored
      Currently, drm_file.master pointers should be protected by
      drm_device.master_mutex when being dereferenced. This is because
      drm_file.master is not invariant for the lifetime of drm_file. If
      drm_file is not the creator of master, then drm_file.is_master is
      false, and a call to drm_setmaster_ioctl will invoke
      drm_new_set_master, which then allocates a new master for drm_file and
      puts the old master.
      
      Thus, without holding drm_device.master_mutex, the old value of
      drm_file.master could be freed while it is being used by another
      concurrent process.
      
      However, it is not always possible to lock drm_device.master_mutex to
      dereference drm_file.master. Through the fbdev emulation code, this
      might occur in a deep nest of other locks. But drm_device.master_mutex
      is also the outermost lock in the nesting hierarchy, so this leads to
      potential deadlocks.
      
      To address this, we introduce a new spin lock at the bottom of the
      lock hierarchy that only serializes drm_file.master. With this change,
      the value of drm_file.master changes only when both
      drm_device.master_mutex and drm_file.master_lookup_lock are
      held. Hence, any process holding either of those locks can ensure that
      the value of drm_file.master will not change concurrently.
      
      Since no lock depends on the new drm_file.master_lookup_lock, when
      drm_file.master is dereferenced, but drm_device.master_mutex cannot be
      held, we can safely protect the master pointer with
      drm_file.master_lookup_lock.
      Reported-by: default avatarDaniel Vetter <daniel.vetter@ffwll.ch>
      Signed-off-by: default avatarDesmond Cheong Zhi Xi <desmondcheongzx@gmail.com>
      Signed-off-by: default avatarDaniel Vetter <daniel.vetter@ffwll.ch>
      Link: https://patchwork.freedesktop.org/patch/msgid/20210712043508.11584-5-desmondcheongzx@gmail.com
      0b0860a3
    • Desmond Cheong Zhi Xi's avatar
      drm: add a locked version of drm_is_current_master · 1f7ef07c
      Desmond Cheong Zhi Xi authored
      While checking the master status of the DRM file in
      drm_is_current_master(), the device's master mutex should be
      held. Without the mutex, the pointer fpriv->master may be freed
      concurrently by another process calling drm_setmaster_ioctl(). This
      could lead to use-after-free errors when the pointer is subsequently
      dereferenced in drm_lease_owner().
      
      The callers of drm_is_current_master() from drm_auth.c hold the
      device's master mutex, but external callers do not. Hence, we implement
      drm_is_current_master_locked() to be used within drm_auth.c, and
      modify drm_is_current_master() to grab the device's master mutex
      before checking the master status.
      Reported-by: default avatarDaniel Vetter <daniel.vetter@ffwll.ch>
      Signed-off-by: default avatarDesmond Cheong Zhi Xi <desmondcheongzx@gmail.com>
      Reviewed-by: default avatarEmil Velikov <emil.l.velikov@gmail.com>
      Signed-off-by: default avatarDaniel Vetter <daniel.vetter@ffwll.ch>
      Link: https://patchwork.freedesktop.org/patch/msgid/20210712043508.11584-4-desmondcheongzx@gmail.com
      1f7ef07c
    • Desmond Cheong Zhi Xi's avatar
      drm: avoid blocking in drm_clients_info's rcu section · 5eff9585
      Desmond Cheong Zhi Xi authored
      Inside drm_clients_info, the rcu_read_lock is held to lock
      pid_task()->comm. However, within this protected section, a call to
      drm_is_current_master is made, which involves a mutex lock in a future
      patch. However, this is illegal because the mutex lock might block
      while in the RCU read-side critical section.
      
      Since drm_is_current_master isn't protected by rcu_read_lock, we avoid
      this by moving it out of the RCU critical section.
      
      The following report came from intel-gfx ci's
      igt@debugfs_test@read_all_entries testcase:
      
      =============================
      [ BUG: Invalid wait context ]
      5.13.0-CI-Patchwork_20515+ #1 Tainted: G        W
      -----------------------------
      debugfs_test/1101 is trying to lock:
      ffff888132d901a8 (&dev->master_mutex){+.+.}-{3:3}, at:
      drm_is_current_master+0x1e/0x50
      other info that might help us debug this:
      context-{4:4}
      3 locks held by debugfs_test/1101:
       #0: ffff88810fdffc90 (&p->lock){+.+.}-{3:3}, at:
       seq_read_iter+0x53/0x3b0
       #1: ffff888132d90240 (&dev->filelist_mutex){+.+.}-{3:3}, at:
       drm_clients_info+0x63/0x2a0
       #2: ffffffff82734220 (rcu_read_lock){....}-{1:2}, at:
       drm_clients_info+0x1b1/0x2a0
      stack backtrace:
      CPU: 8 PID: 1101 Comm: debugfs_test Tainted: G        W
      5.13.0-CI-Patchwork_20515+ #1
      Hardware name: Intel Corporation CometLake Client Platform/CometLake S
      UDIMM (ERB/CRB), BIOS CMLSFWR1.R00.1263.D00.1906260926 06/26/2019
      Call Trace:
       dump_stack+0x7f/0xad
       __lock_acquire.cold.78+0x2af/0x2ca
       lock_acquire+0xd3/0x300
       ? drm_is_current_master+0x1e/0x50
       ? __mutex_lock+0x76/0x970
       ? lockdep_hardirqs_on+0xbf/0x130
       __mutex_lock+0xab/0x970
       ? drm_is_current_master+0x1e/0x50
       ? drm_is_current_master+0x1e/0x50
       ? drm_is_current_master+0x1e/0x50
       drm_is_current_master+0x1e/0x50
       drm_clients_info+0x107/0x2a0
       seq_read_iter+0x178/0x3b0
       seq_read+0x104/0x150
       full_proxy_read+0x4e/0x80
       vfs_read+0xa5/0x1b0
       ksys_read+0x5a/0xd0
       do_syscall_64+0x39/0xb0
       entry_SYSCALL_64_after_hwframe+0x44/0xae
      Signed-off-by: default avatarDesmond Cheong Zhi Xi <desmondcheongzx@gmail.com>
      Signed-off-by: default avatarDaniel Vetter <daniel.vetter@ffwll.ch>
      Link: https://patchwork.freedesktop.org/patch/msgid/20210712043508.11584-3-desmondcheongzx@gmail.com
      5eff9585
    • Desmond Cheong Zhi Xi's avatar
      drm: avoid circular locks in drm_mode_getconnector · 869e76f7
      Desmond Cheong Zhi Xi authored
      In preparation for a future patch to take a lock on
      drm_device.master_mutex inside drm_is_current_master(), we first move
      the call to drm_is_current_master() in drm_mode_getconnector out from the
      section locked by &dev->mode_config.mutex. This avoids creating a
      circular lock dependency.
      
      Failing to avoid this lock dependency produces the following lockdep
      splat:
      
      ======================================================
      WARNING: possible circular locking dependency detected
      5.13.0-rc7-CI-CI_DRM_10254+ #1 Not tainted
      ------------------------------------------------------
      kms_frontbuffer/1087 is trying to acquire lock:
      ffff88810dcd01a8 (&dev->master_mutex){+.+.}-{3:3}, at: drm_is_current_master+0x1b/0x40
      but task is already holding lock:
      ffff88810dcd0488 (&dev->mode_config.mutex){+.+.}-{3:3}, at: drm_mode_getconnector+0x1c6/0x4a0
      which lock already depends on the new lock.
      the existing dependency chain (in reverse order) is:
      -> #2 (&dev->mode_config.mutex){+.+.}-{3:3}:
             __mutex_lock+0xab/0x970
             drm_client_modeset_probe+0x22e/0xca0
             __drm_fb_helper_initial_config_and_unlock+0x42/0x540
             intel_fbdev_initial_config+0xf/0x20 [i915]
             async_run_entry_fn+0x28/0x130
             process_one_work+0x26d/0x5c0
             worker_thread+0x37/0x380
             kthread+0x144/0x170
             ret_from_fork+0x1f/0x30
      -> #1 (&client->modeset_mutex){+.+.}-{3:3}:
             __mutex_lock+0xab/0x970
             drm_client_modeset_commit_locked+0x1c/0x180
             drm_client_modeset_commit+0x1c/0x40
             __drm_fb_helper_restore_fbdev_mode_unlocked+0x88/0xb0
             drm_fb_helper_set_par+0x34/0x40
             intel_fbdev_set_par+0x11/0x40 [i915]
             fbcon_init+0x270/0x4f0
             visual_init+0xc6/0x130
             do_bind_con_driver+0x1e5/0x2d0
             do_take_over_console+0x10e/0x180
             do_fbcon_takeover+0x53/0xb0
             register_framebuffer+0x22d/0x310
             __drm_fb_helper_initial_config_and_unlock+0x36c/0x540
             intel_fbdev_initial_config+0xf/0x20 [i915]
             async_run_entry_fn+0x28/0x130
             process_one_work+0x26d/0x5c0
             worker_thread+0x37/0x380
             kthread+0x144/0x170
             ret_from_fork+0x1f/0x30
      -> #0 (&dev->master_mutex){+.+.}-{3:3}:
             __lock_acquire+0x151e/0x2590
             lock_acquire+0xd1/0x3d0
             __mutex_lock+0xab/0x970
             drm_is_current_master+0x1b/0x40
             drm_mode_getconnector+0x37e/0x4a0
             drm_ioctl_kernel+0xa8/0xf0
             drm_ioctl+0x1e8/0x390
             __x64_sys_ioctl+0x6a/0xa0
             do_syscall_64+0x39/0xb0
             entry_SYSCALL_64_after_hwframe+0x44/0xae
      other info that might help us debug this:
      Chain exists of: &dev->master_mutex --> &client->modeset_mutex --> &dev->mode_config.mutex
       Possible unsafe locking scenario:
             CPU0                    CPU1
             ----                    ----
        lock(&dev->mode_config.mutex);
                                     lock(&client->modeset_mutex);
                                     lock(&dev->mode_config.mutex);
        lock(&dev->master_mutex);
      *** DEADLOCK ***
      1 lock held by kms_frontbuffer/1087:
       #0: ffff88810dcd0488 (&dev->mode_config.mutex){+.+.}-{3:3}, at: drm_mode_getconnector+0x1c6/0x4a0
      stack backtrace:
      CPU: 7 PID: 1087 Comm: kms_frontbuffer Not tainted 5.13.0-rc7-CI-CI_DRM_10254+ #1
      Hardware name: Intel Corporation Ice Lake Client Platform/IceLake U DDR4 SODIMM PD RVP TLC, BIOS ICLSFWR1.R00.3234.A01.1906141750 06/14/2019
      Call Trace:
       dump_stack+0x7f/0xad
       check_noncircular+0x12e/0x150
       __lock_acquire+0x151e/0x2590
       lock_acquire+0xd1/0x3d0
       __mutex_lock+0xab/0x970
       drm_is_current_master+0x1b/0x40
       drm_mode_getconnector+0x37e/0x4a0
       drm_ioctl_kernel+0xa8/0xf0
       drm_ioctl+0x1e8/0x390
       __x64_sys_ioctl+0x6a/0xa0
       do_syscall_64+0x39/0xb0
       entry_SYSCALL_64_after_hwframe+0x44/0xae
      Reported-by: default avatarDaniel Vetter <daniel.vetter@ffwll.ch>
      Signed-off-by: default avatarDesmond Cheong Zhi Xi <desmondcheongzx@gmail.com>
      Reviewed-by: default avatarEmil Velikov <emil.l.velikov@gmail.com>
      Signed-off-by: default avatarDaniel Vetter <daniel.vetter@ffwll.ch>
      Link: https://patchwork.freedesktop.org/patch/msgid/20210712043508.11584-2-desmondcheongzx@gmail.com
      869e76f7
    • Jim Cromie's avatar