torvalds/linux
3
0
Fork 0
mirror of git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git synced 2026-03-22 07:27:12 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
e2e2d9633706f79e6efaa826cf72cbc12cf531f8
linux/drivers/gpu/drm/xe/xe_wait_user_fence.c
Fei Yang e2e2d96337 drm/xe: timeout needs to be a signed value 
In xe_wait_user_fence_ioctl, the timeout is currently defined as
unsigned long. That could potentially pass a negative value to
the schedule_timeout() call because nsecs_to_jiffies() returns an
unsigned long which gets used as signed long.

[ 187.732238] schedule_timeout: wrong timeout value fffffffffffffc18
[ 187.733180] CPU: 0 PID: 792 Comm: test_thread_dim Tainted: G U 6.4.0-xe #1
[ 187.734251] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2007
[ 187.735019] Call Trace:
[ 187.735373] <TASK>
[ 187.735687] dump_stack_lvl+0x92/0xb0
[ 187.736193] schedule_timeout+0x348/0x430
[ 187.736739] ? __might_fault+0x67/0xd0
[ 187.737255] ? check_chain_key+0x224/0x2d0
[ 187.737812] ? __pfx_schedule_timeout+0x10/0x10
[ 187.738429] ? __might_fault+0x6b/0xd0
[ 187.738946] ? __pfx_lock_release+0x10/0x10
[ 187.739512] ? __pfx_lock_release+0x10/0x10
[ 187.740080] wait_woken+0x86/0x100
[ 187.740556] xe_wait_user_fence_ioctl+0x34b/0xe00 [xe]
[ 187.741281] ? __pfx_xe_wait_user_fence_ioctl+0x10/0x10 [xe]
[ 187.742075] ? lock_acquire+0x169/0x3d0
[ 187.742601] ? check_chain_key+0x224/0x2d0
[ 187.743158] ? drm_dev_enter+0x9/0xe0 [drm]
[ 187.743740] ? __pfx_woken_wake_function+0x10/0x10
[ 187.744388] ? drm_dev_exit+0x11/0x50 [drm]
[ 187.744969] ? __pfx_lock_release+0x10/0x10
[ 187.745536] ? __might_fault+0x67/0xd0
[ 187.746052] ? check_chain_key+0x224/0x2d0
[ 187.746610] drm_ioctl_kernel+0x172/0x250 [drm]
[ 187.747242] ? __pfx_xe_wait_user_fence_ioctl+0x10/0x10 [xe]
[ 187.748037] ? __pfx_drm_ioctl_kernel+0x10/0x10 [drm]
[ 187.748729] ? __pfx_xe_wait_user_fence_ioctl+0x10/0x10 [xe]
[ 187.749524] ? __pfx_xe_wait_user_fence_ioctl+0x10/0x10 [xe]
[ 187.750319] drm_ioctl+0x35e/0x620 [drm]
[ 187.750871] ? __pfx_drm_ioctl+0x10/0x10 [drm]
[ 187.751495] ? restore_fpregs_from_fpstate+0x99/0x140
[ 187.752172] ? __pfx_restore_fpregs_from_fpstate+0x10/0x10
[ 187.752901] ? mark_held_locks+0x24/0x90
[ 187.753438] __x64_sys_ioctl+0xb4/0xf0
[ 187.753954] do_syscall_64+0x3f/0x90
[ 187.754450] entry_SYSCALL_64_after_hwframe+0x72/0xdc
[ 187.755127] RIP: 0033:0x7f4e6651aaff
[ 187.755623] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <41> 89 c0 3d 00 f0 ff ff 77 1f 48 8b 44 24 18 64 48 2b 04 25 28 00
[ 187.757995] RSP: 002b:00007fff05f37a50 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 187.758995] RAX: ffffffffffffffda RBX: 000055eca47c8130 RCX: 00007f4e6651aaff
[ 187.759935] RDX: 00007fff05f37b60 RSI: 00000000c050644b RDI: 0000000000000004
[ 187.760874] RBP: 0000000000000017 R08: 0000000000000017 R09: 7fffffffffffffff
[ 187.761814] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 187.762753] R13: 0000000000000000 R14: 0000000000000000 R15: 00007f4e65d19ce0
[ 187.763694] </TASK>

Fixes: 5572a00468 ("drm/xe: Use nanoseconds instead of jiffies in uapi for user fence")
Signed-off-by: Fei Yang <fei.yang@intel.com>
Cc: Andi Shyti <andi.shyti@linux.intel.com>
Cc: Zbigniew Kempczyński <zbigniew.kempczynski@intel.com>
Reviewed-by: Andi Shyti <andi.shyti@linux.intel.com>
Link: https://lore.kernel.org/r/20230921220500.994558-2-fei.yang@intel.com
Signed-off-by: Lucas De Marchi <lucas.demarchi@intel.com>
Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
2023-12-21 11:41:50 -05:00

255 lines
6.3 KiB
C
Raw Blame History

// SPDX-License-Identifier: MIT
/*
* Copyright © 2022 Intel Corporation
*/
#include "xe_wait_user_fence.h"
#include <drm/drm_device.h>
#include <drm/drm_file.h>
#include <drm/drm_utils.h>
#include <drm/xe_drm.h>
#include "xe_device.h"
#include "xe_gt.h"
#include "xe_macros.h"
#include "xe_vm.h"
static int do_compare(u64 addr, u64 value, u64 mask, u16 op)
{
u64 rvalue;
int err;
bool passed;
err = copy_from_user(&rvalue, u64_to_user_ptr(addr), sizeof(rvalue));
if (err)
return -EFAULT;
switch (op) {
case DRM_XE_UFENCE_WAIT_EQ:
passed = (rvalue & mask) == (value & mask);
break;
case DRM_XE_UFENCE_WAIT_NEQ:
passed = (rvalue & mask) != (value & mask);
break;
case DRM_XE_UFENCE_WAIT_GT:
passed = (rvalue & mask) > (value & mask);
break;
case DRM_XE_UFENCE_WAIT_GTE:
passed = (rvalue & mask) >= (value & mask);
break;
case DRM_XE_UFENCE_WAIT_LT:
passed = (rvalue & mask) < (value & mask);
break;
case DRM_XE_UFENCE_WAIT_LTE:
passed = (rvalue & mask) <= (value & mask);
break;
default:
XE_WARN_ON("Not possible");
}
return passed ? 0 : 1;
}
static const enum xe_engine_class user_to_xe_engine_class[] = {
[DRM_XE_ENGINE_CLASS_RENDER] = XE_ENGINE_CLASS_RENDER,
[DRM_XE_ENGINE_CLASS_COPY] = XE_ENGINE_CLASS_COPY,
[DRM_XE_ENGINE_CLASS_VIDEO_DECODE] = XE_ENGINE_CLASS_VIDEO_DECODE,
[DRM_XE_ENGINE_CLASS_VIDEO_ENHANCE] = XE_ENGINE_CLASS_VIDEO_ENHANCE,
[DRM_XE_ENGINE_CLASS_COMPUTE] = XE_ENGINE_CLASS_COMPUTE,
};
static int check_hw_engines(struct xe_device *xe,
struct drm_xe_engine_class_instance *eci,
int num_engines)
{
int i;
for (i = 0; i < num_engines; ++i) {
enum xe_engine_class user_class =
user_to_xe_engine_class[eci[i].engine_class];
if (eci[i].gt_id >= xe->info.tile_count)
return -EINVAL;
if (!xe_gt_hw_engine(xe_device_get_gt(xe, eci[i].gt_id),
user_class, eci[i].engine_instance, true))
return -EINVAL;
}
return 0;
}
#define VALID_FLAGS (DRM_XE_UFENCE_WAIT_SOFT_OP | \
DRM_XE_UFENCE_WAIT_ABSTIME | \
DRM_XE_UFENCE_WAIT_VM_ERROR)
#define MAX_OP DRM_XE_UFENCE_WAIT_LTE
static long to_jiffies_timeout(struct xe_device *xe,
struct drm_xe_wait_user_fence *args)
{
unsigned long long t;
long timeout;
/*
* For negative timeout we want to wait "forever" by setting
* MAX_SCHEDULE_TIMEOUT. But we have to assign this value also
* to args->timeout to avoid being zeroed on the signal delivery
* (see arithmetics after wait).
*/
if (args->timeout < 0) {
args->timeout = MAX_SCHEDULE_TIMEOUT;
return MAX_SCHEDULE_TIMEOUT;
}
if (args->timeout == 0)
return 0;
/*
* Save the timeout to an u64 variable because nsecs_to_jiffies
* might return a value that overflows s32 variable.
*/
if (args->flags & DRM_XE_UFENCE_WAIT_ABSTIME)
t = drm_timeout_abs_to_jiffies(args->timeout);
else
t = nsecs_to_jiffies(args->timeout);
/*
* Anything greater then MAX_SCHEDULE_TIMEOUT is meaningless,
* also we don't want to cap it at MAX_SCHEDULE_TIMEOUT because
* apparently user doesn't mean to wait forever, otherwise the
* args->timeout should have been set to a negative value.
*/
if (t > MAX_SCHEDULE_TIMEOUT)
timeout = MAX_SCHEDULE_TIMEOUT - 1;
else
timeout = t;
return timeout ?: 1;
}
int xe_wait_user_fence_ioctl(struct drm_device *dev, void *data,
struct drm_file *file)
{
struct xe_device *xe = to_xe_device(dev);
DEFINE_WAIT_FUNC(w_wait, woken_wake_function);
struct drm_xe_wait_user_fence *args = data;
struct drm_xe_engine_class_instance eci[XE_HW_ENGINE_MAX_INSTANCE];
struct drm_xe_engine_class_instance __user *user_eci =
u64_to_user_ptr(args->instances);
struct xe_vm *vm = NULL;
u64 addr = args->addr;
int err;
bool no_engines = args->flags & DRM_XE_UFENCE_WAIT_SOFT_OP ||
args->flags & DRM_XE_UFENCE_WAIT_VM_ERROR;
long timeout;
ktime_t start;
if (XE_IOCTL_DBG(xe, args->extensions) || XE_IOCTL_DBG(xe, args->pad) ||
XE_IOCTL_DBG(xe, args->reserved[0] || args->reserved[1]))
return -EINVAL;
if (XE_IOCTL_DBG(xe, args->flags & ~VALID_FLAGS))
return -EINVAL;
if (XE_IOCTL_DBG(xe, args->op > MAX_OP))
return -EINVAL;
if (XE_IOCTL_DBG(xe, no_engines &&
(args->num_engines || args->instances)))
return -EINVAL;
if (XE_IOCTL_DBG(xe, !no_engines && !args->num_engines))
return -EINVAL;
if (XE_IOCTL_DBG(xe, !(args->flags & DRM_XE_UFENCE_WAIT_VM_ERROR) &&
addr & 0x7))
return -EINVAL;
if (XE_IOCTL_DBG(xe, args->num_engines > XE_HW_ENGINE_MAX_INSTANCE))
return -EINVAL;
if (!no_engines) {
err = copy_from_user(eci, user_eci,
sizeof(struct drm_xe_engine_class_instance) *
args->num_engines);
if (XE_IOCTL_DBG(xe, err))
return -EFAULT;
if (XE_IOCTL_DBG(xe, check_hw_engines(xe, eci,
args->num_engines)))
return -EINVAL;
}
if (args->flags & DRM_XE_UFENCE_WAIT_VM_ERROR) {
if (XE_IOCTL_DBG(xe, args->vm_id >> 32))
return -EINVAL;
vm = xe_vm_lookup(to_xe_file(file), args->vm_id);
if (XE_IOCTL_DBG(xe, !vm))
return -ENOENT;
if (XE_IOCTL_DBG(xe, !vm->async_ops.error_capture.addr)) {
xe_vm_put(vm);
return -EOPNOTSUPP;
}
addr = vm->async_ops.error_capture.addr;
}
timeout = to_jiffies_timeout(xe, args);
start = ktime_get();
/*
* FIXME: Very simple implementation at the moment, single wait queue
* for everything. Could be optimized to have a wait queue for every
* hardware engine. Open coding as 'do_compare' can sleep which doesn't
* work with the wait_event_* macros.
*/
if (vm)
add_wait_queue(&vm->async_ops.error_capture.wq, &w_wait);
else
add_wait_queue(&xe->ufence_wq, &w_wait);
for (;;) {
if (vm && xe_vm_is_closed(vm)) {
err = -ENODEV;
break;
}
err = do_compare(addr, args->value, args->mask, args->op);
if (err <= 0)
break;
if (signal_pending(current)) {
err = -ERESTARTSYS;
break;
}
if (!timeout) {
err = -ETIME;
break;
}
timeout = wait_woken(&w_wait, TASK_INTERRUPTIBLE, timeout);
}
if (vm) {
remove_wait_queue(&vm->async_ops.error_capture.wq, &w_wait);
xe_vm_put(vm);
} else {
remove_wait_queue(&xe->ufence_wq, &w_wait);
}
if (!(args->flags & DRM_XE_UFENCE_WAIT_ABSTIME)) {
args->timeout -= ktime_to_ns(ktime_sub(ktime_get(), start));
if (args->timeout < 0)
args->timeout = 0;
}
if (XE_IOCTL_DBG(xe, err < 0))
return err;
else if (XE_IOCTL_DBG(xe, !timeout))
return -ETIME;
return 0;
}
Reference in New Issue View Git Blame Copy Permalink