2018-05-02 15:46:21 +02:00
|
|
|
/* SPDX-License-Identifier: GPL-2.0 OR MIT */
|
2009-12-06 21:46:24 +01:00
|
|
|
/**************************************************************************
|
|
|
|
|
*
|
2024-01-26 15:08:01 -05:00
|
|
|
* Copyright (c) 2009-2023 VMware, Inc., Palo Alto, CA., USA
|
2009-12-06 21:46:24 +01:00
|
|
|
* All Rights Reserved.
|
|
|
|
|
*
|
|
|
|
|
* Permission is hereby granted, free of charge, to any person obtaining a
|
|
|
|
|
* copy of this software and associated documentation files (the
|
|
|
|
|
* "Software"), to deal in the Software without restriction, including
|
|
|
|
|
* without limitation the rights to use, copy, modify, merge, publish,
|
|
|
|
|
* distribute, sub license, and/or sell copies of the Software, and to
|
|
|
|
|
* permit persons to whom the Software is furnished to do so, subject to
|
|
|
|
|
* the following conditions:
|
|
|
|
|
*
|
|
|
|
|
* The above copyright notice and this permission notice (including the
|
|
|
|
|
* next paragraph) shall be included in all copies or substantial portions
|
|
|
|
|
* of the Software.
|
|
|
|
|
*
|
|
|
|
|
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
|
|
|
|
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
|
|
|
|
* FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT. IN NO EVENT SHALL
|
|
|
|
|
* THE COPYRIGHT HOLDERS, AUTHORS AND/OR ITS SUPPLIERS BE LIABLE FOR ANY CLAIM,
|
|
|
|
|
* DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
|
|
|
|
|
* OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE
|
|
|
|
|
* USE OR OTHER DEALINGS IN THE SOFTWARE.
|
|
|
|
|
*
|
|
|
|
|
**************************************************************************/
|
|
|
|
|
/*
|
|
|
|
|
* Authors: Thomas Hellstrom <thellstrom-at-vmware-dot-com>
|
2013-11-13 01:48:31 -08:00
|
|
|
*
|
|
|
|
|
* While no substantial code is shared, the prime code is inspired by
|
|
|
|
|
* drm_prime.c, with
|
|
|
|
|
* Authors:
|
|
|
|
|
* Dave Airlie <airlied@redhat.com>
|
|
|
|
|
* Rob Clark <rob.clark@linaro.org>
|
2009-12-06 21:46:24 +01:00
|
|
|
*/
|
|
|
|
|
/** @file ttm_ref_object.c
|
|
|
|
|
*
|
|
|
|
|
* Base- and reference object implementation for the various
|
|
|
|
|
* ttm objects. Implements reference counting, minimal security checks
|
|
|
|
|
* and release on file close.
|
|
|
|
|
*/
|
|
|
|
|
|
2013-11-13 01:48:31 -08:00
|
|
|
|
2021-01-15 18:16:01 +00:00
|
|
|
#define pr_fmt(fmt) "[TTM] " fmt
|
|
|
|
|
|
2022-10-22 00:02:23 -04:00
|
|
|
#include "ttm_object.h"
|
|
|
|
|
#include "vmwgfx_drv.h"
|
|
|
|
|
|
2021-01-15 18:16:01 +00:00
|
|
|
#include <linux/list.h>
|
|
|
|
|
#include <linux/spinlock.h>
|
|
|
|
|
#include <linux/slab.h>
|
|
|
|
|
#include <linux/atomic.h>
|
2021-10-10 14:46:28 +02:00
|
|
|
#include <linux/module.h>
|
2022-10-22 00:02:29 -04:00
|
|
|
#include <linux/hashtable.h>
|
2021-01-15 18:16:01 +00:00
|
|
|
|
module: Convert symbol namespace to string literal
Clean up the existing export namespace code along the same lines of
commit 33def8498fdd ("treewide: Convert macro and uses of __section(foo)
to __section("foo")") and for the same reason, it is not desired for the
namespace argument to be a macro expansion itself.
Scripted using
git grep -l -e MODULE_IMPORT_NS -e EXPORT_SYMBOL_NS | while read file;
do
awk -i inplace '
/^#define EXPORT_SYMBOL_NS/ {
gsub(/__stringify\(ns\)/, "ns");
print;
next;
}
/^#define MODULE_IMPORT_NS/ {
gsub(/__stringify\(ns\)/, "ns");
print;
next;
}
/MODULE_IMPORT_NS/ {
$0 = gensub(/MODULE_IMPORT_NS\(([^)]*)\)/, "MODULE_IMPORT_NS(\"\\1\")", "g");
}
/EXPORT_SYMBOL_NS/ {
if ($0 ~ /(EXPORT_SYMBOL_NS[^(]*)\(([^,]+),/) {
if ($0 !~ /(EXPORT_SYMBOL_NS[^(]*)\(([^,]+), ([^)]+)\)/ &&
$0 !~ /(EXPORT_SYMBOL_NS[^(]*)\(\)/ &&
$0 !~ /^my/) {
getline line;
gsub(/[[:space:]]*\\$/, "");
gsub(/[[:space:]]/, "", line);
$0 = $0 " " line;
}
$0 = gensub(/(EXPORT_SYMBOL_NS[^(]*)\(([^,]+), ([^)]+)\)/,
"\\1(\\2, \"\\3\")", "g");
}
}
{ print }' $file;
done
Requested-by: Masahiro Yamada <masahiroy@kernel.org>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Link: https://mail.google.com/mail/u/2/#inbox/FMfcgzQXKWgMmjdFwwdsfgxzKpVHWPlc
Acked-by: Greg KH <gregkh@linuxfoundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2024-12-02 15:59:47 +01:00
|
|
|
MODULE_IMPORT_NS("DMA_BUF");
|
2021-10-10 14:46:28 +02:00
|
|
|
|
2022-10-22 00:02:29 -04:00
|
|
|
#define VMW_TTM_OBJECT_REF_HT_ORDER 10
|
|
|
|
|
|
2009-12-06 21:46:24 +01:00
|
|
|
/**
|
|
|
|
|
* struct ttm_object_file
|
|
|
|
|
*
|
|
|
|
|
* @tdev: Pointer to the ttm_object_device.
|
|
|
|
|
*
|
|
|
|
|
* @lock: Lock that protects the ref_list list and the
|
|
|
|
|
* ref_hash hash tables.
|
|
|
|
|
*
|
|
|
|
|
* @ref_list: List of ttm_ref_objects to be destroyed at
|
|
|
|
|
* file release.
|
|
|
|
|
*
|
|
|
|
|
* @ref_hash: Hash tables of ref objects, one per ttm_ref_type,
|
|
|
|
|
* for fast lookup of ref objects given a base object.
|
2021-01-15 18:16:01 +00:00
|
|
|
*
|
|
|
|
|
* @refcount: reference/usage count
|
2009-12-06 21:46:24 +01:00
|
|
|
*/
|
|
|
|
|
struct ttm_object_file {
|
|
|
|
|
struct ttm_object_device *tdev;
|
drm/ttm: ttm object security fixes for render nodes
When a client looks up a ttm object, don't look it up through the device hash
table, but rather from the file hash table. That makes sure that the client
has indeed put a reference on the object, or in gem terms, has opened
the object; either using prime or using the global "name".
To avoid a performance loss, make sure the file hash table entries can be
looked up from under an RCU lock, and as a consequence, replace the rwlock
with a spinlock, since we never need to take it in read mode only anymore.
Finally add a ttm object lookup function for the device hash table, that is
intended to be used when we put a ref object on a base object or, in gem terms,
when we open the object.
Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>
Reviewed-by: Brian Paul <brianp@vmware.com>
2013-12-18 14:13:29 +01:00
|
|
|
spinlock_t lock;
|
2009-12-06 21:46:24 +01:00
|
|
|
struct list_head ref_list;
|
2022-10-22 00:02:29 -04:00
|
|
|
DECLARE_HASHTABLE(ref_hash, VMW_TTM_OBJECT_REF_HT_ORDER);
|
2009-12-06 21:46:24 +01:00
|
|
|
struct kref refcount;
|
|
|
|
|
};
|
|
|
|
|
|
2021-01-15 18:15:41 +00:00
|
|
|
/*
|
2009-12-06 21:46:24 +01:00
|
|
|
* struct ttm_object_device
|
|
|
|
|
*
|
2022-10-22 00:02:23 -04:00
|
|
|
* @object_lock: lock that protects idr.
|
2009-12-06 21:46:24 +01:00
|
|
|
*
|
|
|
|
|
* This is the per-device data structure needed for ttm object management.
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
struct ttm_object_device {
|
2012-11-06 11:31:50 +00:00
|
|
|
spinlock_t object_lock;
|
2013-11-13 01:48:31 -08:00
|
|
|
struct dma_buf_ops ops;
|
|
|
|
|
void (*dmabuf_release)(struct dma_buf *dma_buf);
|
2018-09-26 15:50:13 +02:00
|
|
|
struct idr idr;
|
2009-12-06 21:46:24 +01:00
|
|
|
};
|
|
|
|
|
|
2021-01-15 18:15:41 +00:00
|
|
|
/*
|
2009-12-06 21:46:24 +01:00
|
|
|
* struct ttm_ref_object
|
|
|
|
|
*
|
|
|
|
|
* @hash: Hash entry for the per-file object reference hash.
|
|
|
|
|
*
|
|
|
|
|
* @head: List entry for the per-file list of ref-objects.
|
|
|
|
|
*
|
|
|
|
|
* @kref: Ref count.
|
|
|
|
|
*
|
|
|
|
|
* @obj: Base object this ref object is referencing.
|
|
|
|
|
*
|
|
|
|
|
* @ref_type: Type of ref object.
|
|
|
|
|
*
|
|
|
|
|
* This is similar to an idr object, but it also has a hash table entry
|
|
|
|
|
* that allows lookup with a pointer to the referenced object as a key. In
|
|
|
|
|
* that way, one can easily detect whether a base object is referenced by
|
|
|
|
|
* a particular ttm_object_file. It also carries a ref count to avoid creating
|
|
|
|
|
* multiple ref objects if a ttm_object_file references the same base
|
|
|
|
|
* object more than once.
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
struct ttm_ref_object {
|
drm/ttm: ttm object security fixes for render nodes
When a client looks up a ttm object, don't look it up through the device hash
table, but rather from the file hash table. That makes sure that the client
has indeed put a reference on the object, or in gem terms, has opened
the object; either using prime or using the global "name".
To avoid a performance loss, make sure the file hash table entries can be
looked up from under an RCU lock, and as a consequence, replace the rwlock
with a spinlock, since we never need to take it in read mode only anymore.
Finally add a ttm object lookup function for the device hash table, that is
intended to be used when we put a ref object on a base object or, in gem terms,
when we open the object.
Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>
Reviewed-by: Brian Paul <brianp@vmware.com>
2013-12-18 14:13:29 +01:00
|
|
|
struct rcu_head rcu_head;
|
2021-11-29 10:48:40 +01:00
|
|
|
struct vmwgfx_hash_item hash;
|
2009-12-06 21:46:24 +01:00
|
|
|
struct list_head head;
|
|
|
|
|
struct kref kref;
|
2010-01-26 17:10:48 +00:00
|
|
|
struct ttm_base_object *obj;
|
2009-12-06 21:46:24 +01:00
|
|
|
struct ttm_object_file *tfile;
|
|
|
|
|
};
|
|
|
|
|
|
2013-11-13 01:48:31 -08:00
|
|
|
static void ttm_prime_dmabuf_release(struct dma_buf *dma_buf);
|
|
|
|
|
|
2009-12-06 21:46:24 +01:00
|
|
|
static inline struct ttm_object_file *
|
|
|
|
|
ttm_object_file_ref(struct ttm_object_file *tfile)
|
|
|
|
|
{
|
|
|
|
|
kref_get(&tfile->refcount);
|
|
|
|
|
return tfile;
|
|
|
|
|
}
|
|
|
|
|
|
2022-10-22 00:02:29 -04:00
|
|
|
static int ttm_tfile_find_ref_rcu(struct ttm_object_file *tfile,
|
|
|
|
|
uint64_t key,
|
|
|
|
|
struct vmwgfx_hash_item **p_hash)
|
|
|
|
|
{
|
|
|
|
|
struct vmwgfx_hash_item *hash;
|
|
|
|
|
|
|
|
|
|
hash_for_each_possible_rcu(tfile->ref_hash, hash, head, key) {
|
|
|
|
|
if (hash->key == key) {
|
|
|
|
|
*p_hash = hash;
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return -EINVAL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int ttm_tfile_find_ref(struct ttm_object_file *tfile,
|
|
|
|
|
uint64_t key,
|
|
|
|
|
struct vmwgfx_hash_item **p_hash)
|
|
|
|
|
{
|
|
|
|
|
struct vmwgfx_hash_item *hash;
|
|
|
|
|
|
|
|
|
|
hash_for_each_possible(tfile->ref_hash, hash, head, key) {
|
|
|
|
|
if (hash->key == key) {
|
|
|
|
|
*p_hash = hash;
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return -EINVAL;
|
|
|
|
|
}
|
|
|
|
|
|
2009-12-06 21:46:24 +01:00
|
|
|
static void ttm_object_file_destroy(struct kref *kref)
|
|
|
|
|
{
|
|
|
|
|
struct ttm_object_file *tfile =
|
|
|
|
|
container_of(kref, struct ttm_object_file, refcount);
|
|
|
|
|
|
|
|
|
|
kfree(tfile);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
static inline void ttm_object_file_unref(struct ttm_object_file **p_tfile)
|
|
|
|
|
{
|
|
|
|
|
struct ttm_object_file *tfile = *p_tfile;
|
|
|
|
|
|
|
|
|
|
*p_tfile = NULL;
|
|
|
|
|
kref_put(&tfile->refcount, ttm_object_file_destroy);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
int ttm_base_object_init(struct ttm_object_file *tfile,
|
|
|
|
|
struct ttm_base_object *base,
|
|
|
|
|
bool shareable,
|
|
|
|
|
enum ttm_object_type object_type,
|
2021-12-06 12:26:12 -05:00
|
|
|
void (*refcount_release) (struct ttm_base_object **))
|
2009-12-06 21:46:24 +01:00
|
|
|
{
|
|
|
|
|
struct ttm_object_device *tdev = tfile->tdev;
|
|
|
|
|
int ret;
|
|
|
|
|
|
|
|
|
|
base->shareable = shareable;
|
|
|
|
|
base->tfile = ttm_object_file_ref(tfile);
|
|
|
|
|
base->refcount_release = refcount_release;
|
|
|
|
|
base->object_type = object_type;
|
|
|
|
|
kref_init(&base->refcount);
|
2018-09-26 15:50:13 +02:00
|
|
|
idr_preload(GFP_KERNEL);
|
2012-11-20 12:16:51 +00:00
|
|
|
spin_lock(&tdev->object_lock);
|
2019-05-07 11:10:10 +02:00
|
|
|
ret = idr_alloc(&tdev->idr, base, 1, 0, GFP_NOWAIT);
|
2012-11-06 11:31:50 +00:00
|
|
|
spin_unlock(&tdev->object_lock);
|
2018-09-26 15:50:13 +02:00
|
|
|
idr_preload_end();
|
|
|
|
|
if (ret < 0)
|
|
|
|
|
return ret;
|
2009-12-06 21:46:24 +01:00
|
|
|
|
2018-09-26 15:50:13 +02:00
|
|
|
base->handle = ret;
|
2021-12-06 12:26:12 -05:00
|
|
|
ret = ttm_ref_object_add(tfile, base, NULL, false);
|
2009-12-06 21:46:24 +01:00
|
|
|
if (unlikely(ret != 0))
|
|
|
|
|
goto out_err1;
|
|
|
|
|
|
|
|
|
|
ttm_base_object_unref(&base);
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
out_err1:
|
2012-11-20 12:16:50 +00:00
|
|
|
spin_lock(&tdev->object_lock);
|
2018-09-26 15:50:13 +02:00
|
|
|
idr_remove(&tdev->idr, base->handle);
|
2012-11-20 12:16:50 +00:00
|
|
|
spin_unlock(&tdev->object_lock);
|
2009-12-06 21:46:24 +01:00
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void ttm_release_base(struct kref *kref)
|
|
|
|
|
{
|
|
|
|
|
struct ttm_base_object *base =
|
|
|
|
|
container_of(kref, struct ttm_base_object, refcount);
|
|
|
|
|
struct ttm_object_device *tdev = base->tfile->tdev;
|
|
|
|
|
|
2012-11-06 11:31:50 +00:00
|
|
|
spin_lock(&tdev->object_lock);
|
2018-09-26 15:50:13 +02:00
|
|
|
idr_remove(&tdev->idr, base->handle);
|
2012-11-06 11:31:50 +00:00
|
|
|
spin_unlock(&tdev->object_lock);
|
2012-11-20 12:16:51 +00:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Note: We don't use synchronize_rcu() here because it's far
|
|
|
|
|
* too slow. It's up to the user to free the object using
|
|
|
|
|
* call_rcu() or ttm_base_object_kfree().
|
|
|
|
|
*/
|
|
|
|
|
|
drm/ttm: ttm object security fixes for render nodes
When a client looks up a ttm object, don't look it up through the device hash
table, but rather from the file hash table. That makes sure that the client
has indeed put a reference on the object, or in gem terms, has opened
the object; either using prime or using the global "name".
To avoid a performance loss, make sure the file hash table entries can be
looked up from under an RCU lock, and as a consequence, replace the rwlock
with a spinlock, since we never need to take it in read mode only anymore.
Finally add a ttm object lookup function for the device hash table, that is
intended to be used when we put a ref object on a base object or, in gem terms,
when we open the object.
Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>
Reviewed-by: Brian Paul <brianp@vmware.com>
2013-12-18 14:13:29 +01:00
|
|
|
ttm_object_file_unref(&base->tfile);
|
|
|
|
|
if (base->refcount_release)
|
2009-12-06 21:46:24 +01:00
|
|
|
base->refcount_release(&base);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void ttm_base_object_unref(struct ttm_base_object **p_base)
|
|
|
|
|
{
|
|
|
|
|
struct ttm_base_object *base = *p_base;
|
|
|
|
|
|
|
|
|
|
*p_base = NULL;
|
|
|
|
|
|
2011-02-27 01:34:08 +01:00
|
|
|
kref_put(&base->refcount, ttm_release_base);
|
2009-12-06 21:46:24 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
struct ttm_base_object *ttm_base_object_lookup(struct ttm_object_file *tfile,
|
2022-10-22 00:02:29 -04:00
|
|
|
uint64_t key)
|
2009-12-06 21:46:24 +01:00
|
|
|
{
|
drm/ttm: ttm object security fixes for render nodes
When a client looks up a ttm object, don't look it up through the device hash
table, but rather from the file hash table. That makes sure that the client
has indeed put a reference on the object, or in gem terms, has opened
the object; either using prime or using the global "name".
To avoid a performance loss, make sure the file hash table entries can be
looked up from under an RCU lock, and as a consequence, replace the rwlock
with a spinlock, since we never need to take it in read mode only anymore.
Finally add a ttm object lookup function for the device hash table, that is
intended to be used when we put a ref object on a base object or, in gem terms,
when we open the object.
Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>
Reviewed-by: Brian Paul <brianp@vmware.com>
2013-12-18 14:13:29 +01:00
|
|
|
struct ttm_base_object *base = NULL;
|
2021-11-29 10:48:40 +01:00
|
|
|
struct vmwgfx_hash_item *hash;
|
2009-12-06 21:46:24 +01:00
|
|
|
int ret;
|
|
|
|
|
|
2022-12-07 12:29:07 -05:00
|
|
|
spin_lock(&tfile->lock);
|
|
|
|
|
ret = ttm_tfile_find_ref(tfile, key, &hash);
|
2009-12-06 21:46:24 +01:00
|
|
|
|
|
|
|
|
if (likely(ret == 0)) {
|
2022-10-22 00:02:30 -04:00
|
|
|
base = hlist_entry(hash, struct ttm_ref_object, hash)->obj;
|
drm/ttm: ttm object security fixes for render nodes
When a client looks up a ttm object, don't look it up through the device hash
table, but rather from the file hash table. That makes sure that the client
has indeed put a reference on the object, or in gem terms, has opened
the object; either using prime or using the global "name".
To avoid a performance loss, make sure the file hash table entries can be
looked up from under an RCU lock, and as a consequence, replace the rwlock
with a spinlock, since we never need to take it in read mode only anymore.
Finally add a ttm object lookup function for the device hash table, that is
intended to be used when we put a ref object on a base object or, in gem terms,
when we open the object.
Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>
Reviewed-by: Brian Paul <brianp@vmware.com>
2013-12-18 14:13:29 +01:00
|
|
|
if (!kref_get_unless_zero(&base->refcount))
|
|
|
|
|
base = NULL;
|
2009-12-06 21:46:24 +01:00
|
|
|
}
|
2022-12-07 12:29:07 -05:00
|
|
|
spin_unlock(&tfile->lock);
|
|
|
|
|
|
2009-12-06 21:46:24 +01:00
|
|
|
|
drm/ttm: ttm object security fixes for render nodes
When a client looks up a ttm object, don't look it up through the device hash
table, but rather from the file hash table. That makes sure that the client
has indeed put a reference on the object, or in gem terms, has opened
the object; either using prime or using the global "name".
To avoid a performance loss, make sure the file hash table entries can be
looked up from under an RCU lock, and as a consequence, replace the rwlock
with a spinlock, since we never need to take it in read mode only anymore.
Finally add a ttm object lookup function for the device hash table, that is
intended to be used when we put a ref object on a base object or, in gem terms,
when we open the object.
Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>
Reviewed-by: Brian Paul <brianp@vmware.com>
2013-12-18 14:13:29 +01:00
|
|
|
return base;
|
|
|
|
|
}
|
2009-12-06 21:46:24 +01:00
|
|
|
|
drm/ttm: ttm object security fixes for render nodes
When a client looks up a ttm object, don't look it up through the device hash
table, but rather from the file hash table. That makes sure that the client
has indeed put a reference on the object, or in gem terms, has opened
the object; either using prime or using the global "name".
To avoid a performance loss, make sure the file hash table entries can be
looked up from under an RCU lock, and as a consequence, replace the rwlock
with a spinlock, since we never need to take it in read mode only anymore.
Finally add a ttm object lookup function for the device hash table, that is
intended to be used when we put a ref object on a base object or, in gem terms,
when we open the object.
Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>
Reviewed-by: Brian Paul <brianp@vmware.com>
2013-12-18 14:13:29 +01:00
|
|
|
struct ttm_base_object *
|
2022-10-22 00:02:29 -04:00
|
|
|
ttm_base_object_lookup_for_ref(struct ttm_object_device *tdev, uint64_t key)
|
drm/ttm: ttm object security fixes for render nodes
When a client looks up a ttm object, don't look it up through the device hash
table, but rather from the file hash table. That makes sure that the client
has indeed put a reference on the object, or in gem terms, has opened
the object; either using prime or using the global "name".
To avoid a performance loss, make sure the file hash table entries can be
looked up from under an RCU lock, and as a consequence, replace the rwlock
with a spinlock, since we never need to take it in read mode only anymore.
Finally add a ttm object lookup function for the device hash table, that is
intended to be used when we put a ref object on a base object or, in gem terms,
when we open the object.
Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>
Reviewed-by: Brian Paul <brianp@vmware.com>
2013-12-18 14:13:29 +01:00
|
|
|
{
|
2018-09-26 15:50:13 +02:00
|
|
|
struct ttm_base_object *base;
|
drm/ttm: ttm object security fixes for render nodes
When a client looks up a ttm object, don't look it up through the device hash
table, but rather from the file hash table. That makes sure that the client
has indeed put a reference on the object, or in gem terms, has opened
the object; either using prime or using the global "name".
To avoid a performance loss, make sure the file hash table entries can be
looked up from under an RCU lock, and as a consequence, replace the rwlock
with a spinlock, since we never need to take it in read mode only anymore.
Finally add a ttm object lookup function for the device hash table, that is
intended to be used when we put a ref object on a base object or, in gem terms,
when we open the object.
Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>
Reviewed-by: Brian Paul <brianp@vmware.com>
2013-12-18 14:13:29 +01:00
|
|
|
|
|
|
|
|
rcu_read_lock();
|
2018-09-26 15:50:13 +02:00
|
|
|
base = idr_find(&tdev->idr, key);
|
drm/ttm: ttm object security fixes for render nodes
When a client looks up a ttm object, don't look it up through the device hash
table, but rather from the file hash table. That makes sure that the client
has indeed put a reference on the object, or in gem terms, has opened
the object; either using prime or using the global "name".
To avoid a performance loss, make sure the file hash table entries can be
looked up from under an RCU lock, and as a consequence, replace the rwlock
with a spinlock, since we never need to take it in read mode only anymore.
Finally add a ttm object lookup function for the device hash table, that is
intended to be used when we put a ref object on a base object or, in gem terms,
when we open the object.
Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>
Reviewed-by: Brian Paul <brianp@vmware.com>
2013-12-18 14:13:29 +01:00
|
|
|
|
2018-09-26 15:50:13 +02:00
|
|
|
if (base && !kref_get_unless_zero(&base->refcount))
|
|
|
|
|
base = NULL;
|
drm/ttm: ttm object security fixes for render nodes
When a client looks up a ttm object, don't look it up through the device hash
table, but rather from the file hash table. That makes sure that the client
has indeed put a reference on the object, or in gem terms, has opened
the object; either using prime or using the global "name".
To avoid a performance loss, make sure the file hash table entries can be
looked up from under an RCU lock, and as a consequence, replace the rwlock
with a spinlock, since we never need to take it in read mode only anymore.
Finally add a ttm object lookup function for the device hash table, that is
intended to be used when we put a ref object on a base object or, in gem terms,
when we open the object.
Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>
Reviewed-by: Brian Paul <brianp@vmware.com>
2013-12-18 14:13:29 +01:00
|
|
|
rcu_read_unlock();
|
2009-12-06 21:46:24 +01:00
|
|
|
|
|
|
|
|
return base;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
int ttm_ref_object_add(struct ttm_object_file *tfile,
|
|
|
|
|
struct ttm_base_object *base,
|
2021-12-06 12:26:12 -05:00
|
|
|
bool *existed,
|
2017-03-27 11:21:25 +02:00
|
|
|
bool require_existed)
|
2009-12-06 21:46:24 +01:00
|
|
|
{
|
|
|
|
|
struct ttm_ref_object *ref;
|
2021-11-29 10:48:40 +01:00
|
|
|
struct vmwgfx_hash_item *hash;
|
2009-12-06 21:46:24 +01:00
|
|
|
int ret = -EINVAL;
|
|
|
|
|
|
drm/ttm: ttm object security fixes for render nodes
When a client looks up a ttm object, don't look it up through the device hash
table, but rather from the file hash table. That makes sure that the client
has indeed put a reference on the object, or in gem terms, has opened
the object; either using prime or using the global "name".
To avoid a performance loss, make sure the file hash table entries can be
looked up from under an RCU lock, and as a consequence, replace the rwlock
with a spinlock, since we never need to take it in read mode only anymore.
Finally add a ttm object lookup function for the device hash table, that is
intended to be used when we put a ref object on a base object or, in gem terms,
when we open the object.
Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>
Reviewed-by: Brian Paul <brianp@vmware.com>
2013-12-18 14:13:29 +01:00
|
|
|
if (base->tfile != tfile && !base->shareable)
|
|
|
|
|
return -EPERM;
|
|
|
|
|
|
2009-12-06 21:46:24 +01:00
|
|
|
if (existed != NULL)
|
|
|
|
|
*existed = true;
|
|
|
|
|
|
|
|
|
|
while (ret == -EINVAL) {
|
drm/ttm: ttm object security fixes for render nodes
When a client looks up a ttm object, don't look it up through the device hash
table, but rather from the file hash table. That makes sure that the client
has indeed put a reference on the object, or in gem terms, has opened
the object; either using prime or using the global "name".
To avoid a performance loss, make sure the file hash table entries can be
looked up from under an RCU lock, and as a consequence, replace the rwlock
with a spinlock, since we never need to take it in read mode only anymore.
Finally add a ttm object lookup function for the device hash table, that is
intended to be used when we put a ref object on a base object or, in gem terms,
when we open the object.
Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>
Reviewed-by: Brian Paul <brianp@vmware.com>
2013-12-18 14:13:29 +01:00
|
|
|
rcu_read_lock();
|
2022-10-22 00:02:29 -04:00
|
|
|
ret = ttm_tfile_find_ref_rcu(tfile, base->handle, &hash);
|
2009-12-06 21:46:24 +01:00
|
|
|
|
|
|
|
|
if (ret == 0) {
|
2022-10-22 00:02:30 -04:00
|
|
|
ref = hlist_entry(hash, struct ttm_ref_object, hash);
|
2014-01-24 08:49:45 +01:00
|
|
|
if (kref_get_unless_zero(&ref->kref)) {
|
drm/ttm: ttm object security fixes for render nodes
When a client looks up a ttm object, don't look it up through the device hash
table, but rather from the file hash table. That makes sure that the client
has indeed put a reference on the object, or in gem terms, has opened
the object; either using prime or using the global "name".
To avoid a performance loss, make sure the file hash table entries can be
looked up from under an RCU lock, and as a consequence, replace the rwlock
with a spinlock, since we never need to take it in read mode only anymore.
Finally add a ttm object lookup function for the device hash table, that is
intended to be used when we put a ref object on a base object or, in gem terms,
when we open the object.
Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>
Reviewed-by: Brian Paul <brianp@vmware.com>
2013-12-18 14:13:29 +01:00
|
|
|
rcu_read_unlock();
|
|
|
|
|
break;
|
|
|
|
|
}
|
2009-12-06 21:46:24 +01:00
|
|
|
}
|
|
|
|
|
|
drm/ttm: ttm object security fixes for render nodes
When a client looks up a ttm object, don't look it up through the device hash
table, but rather from the file hash table. That makes sure that the client
has indeed put a reference on the object, or in gem terms, has opened
the object; either using prime or using the global "name".
To avoid a performance loss, make sure the file hash table entries can be
looked up from under an RCU lock, and as a consequence, replace the rwlock
with a spinlock, since we never need to take it in read mode only anymore.
Finally add a ttm object lookup function for the device hash table, that is
intended to be used when we put a ref object on a base object or, in gem terms,
when we open the object.
Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>
Reviewed-by: Brian Paul <brianp@vmware.com>
2013-12-18 14:13:29 +01:00
|
|
|
rcu_read_unlock();
|
2017-03-27 11:21:25 +02:00
|
|
|
if (require_existed)
|
|
|
|
|
return -EPERM;
|
|
|
|
|
|
2009-12-06 21:46:24 +01:00
|
|
|
ref = kmalloc(sizeof(*ref), GFP_KERNEL);
|
|
|
|
|
if (unlikely(ref == NULL)) {
|
|
|
|
|
return -ENOMEM;
|
|
|
|
|
}
|
|
|
|
|
|
2018-09-26 15:50:13 +02:00
|
|
|
ref->hash.key = base->handle;
|
2009-12-06 21:46:24 +01:00
|
|
|
ref->obj = base;
|
|
|
|
|
ref->tfile = tfile;
|
|
|
|
|
kref_init(&ref->kref);
|
|
|
|
|
|
drm/ttm: ttm object security fixes for render nodes
When a client looks up a ttm object, don't look it up through the device hash
table, but rather from the file hash table. That makes sure that the client
has indeed put a reference on the object, or in gem terms, has opened
the object; either using prime or using the global "name".
To avoid a performance loss, make sure the file hash table entries can be
looked up from under an RCU lock, and as a consequence, replace the rwlock
with a spinlock, since we never need to take it in read mode only anymore.
Finally add a ttm object lookup function for the device hash table, that is
intended to be used when we put a ref object on a base object or, in gem terms,
when we open the object.
Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>
Reviewed-by: Brian Paul <brianp@vmware.com>
2013-12-18 14:13:29 +01:00
|
|
|
spin_lock(&tfile->lock);
|
2022-10-22 00:02:29 -04:00
|
|
|
hash_add_rcu(tfile->ref_hash, &ref->hash.head, ref->hash.key);
|
|
|
|
|
ret = 0;
|
2009-12-06 21:46:24 +01:00
|
|
|
|
2022-10-22 00:02:29 -04:00
|
|
|
list_add_tail(&ref->head, &tfile->ref_list);
|
|
|
|
|
kref_get(&base->refcount);
|
drm/ttm: ttm object security fixes for render nodes
When a client looks up a ttm object, don't look it up through the device hash
table, but rather from the file hash table. That makes sure that the client
has indeed put a reference on the object, or in gem terms, has opened
the object; either using prime or using the global "name".
To avoid a performance loss, make sure the file hash table entries can be
looked up from under an RCU lock, and as a consequence, replace the rwlock
with a spinlock, since we never need to take it in read mode only anymore.
Finally add a ttm object lookup function for the device hash table, that is
intended to be used when we put a ref object on a base object or, in gem terms,
when we open the object.
Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>
Reviewed-by: Brian Paul <brianp@vmware.com>
2013-12-18 14:13:29 +01:00
|
|
|
spin_unlock(&tfile->lock);
|
2022-10-22 00:02:29 -04:00
|
|
|
if (existed != NULL)
|
|
|
|
|
*existed = false;
|
2009-12-06 21:46:24 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
|
2018-09-26 20:15:36 +02:00
|
|
|
static void __releases(tfile->lock) __acquires(tfile->lock)
|
|
|
|
|
ttm_ref_object_release(struct kref *kref)
|
2009-12-06 21:46:24 +01:00
|
|
|
{
|
|
|
|
|
struct ttm_ref_object *ref =
|
|
|
|
|
container_of(kref, struct ttm_ref_object, kref);
|
|
|
|
|
struct ttm_object_file *tfile = ref->tfile;
|
|
|
|
|
|
2022-10-22 00:02:29 -04:00
|
|
|
hash_del_rcu(&ref->hash.head);
|
2009-12-06 21:46:24 +01:00
|
|
|
list_del(&ref->head);
|
drm/ttm: ttm object security fixes for render nodes
When a client looks up a ttm object, don't look it up through the device hash
table, but rather from the file hash table. That makes sure that the client
has indeed put a reference on the object, or in gem terms, has opened
the object; either using prime or using the global "name".
To avoid a performance loss, make sure the file hash table entries can be
looked up from under an RCU lock, and as a consequence, replace the rwlock
with a spinlock, since we never need to take it in read mode only anymore.
Finally add a ttm object lookup function for the device hash table, that is
intended to be used when we put a ref object on a base object or, in gem terms,
when we open the object.
Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>
Reviewed-by: Brian Paul <brianp@vmware.com>
2013-12-18 14:13:29 +01:00
|
|
|
spin_unlock(&tfile->lock);
|
2009-12-06 21:46:24 +01:00
|
|
|
|
|
|
|
|
ttm_base_object_unref(&ref->obj);
|
drm/ttm: ttm object security fixes for render nodes
When a client looks up a ttm object, don't look it up through the device hash
table, but rather from the file hash table. That makes sure that the client
has indeed put a reference on the object, or in gem terms, has opened
the object; either using prime or using the global "name".
To avoid a performance loss, make sure the file hash table entries can be
looked up from under an RCU lock, and as a consequence, replace the rwlock
with a spinlock, since we never need to take it in read mode only anymore.
Finally add a ttm object lookup function for the device hash table, that is
intended to be used when we put a ref object on a base object or, in gem terms,
when we open the object.
Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>
Reviewed-by: Brian Paul <brianp@vmware.com>
2013-12-18 14:13:29 +01:00
|
|
|
kfree_rcu(ref, rcu_head);
|
|
|
|
|
spin_lock(&tfile->lock);
|
2009-12-06 21:46:24 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
int ttm_ref_object_base_unref(struct ttm_object_file *tfile,
|
2021-12-06 12:26:12 -05:00
|
|
|
unsigned long key)
|
2009-12-06 21:46:24 +01:00
|
|
|
{
|
|
|
|
|
struct ttm_ref_object *ref;
|
2021-11-29 10:48:40 +01:00
|
|
|
struct vmwgfx_hash_item *hash;
|
2009-12-06 21:46:24 +01:00
|
|
|
int ret;
|
|
|
|
|
|
drm/ttm: ttm object security fixes for render nodes
When a client looks up a ttm object, don't look it up through the device hash
table, but rather from the file hash table. That makes sure that the client
has indeed put a reference on the object, or in gem terms, has opened
the object; either using prime or using the global "name".
To avoid a performance loss, make sure the file hash table entries can be
looked up from under an RCU lock, and as a consequence, replace the rwlock
with a spinlock, since we never need to take it in read mode only anymore.
Finally add a ttm object lookup function for the device hash table, that is
intended to be used when we put a ref object on a base object or, in gem terms,
when we open the object.
Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>
Reviewed-by: Brian Paul <brianp@vmware.com>
2013-12-18 14:13:29 +01:00
|
|
|
spin_lock(&tfile->lock);
|
2022-10-22 00:02:29 -04:00
|
|
|
ret = ttm_tfile_find_ref(tfile, key, &hash);
|
2009-12-06 21:46:24 +01:00
|
|
|
if (unlikely(ret != 0)) {
|
drm/ttm: ttm object security fixes for render nodes
When a client looks up a ttm object, don't look it up through the device hash
table, but rather from the file hash table. That makes sure that the client
has indeed put a reference on the object, or in gem terms, has opened
the object; either using prime or using the global "name".
To avoid a performance loss, make sure the file hash table entries can be
looked up from under an RCU lock, and as a consequence, replace the rwlock
with a spinlock, since we never need to take it in read mode only anymore.
Finally add a ttm object lookup function for the device hash table, that is
intended to be used when we put a ref object on a base object or, in gem terms,
when we open the object.
Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>
Reviewed-by: Brian Paul <brianp@vmware.com>
2013-12-18 14:13:29 +01:00
|
|
|
spin_unlock(&tfile->lock);
|
2009-12-06 21:46:24 +01:00
|
|
|
return -EINVAL;
|
|
|
|
|
}
|
2022-10-22 00:02:30 -04:00
|
|
|
ref = hlist_entry(hash, struct ttm_ref_object, hash);
|
2009-12-06 21:46:24 +01:00
|
|
|
kref_put(&ref->kref, ttm_ref_object_release);
|
drm/ttm: ttm object security fixes for render nodes
When a client looks up a ttm object, don't look it up through the device hash
table, but rather from the file hash table. That makes sure that the client
has indeed put a reference on the object, or in gem terms, has opened
the object; either using prime or using the global "name".
To avoid a performance loss, make sure the file hash table entries can be
looked up from under an RCU lock, and as a consequence, replace the rwlock
with a spinlock, since we never need to take it in read mode only anymore.
Finally add a ttm object lookup function for the device hash table, that is
intended to be used when we put a ref object on a base object or, in gem terms,
when we open the object.
Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>
Reviewed-by: Brian Paul <brianp@vmware.com>
2013-12-18 14:13:29 +01:00
|
|
|
spin_unlock(&tfile->lock);
|
2009-12-06 21:46:24 +01:00
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void ttm_object_file_release(struct ttm_object_file **p_tfile)
|
|
|
|
|
{
|
|
|
|
|
struct ttm_ref_object *ref;
|
|
|
|
|
struct list_head *list;
|
|
|
|
|
struct ttm_object_file *tfile = *p_tfile;
|
|
|
|
|
|
|
|
|
|
*p_tfile = NULL;
|
drm/ttm: ttm object security fixes for render nodes
When a client looks up a ttm object, don't look it up through the device hash
table, but rather from the file hash table. That makes sure that the client
has indeed put a reference on the object, or in gem terms, has opened
the object; either using prime or using the global "name".
To avoid a performance loss, make sure the file hash table entries can be
looked up from under an RCU lock, and as a consequence, replace the rwlock
with a spinlock, since we never need to take it in read mode only anymore.
Finally add a ttm object lookup function for the device hash table, that is
intended to be used when we put a ref object on a base object or, in gem terms,
when we open the object.
Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>
Reviewed-by: Brian Paul <brianp@vmware.com>
2013-12-18 14:13:29 +01:00
|
|
|
spin_lock(&tfile->lock);
|
2009-12-06 21:46:24 +01:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Since we release the lock within the loop, we have to
|
|
|
|
|
* restart it from the beginning each time.
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
while (!list_empty(&tfile->ref_list)) {
|
|
|
|
|
list = tfile->ref_list.next;
|
|
|
|
|
ref = list_entry(list, struct ttm_ref_object, head);
|
|
|
|
|
ttm_ref_object_release(&ref->kref);
|
|
|
|
|
}
|
|
|
|
|
|
2017-03-27 12:38:25 +02:00
|
|
|
spin_unlock(&tfile->lock);
|
2009-12-06 21:46:24 +01:00
|
|
|
|
|
|
|
|
ttm_object_file_unref(&tfile);
|
|
|
|
|
}
|
|
|
|
|
|
2022-10-22 00:02:29 -04:00
|
|
|
struct ttm_object_file *ttm_object_file_init(struct ttm_object_device *tdev)
|
2009-12-06 21:46:24 +01:00
|
|
|
{
|
|
|
|
|
struct ttm_object_file *tfile = kmalloc(sizeof(*tfile), GFP_KERNEL);
|
|
|
|
|
|
|
|
|
|
if (unlikely(tfile == NULL))
|
|
|
|
|
return NULL;
|
|
|
|
|
|
drm/ttm: ttm object security fixes for render nodes
When a client looks up a ttm object, don't look it up through the device hash
table, but rather from the file hash table. That makes sure that the client
has indeed put a reference on the object, or in gem terms, has opened
the object; either using prime or using the global "name".
To avoid a performance loss, make sure the file hash table entries can be
looked up from under an RCU lock, and as a consequence, replace the rwlock
with a spinlock, since we never need to take it in read mode only anymore.
Finally add a ttm object lookup function for the device hash table, that is
intended to be used when we put a ref object on a base object or, in gem terms,
when we open the object.
Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>
Reviewed-by: Brian Paul <brianp@vmware.com>
2013-12-18 14:13:29 +01:00
|
|
|
spin_lock_init(&tfile->lock);
|
2009-12-06 21:46:24 +01:00
|
|
|
tfile->tdev = tdev;
|
|
|
|
|
kref_init(&tfile->refcount);
|
|
|
|
|
INIT_LIST_HEAD(&tfile->ref_list);
|
|
|
|
|
|
2022-10-22 00:02:29 -04:00
|
|
|
hash_init(tfile->ref_hash);
|
2009-12-06 21:46:24 +01:00
|
|
|
|
|
|
|
|
return tfile;
|
|
|
|
|
}
|
|
|
|
|
|
2013-11-13 01:48:31 -08:00
|
|
|
struct ttm_object_device *
|
2022-10-22 00:02:23 -04:00
|
|
|
ttm_object_device_init(const struct dma_buf_ops *ops)
|
2009-12-06 21:46:24 +01:00
|
|
|
{
|
|
|
|
|
struct ttm_object_device *tdev = kmalloc(sizeof(*tdev), GFP_KERNEL);
|
|
|
|
|
|
|
|
|
|
if (unlikely(tdev == NULL))
|
|
|
|
|
return NULL;
|
|
|
|
|
|
2012-11-06 11:31:50 +00:00
|
|
|
spin_lock_init(&tdev->object_lock);
|
2009-12-06 21:46:24 +01:00
|
|
|
|
2021-12-06 12:26:12 -05:00
|
|
|
/*
|
|
|
|
|
* Our base is at VMWGFX_NUM_MOB + 1 because we want to create
|
|
|
|
|
* a seperate namespace for GEM handles (which are
|
|
|
|
|
* 1..VMWGFX_NUM_MOB) and the surface handles. Some ioctl's
|
|
|
|
|
* can take either handle as an argument so we want to
|
|
|
|
|
* easily be able to tell whether the handle refers to a
|
|
|
|
|
* GEM buffer or a surface.
|
|
|
|
|
*/
|
|
|
|
|
idr_init_base(&tdev->idr, VMWGFX_NUM_MOB + 1);
|
2013-11-13 01:48:31 -08:00
|
|
|
tdev->ops = *ops;
|
|
|
|
|
tdev->dmabuf_release = tdev->ops.release;
|
|
|
|
|
tdev->ops.release = ttm_prime_dmabuf_release;
|
|
|
|
|
return tdev;
|
2009-12-06 21:46:24 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void ttm_object_device_release(struct ttm_object_device **p_tdev)
|
|
|
|
|
{
|
|
|
|
|
struct ttm_object_device *tdev = *p_tdev;
|
|
|
|
|
|
|
|
|
|
*p_tdev = NULL;
|
|
|
|
|
|
2018-09-26 15:50:13 +02:00
|
|
|
WARN_ON_ONCE(!idr_is_empty(&tdev->idr));
|
|
|
|
|
idr_destroy(&tdev->idr);
|
2009-12-06 21:46:24 +01:00
|
|
|
|
|
|
|
|
kfree(tdev);
|
|
|
|
|
}
|
2013-11-13 01:48:31 -08:00
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* get_dma_buf_unless_doomed - get a dma_buf reference if possible.
|
|
|
|
|
*
|
2021-01-15 18:15:41 +00:00
|
|
|
* @dmabuf: Non-refcounted pointer to a struct dma-buf.
|
2013-11-13 01:48:31 -08:00
|
|
|
*
|
|
|
|
|
* Obtain a file reference from a lookup structure that doesn't refcount
|
|
|
|
|
* the file, but synchronizes with its release method to make sure it has
|
|
|
|
|
* not been freed yet. See for example kref_get_unless_zero documentation.
|
|
|
|
|
* Returns true if refcounting succeeds, false otherwise.
|
|
|
|
|
*
|
|
|
|
|
* Nobody really wants this as a public API yet, so let it mature here
|
|
|
|
|
* for some time...
|
|
|
|
|
*/
|
|
|
|
|
static bool __must_check get_dma_buf_unless_doomed(struct dma_buf *dmabuf)
|
|
|
|
|
{
|
fs: port files to file_ref
Port files to rely on file_ref reference to improve scaling and gain
overflow protection.
- We continue to WARN during get_file() in case a file that is already
marked dead is revived as get_file() is only valid if the caller
already holds a reference to the file. This hasn't changed just the
check changes.
- The semantics for epoll and ttm's dmabuf usage have changed. Both
epoll and ttm synchronize with __fput() to prevent the underlying file
from beeing freed.
(1) epoll
Explaining epoll is straightforward using a simple diagram.
Essentially, the mutex of the epoll instance needs to be taken in both
__fput() and around epi_fget() preventing the file from being freed
while it is polled or preventing the file from being resurrected.
CPU1 CPU2
fput(file)
-> __fput(file)
-> eventpoll_release(file)
-> eventpoll_release_file(file)
mutex_lock(&ep->mtx)
epi_item_poll()
-> epi_fget()
-> file_ref_get(file)
mutex_unlock(&ep->mtx)
mutex_lock(&ep->mtx);
__ep_remove()
mutex_unlock(&ep->mtx);
-> kmem_cache_free(file)
(2) ttm dmabuf
This explanation is a bit more involved. A regular dmabuf file stashed
the dmabuf in file->private_data and the file in dmabuf->file:
file->private_data = dmabuf;
dmabuf->file = file;
The generic release method of a dmabuf file handles file specific
things:
f_op->release::dma_buf_file_release()
while the generic dentry release method of a dmabuf handles dmabuf
freeing including driver specific things:
dentry->d_release::dma_buf_release()
During ttm dmabuf initialization in ttm_object_device_init() the ttm
driver copies the provided struct dma_buf_ops into a private location:
struct ttm_object_device {
spinlock_t object_lock;
struct dma_buf_ops ops;
void (*dmabuf_release)(struct dma_buf *dma_buf);
struct idr idr;
};
ttm_object_device_init(const struct dma_buf_ops *ops)
{
// copy original dma_buf_ops in private location
tdev->ops = *ops;
// stash the release method of the original struct dma_buf_ops
tdev->dmabuf_release = tdev->ops.release;
// override the release method in the copy of the struct dma_buf_ops
// with ttm's own dmabuf release method
tdev->ops.release = ttm_prime_dmabuf_release;
}
When a new dmabuf is created the struct dma_buf_ops with the overriden
release method set to ttm_prime_dmabuf_release is passed in exp_info.ops:
DEFINE_DMA_BUF_EXPORT_INFO(exp_info);
exp_info.ops = &tdev->ops;
exp_info.size = prime->size;
exp_info.flags = flags;
exp_info.priv = prime;
The call to dma_buf_export() then sets
mutex_lock_interruptible(&prime->mutex);
dma_buf = dma_buf_export(&exp_info)
{
dmabuf->ops = exp_info->ops;
}
mutex_unlock(&prime->mutex);
which creates a new dmabuf file and then install a file descriptor to
it in the callers file descriptor table:
ret = dma_buf_fd(dma_buf, flags);
When that dmabuf file is closed we now get:
fput(file)
-> __fput(file)
-> f_op->release::dma_buf_file_release()
-> dput()
-> d_op->d_release::dma_buf_release()
-> dmabuf->ops->release::ttm_prime_dmabuf_release()
mutex_lock(&prime->mutex);
if (prime->dma_buf == dma_buf)
prime->dma_buf = NULL;
mutex_unlock(&prime->mutex);
Where we can see that prime->dma_buf is set to NULL. So when we have
the following diagram:
CPU1 CPU2
fput(file)
-> __fput(file)
-> f_op->release::dma_buf_file_release()
-> dput()
-> d_op->d_release::dma_buf_release()
-> dmabuf->ops->release::ttm_prime_dmabuf_release()
ttm_prime_handle_to_fd()
mutex_lock_interruptible(&prime->mutex)
dma_buf = prime->dma_buf
dma_buf && get_dma_buf_unless_doomed(dma_buf)
-> file_ref_get(dma_buf->file)
mutex_unlock(&prime->mutex);
mutex_lock(&prime->mutex);
if (prime->dma_buf == dma_buf)
prime->dma_buf = NULL;
mutex_unlock(&prime->mutex);
-> kmem_cache_free(file)
The logic of the mechanism is the same as for epoll: sync with
__fput() preventing the file from being freed. Here the
synchronization happens through the ttm instance's prime->mutex.
Basically, the lifetime of the dma_buf and the file are tighly
coupled.
Both (1) and (2) used to call atomic_inc_not_zero() to check whether
the file has already been marked dead and then refuse to revive it.
This is only safe because both (1) and (2) sync with __fput() and thus
prevent kmem_cache_free() on the file being called and thus prevent
the file from being immediately recycled due to SLAB_TYPESAFE_BY_RCU.
Both (1) and (2) have been ported from atomic_inc_not_zero() to
file_ref_get(). That means a file that is already in the process of
being marked as FILE_REF_DEAD:
file_ref_put()
cnt = atomic_long_dec_return()
-> __file_ref_put(cnt)
if (cnt == FIlE_REF_NOREF)
atomic_long_try_cmpxchg_release(cnt, FILE_REF_DEAD)
can be revived again:
CPU1 CPU2
file_ref_put()
cnt = atomic_long_dec_return()
-> __file_ref_put(cnt)
if (cnt == FIlE_REF_NOREF)
file_ref_get()
// Brings reference back to FILE_REF_ONEREF
atomic_long_add_negative()
atomic_long_try_cmpxchg_release(cnt, FILE_REF_DEAD)
This is fine and inherent to the file_ref_get()/file_ref_put()
semantics. For both (1) and (2) this is safe because __fput() is
prevented from making progress if file_ref_get() fails due to the
aforementioned synchronization mechanisms.
Two cases need to be considered that affect both (1) epoll and (2) ttm
dmabuf:
(i) fput()'s file_ref_put() and marks the file as FILE_REF_NOREF but
before that fput() can mark the file as FILE_REF_DEAD someone
manages to sneak in a file_ref_get() and brings the refcount back
from FILE_REF_NOREF to FILE_REF_ONEREF. In that case the original
fput() doesn't call __fput(). For epoll the poll will finish and
for ttm dmabuf the file can be used again. For ttm dambuf this is
actually an advantage because it avoids immediately allocating
a new dmabuf object.
CPU1 CPU2
file_ref_put()
cnt = atomic_long_dec_return()
-> __file_ref_put(cnt)
if (cnt == FIlE_REF_NOREF)
file_ref_get()
// Brings reference back to FILE_REF_ONEREF
atomic_long_add_negative()
atomic_long_try_cmpxchg_release(cnt, FILE_REF_DEAD)
(ii) fput()'s file_ref_put() marks the file FILE_REF_NOREF and
also suceeds in actually marking it FILE_REF_DEAD and then calls
into __fput() to free the file.
When either (1) or (2) call file_ref_get() they fail as
atomic_long_add_negative() will return true.
At the same time, both (1) and (2) all file_ref_get() under
mutexes that __fput() must also acquire preventing
kmem_cache_free() from freeing the file.
So while this might be treated as a change in semantics for (1) and
(2) it really isn't. It if should end up causing issues this can be
fixed by adding a helper that does something like:
long cnt = atomic_long_read(&ref->refcnt);
do {
if (cnt < 0)
return false;
} while (!atomic_long_try_cmpxchg(&ref->refcnt, &cnt, cnt + 1));
return true;
which would block FILE_REF_NOREF to FILE_REF_ONEREF transitions.
- Jann correctly pointed out that kmem_cache_zalloc() cannot be used
anymore once files have been ported to file_ref_t.
The kmem_cache_zalloc() call will memset() the whole struct file to
zero when it is reallocated. This will also set file->f_ref to zero
which mens that a concurrent file_ref_get() can return true:
CPU1 CPU2
__get_file_rcu()
rcu_dereference_raw()
close()
[frees file]
alloc_empty_file()
kmem_cache_zalloc()
[reallocates same file]
memset(..., 0, ...)
file_ref_get()
[increments 0->1, returns true]
init_file()
file_ref_init(..., 1)
[sets to 0]
rcu_dereference_raw()
fput()
file_ref_put()
[decrements 0->FILE_REF_NOREF, frees file]
[UAF]
causing a concurrent __get_file_rcu() call to acquire a reference to
the file that is about to be reallocated and immediately freeing it
on realizing that it has been recycled. This causes a UAF for the
task that reallocated/recycled the file.
This is prevented by switching from kmem_cache_zalloc() to
kmem_cache_alloc() and initializing the fields manually. With
file->f_ref initialized last.
Note that a memset() also isn't guaranteed to atomically update an
unsigned long so it's theoretically possible to see torn and
therefore bogus counter values.
Link: https://lore.kernel.org/r/20241007-brauner-file-rcuref-v2-3-387e24dc9163@kernel.org
Signed-off-by: Christian Brauner <brauner@kernel.org>
2024-10-07 16:23:59 +02:00
|
|
|
return file_ref_get(&dmabuf->file->f_ref);
|
2013-11-13 01:48:31 -08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* ttm_prime_refcount_release - refcount release method for a prime object.
|
|
|
|
|
*
|
|
|
|
|
* @p_base: Pointer to ttm_base_object pointer.
|
|
|
|
|
*
|
|
|
|
|
* This is a wrapper that calls the refcount_release founction of the
|
|
|
|
|
* underlying object. At the same time it cleans up the prime object.
|
|
|
|
|
* This function is called when all references to the base object we
|
|
|
|
|
* derive from are gone.
|
|
|
|
|
*/
|
|
|
|
|
static void ttm_prime_refcount_release(struct ttm_base_object **p_base)
|
|
|
|
|
{
|
|
|
|
|
struct ttm_base_object *base = *p_base;
|
|
|
|
|
struct ttm_prime_object *prime;
|
|
|
|
|
|
|
|
|
|
*p_base = NULL;
|
|
|
|
|
prime = container_of(base, struct ttm_prime_object, base);
|
|
|
|
|
BUG_ON(prime->dma_buf != NULL);
|
|
|
|
|
mutex_destroy(&prime->mutex);
|
|
|
|
|
if (prime->refcount_release)
|
|
|
|
|
prime->refcount_release(&base);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* ttm_prime_dmabuf_release - Release method for the dma-bufs we export
|
|
|
|
|
*
|
|
|
|
|
* @dma_buf:
|
|
|
|
|
*
|
|
|
|
|
* This function first calls the dma_buf release method the driver
|
|
|
|
|
* provides. Then it cleans up our dma_buf pointer used for lookup,
|
|
|
|
|
* and finally releases the reference the dma_buf has on our base
|
|
|
|
|
* object.
|
|
|
|
|
*/
|
|
|
|
|
static void ttm_prime_dmabuf_release(struct dma_buf *dma_buf)
|
|
|
|
|
{
|
|
|
|
|
struct ttm_prime_object *prime =
|
|
|
|
|
(struct ttm_prime_object *) dma_buf->priv;
|
|
|
|
|
struct ttm_base_object *base = &prime->base;
|
|
|
|
|
struct ttm_object_device *tdev = base->tfile->tdev;
|
|
|
|
|
|
|
|
|
|
if (tdev->dmabuf_release)
|
|
|
|
|
tdev->dmabuf_release(dma_buf);
|
|
|
|
|
mutex_lock(&prime->mutex);
|
|
|
|
|
if (prime->dma_buf == dma_buf)
|
|
|
|
|
prime->dma_buf = NULL;
|
|
|
|
|
mutex_unlock(&prime->mutex);
|
|
|
|
|
ttm_base_object_unref(&base);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* ttm_prime_fd_to_handle - Get a base object handle from a prime fd
|
|
|
|
|
*
|
|
|
|
|
* @tfile: A struct ttm_object_file identifying the caller.
|
|
|
|
|
* @fd: The prime / dmabuf fd.
|
|
|
|
|
* @handle: The returned handle.
|
|
|
|
|
*
|
|
|
|
|
* This function returns a handle to an object that previously exported
|
|
|
|
|
* a dma-buf. Note that we don't handle imports yet, because we simply
|
|
|
|
|
* have no consumers of that implementation.
|
|
|
|
|
*/
|
|
|
|
|
int ttm_prime_fd_to_handle(struct ttm_object_file *tfile,
|
|
|
|
|
int fd, u32 *handle)
|
|
|
|
|
{
|
|
|
|
|
struct ttm_object_device *tdev = tfile->tdev;
|
|
|
|
|
struct dma_buf *dma_buf;
|
|
|
|
|
struct ttm_prime_object *prime;
|
|
|
|
|
struct ttm_base_object *base;
|
|
|
|
|
int ret;
|
|
|
|
|
|
|
|
|
|
dma_buf = dma_buf_get(fd);
|
|
|
|
|
if (IS_ERR(dma_buf))
|
|
|
|
|
return PTR_ERR(dma_buf);
|
|
|
|
|
|
|
|
|
|
if (dma_buf->ops != &tdev->ops)
|
|
|
|
|
return -ENOSYS;
|
|
|
|
|
|
|
|
|
|
prime = (struct ttm_prime_object *) dma_buf->priv;
|
|
|
|
|
base = &prime->base;
|
2018-09-26 15:50:13 +02:00
|
|
|
*handle = base->handle;
|
2021-12-06 12:26:12 -05:00
|
|
|
ret = ttm_ref_object_add(tfile, base, NULL, false);
|
2013-11-13 01:48:31 -08:00
|
|
|
|
|
|
|
|
dma_buf_put(dma_buf);
|
|
|
|
|
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* ttm_prime_handle_to_fd - Return a dma_buf fd from a ttm prime object
|
|
|
|
|
*
|
|
|
|
|
* @tfile: Struct ttm_object_file identifying the caller.
|
|
|
|
|
* @handle: Handle to the object we're exporting from.
|
|
|
|
|
* @flags: flags for dma-buf creation. We just pass them on.
|
|
|
|
|
* @prime_fd: The returned file descriptor.
|
|
|
|
|
*
|
|
|
|
|
*/
|
|
|
|
|
int ttm_prime_handle_to_fd(struct ttm_object_file *tfile,
|
|
|
|
|
uint32_t handle, uint32_t flags,
|
|
|
|
|
int *prime_fd)
|
|
|
|
|
{
|
|
|
|
|
struct ttm_object_device *tdev = tfile->tdev;
|
|
|
|
|
struct ttm_base_object *base;
|
|
|
|
|
struct dma_buf *dma_buf;
|
|
|
|
|
struct ttm_prime_object *prime;
|
|
|
|
|
int ret;
|
|
|
|
|
|
|
|
|
|
base = ttm_base_object_lookup(tfile, handle);
|
|
|
|
|
if (unlikely(base == NULL ||
|
|
|
|
|
base->object_type != ttm_prime_type)) {
|
|
|
|
|
ret = -ENOENT;
|
|
|
|
|
goto out_unref;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
prime = container_of(base, struct ttm_prime_object, base);
|
|
|
|
|
if (unlikely(!base->shareable)) {
|
|
|
|
|
ret = -EPERM;
|
|
|
|
|
goto out_unref;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
ret = mutex_lock_interruptible(&prime->mutex);
|
|
|
|
|
if (unlikely(ret != 0)) {
|
|
|
|
|
ret = -ERESTARTSYS;
|
|
|
|
|
goto out_unref;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
dma_buf = prime->dma_buf;
|
|
|
|
|
if (!dma_buf || !get_dma_buf_unless_doomed(dma_buf)) {
|
2015-01-23 12:53:43 +05:30
|
|
|
DEFINE_DMA_BUF_EXPORT_INFO(exp_info);
|
|
|
|
|
exp_info.ops = &tdev->ops;
|
|
|
|
|
exp_info.size = prime->size;
|
|
|
|
|
exp_info.flags = flags;
|
|
|
|
|
exp_info.priv = prime;
|
2013-11-13 01:48:31 -08:00
|
|
|
|
|
|
|
|
/*
|
2021-12-06 12:26:09 -05:00
|
|
|
* Need to create a new dma_buf
|
2013-11-13 01:48:31 -08:00
|
|
|
*/
|
|
|
|
|
|
2015-01-23 12:53:43 +05:30
|
|
|
dma_buf = dma_buf_export(&exp_info);
|
2013-11-13 01:48:31 -08:00
|
|
|
if (IS_ERR(dma_buf)) {
|
|
|
|
|
ret = PTR_ERR(dma_buf);
|
|
|
|
|
mutex_unlock(&prime->mutex);
|
|
|
|
|
goto out_unref;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* dma_buf has taken the base object reference
|
|
|
|
|
*/
|
|
|
|
|
base = NULL;
|
|
|
|
|
prime->dma_buf = dma_buf;
|
|
|
|
|
}
|
|
|
|
|
mutex_unlock(&prime->mutex);
|
|
|
|
|
|
|
|
|
|
ret = dma_buf_fd(dma_buf, flags);
|
|
|
|
|
if (ret >= 0) {
|
|
|
|
|
*prime_fd = ret;
|
|
|
|
|
ret = 0;
|
|
|
|
|
} else
|
|
|
|
|
dma_buf_put(dma_buf);
|
|
|
|
|
|
|
|
|
|
out_unref:
|
|
|
|
|
if (base)
|
|
|
|
|
ttm_base_object_unref(&base);
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* ttm_prime_object_init - Initialize a ttm_prime_object
|
|
|
|
|
*
|
|
|
|
|
* @tfile: struct ttm_object_file identifying the caller
|
|
|
|
|
* @size: The size of the dma_bufs we export.
|
|
|
|
|
* @prime: The object to be initialized.
|
|
|
|
|
* @type: See ttm_base_object_init
|
|
|
|
|
* @refcount_release: See ttm_base_object_init
|
|
|
|
|
*
|
|
|
|
|
* Initializes an object which is compatible with the drm_prime model
|
|
|
|
|
* for data sharing between processes and devices.
|
|
|
|
|
*/
|
|
|
|
|
int ttm_prime_object_init(struct ttm_object_file *tfile, size_t size,
|
2024-01-26 15:08:01 -05:00
|
|
|
struct ttm_prime_object *prime,
|
2013-11-13 01:48:31 -08:00
|
|
|
enum ttm_object_type type,
|
2021-12-06 12:26:12 -05:00
|
|
|
void (*refcount_release) (struct ttm_base_object **))
|
2013-11-13 01:48:31 -08:00
|
|
|
{
|
2024-01-26 15:08:01 -05:00
|
|
|
bool shareable = !!(type == VMW_RES_SURFACE);
|
2013-11-13 01:48:31 -08:00
|
|
|
mutex_init(&prime->mutex);
|
|
|
|
|
prime->size = PAGE_ALIGN(size);
|
|
|
|
|
prime->real_type = type;
|
|
|
|
|
prime->dma_buf = NULL;
|
|
|
|
|
prime->refcount_release = refcount_release;
|
|
|
|
|
return ttm_base_object_init(tfile, &prime->base, shareable,
|
|
|
|
|
ttm_prime_type,
|
2021-12-06 12:26:12 -05:00
|
|
|
ttm_prime_refcount_release);
|
2013-11-13 01:48:31 -08:00
|
|
|
}
|