From owner-freebsd-x11@FreeBSD.ORG Mon Jul 16 12:22:57 2007 Return-Path: X-Original-To: x11@freebsd.org Delivered-To: freebsd-x11@FreeBSD.ORG Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 9E5BE16A402 for ; Mon, 16 Jul 2007 12:22:57 +0000 (UTC) (envelope-from kostikbel@gmail.com) Received: from relay01.kiev.sovam.com (relay01.kiev.sovam.com [62.64.120.200]) by mx1.freebsd.org (Postfix) with ESMTP id 30C5813C4A7 for ; Mon, 16 Jul 2007 12:22:57 +0000 (UTC) (envelope-from kostikbel@gmail.com) Received: from [89.162.146.170] (helo=skuns.kiev.zoral.com.ua) by relay01.kiev.sovam.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.67) (envelope-from ) id 1IAOCp-0009Ox-Uz for x11@freebsd.org; Mon, 16 Jul 2007 13:53:33 +0300 Received: from deviant.kiev.zoral.com.ua (root@[10.1.1.148]) by skuns.kiev.zoral.com.ua (8.14.1/8.14.1) with ESMTP id l6GArHJ2019606 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 16 Jul 2007 13:53:18 +0300 (EEST) (envelope-from kostikbel@gmail.com) Received: from deviant.kiev.zoral.com.ua (kostik@localhost [127.0.0.1]) by deviant.kiev.zoral.com.ua (8.14.1/8.14.1) with ESMTP id l6GArHqR087207; Mon, 16 Jul 2007 13:53:17 +0300 (EEST) (envelope-from kostikbel@gmail.com) Received: (from kostik@localhost) by deviant.kiev.zoral.com.ua (8.14.1/8.14.1/Submit) id l6GArGWd087206; Mon, 16 Jul 2007 13:53:16 +0300 (EEST) (envelope-from kostikbel@gmail.com) X-Authentication-Warning: deviant.kiev.zoral.com.ua: kostik set sender to kostikbel@gmail.com using -f Date: Mon, 16 Jul 2007 13:53:16 +0300 From: Kostik Belousov To: Ganbold Message-ID: <20070716105316.GT2200@deviant.kiev.zoral.com.ua> References: <469B17BB.9050305@micom.mng.net> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="4QsEYJIjMB+yaydW" Content-Disposition: inline In-Reply-To: <469B17BB.9050305@micom.mng.net> User-Agent: Mutt/1.4.2.3i X-Virus-Scanned: ClamAV version 0.90.3, clamav-milter version 0.90.3 on skuns.kiev.zoral.com.ua X-Virus-Status: Clean X-Spam-Status: No, score=-1.4 required=5.0 tests=ALL_TRUSTED autolearn=failed version=3.2.1 X-Spam-Checker-Version: SpamAssassin 3.2.1 (2007-05-02) on skuns.kiev.zoral.com.ua X-Scanner-Signature: 7e4b90b1bf9187ce17d34ee26eea9ec0 X-DrWeb-checked: yes X-SpamTest-Envelope-From: kostikbel@gmail.com X-SpamTest-Group-ID: 00000000 X-SpamTest-Header: Not Detected X-SpamTest-Info: Profiles 1223 [July 16 2007] X-SpamTest-Info: helo_type=3 X-SpamTest-Method: none X-SpamTest-Rate: 0 X-SpamTest-Status: Not detected X-SpamTest-Status-Extended: not_detected X-SpamTest-Version: SMTP-Filter Version 3.0.0 [0255], KAS30/Release Cc: x11@freebsd.org Subject: Re: LOR when running google-earth X-BeenThere: freebsd-x11@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: X11 on FreeBSD -- maintaining and support List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 16 Jul 2007 12:22:57 -0000 --4QsEYJIjMB+yaydW Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable [Redirected to x11@] On Mon, Jul 16, 2007 at 03:01:15PM +0800, Ganbold wrote: > Hi, >=20 > I'm having LOR when I try to run google-earth. I have Intel 945GM=20 > graphic card. >=20 > devil# uname -an > FreeBSD devil.micom.mng.net 7.0-CURRENT FreeBSD 7.0-CURRENT #1: Tue Jul= =20 > 10 10:44:42 ULAT 2007 =20 > root@devil.micom.mng.net:/usr/obj/usr/src/sys/DEVIL i386 > devil# >=20 >=20 > lock order reversal: (sleepable after non-sleepable) > 1st 0xc3c06cd8 drm device (drm device) @=20 > /usr/src/sys/modules/drm/drm/../../../dev/drm/drm_drv.c:907 > 2nd 0xc3e6ea3c user map (user map) @ /usr/src/sys/vm/vm_glue.c:182 > KDB: stack backtrace: > db_trace_self_wrapper(c08a3fa4,e6450a44,c066992e,c08a6485,c3e6ea3c,...)= =20 > at db_trace_self_wrapper+0x26 > kdb_backtrace(c08a6485,c3e6ea3c,c08be517,c08be517,c08bdfed,...) at=20 > kdb_backtrace+0x29 > witness_checkorder(c3e6ea3c,9,c08bdfed,b6,c435a000,...) at=20 > witness_checkorder+0x6de > _sx_xlock(c3e6ea3c,0,c08bdfed,b6,e6450aa8,...) at _sx_xlock+0x7d > _vm_map_lock_read(c3e6e9f8,c08bdfed,b6,c435a000,a60,...) at=20 > _vm_map_lock_read+0x50 > useracc(4ce1ede8,8,1,f5,c09ce1bc,...) at useracc+0x65 > i915_cmdbuffer(c3bf3800,8018644b,c43814a0,3,c435a000,...) at=20 > i915_cmdbuffer+0x10f > drm_ioctl(c3bf3800,8018644b,c43814a0,3,c435a000,...) at drm_ioctl+0x357 > giant_ioctl(c3bf3800,8018644b,c43814a0,3,c435a000,...) at giant_ioctl+0x56 > devfs_ioctl_f(c4cdd1b0,8018644b,c43814a0,c4356700,c435a000,...) at=20 > devfs_ioctl_f+0xc9 > kern_ioctl(c435a000,9,8018644b,c43814a0,450c4c,...) at kern_ioctl+0x243 > ioctl(c435a000,e6450cfc,e6450c80,c4022e4a,c435a000,...) at ioctl+0x134 > linux_ioctl_drm(c435a000,e6450cfc,c4030c45,a2f,c435a000,...) at=20 > linux_ioctl_drm+0x2f > linux_ioctl(c435a000,e6450cfc,e6450cf8,e6450d1c,c4032dd0,...) at=20 > linux_ioctl+0xca > syscall(e6450d38) at syscall+0x2b3 > Xint0x80_syscall() at Xint0x80_syscall+0x20 > --- syscall (54, Linux ELF, linux_ioctl), eip =3D 0x49ea95f4, esp =3D=20 > 0xbfbfdf44, ebp =3D 0xbfbfdf64 --- > KDB: enter: witness_checkorder > [thread pid 899 tid 100122 ] > Stopped at kdb_enter+0x32: leave > db> bt > Tracing pid 899 tid 100122 td 0xc435a000 > kdb_enter(c0861150,c3e6ea3c,c08be517,c08be517,c08bdfed,...) at=20 > kdb_enter+0x32 > witness_checkorder(c3e6ea3c,9,c08bdfed,b6,c435a000,...) at=20 > witness_checkorder+0x6f3 > _sx_xlock(c3e6ea3c,0,c08bdfed,b6,e6450aa8,...) at _sx_xlock+0x7d > _vm_map_lock_read(c3e6e9f8,c08bdfed,b6,c435a000,a60,...) at=20 > _vm_map_lock_read+0x50 > useracc(4ce1ede8,8,1,f5,c09ce1bc,...) at useracc+0x65 > i915_cmdbuffer(c3bf3800,8018644b,c43814a0,3,c435a000,...) at=20 > i915_cmdbuffer+0x10f > drm_ioctl(c3bf3800,8018644b,c43814a0,3,c435a000,...) at drm_ioctl+0x357 > giant_ioctl(c3bf3800,8018644b,c43814a0,3,c435a000,...) at giant_ioctl+0x56 > devfs_ioctl_f(c4cdd1b0,8018644b,c43814a0,c4356700,c435a000,...) at=20 > devfs_ioctl_f+0xc9 > kern_ioctl(c435a000,9,8018644b,c43814a0,450c4c,...) at kern_ioctl+0x243 > ioctl(c435a000,e6450cfc,e6450c80,c4022e4a,c435a000,...) at ioctl+0x134 > linux_ioctl_drm(c435a000,e6450cfc,c4030c45,a2f,c435a000,...) at=20 > linux_ioctl_drm+0x2f > linux_ioctl(c435a000,e6450cfc,e6450cf8,e6450d1c,c4032dd0,...) at=20 > linux_ioctl+0xca > syscall(e6450d38) at syscall+0x2b3 > Xint0x80_syscall() at Xint0x80_syscall+0x20 > --- syscall (54, Linux ELF, linux_ioctl), eip =3D 0x49ea95f4, esp =3D=20 > 0xbfbfdf44, ebp =3D 0xbfbfdf64 --- > db> c The use of useracc() seems to be racy and not complete. Below is the patch that could fix the LOR and add missing checks, hopefully, in race free way. Patch wires the ranges that are accessed under the drm lock with the help of the vslock(). Patch was only compile-tested. diff --git a/sys/dev/drm/i915_dma.c b/sys/dev/drm/i915_dma.c index dfaf334..431a2f9 100644 --- a/sys/dev/drm/i915_dma.c +++ b/sys/dev/drm/i915_dma.c @@ -367,20 +367,14 @@ static int i915_emit_cmds(drm_device_t * dev, int __u= ser * buffer, int dwords) for (i =3D 0; i < dwords;) { int cmd, sz; =20 - if (DRM_COPY_FROM_USER_UNCHECKED(&cmd, &buffer[i], sizeof(cmd))) { - - return DRM_ERR(EINVAL); - } + cmd =3D buffer[i]; if ((sz =3D validate_cmd(cmd)) =3D=3D 0 || i + sz > dwords) return DRM_ERR(EINVAL); =20 OUT_RING(cmd); =20 while (++i, --sz) { - if (DRM_COPY_FROM_USER_UNCHECKED(&cmd, &buffer[i], - sizeof(cmd))) { - return DRM_ERR(EINVAL); - } + cmd =3D buffer[i]; OUT_RING(cmd); } } @@ -401,10 +395,7 @@ static int i915_emit_box(drm_device_t * dev, drm_clip_rect_t box; RING_LOCALS; =20 - if (DRM_COPY_FROM_USER_UNCHECKED(&box, &boxes[i], sizeof(box))) { - return EFAULT; - } - + box =3D boxes[i]; if (box.y2 <=3D box.y1 || box.x2 <=3D box.x1 || box.y2 <=3D 0 || box.x2 <= =3D 0) { DRM_ERROR("Bad box %d,%d..%d,%d\n", box.x1, box.y1, box.x2, box.y2); @@ -604,6 +595,7 @@ static int i915_batchbuffer(DRM_IOCTL_ARGS) drm_i915_sarea_t *sarea_priv =3D (drm_i915_sarea_t *) dev_priv->sarea_priv; drm_i915_batchbuffer_t batch; + size_t cliplen; int ret; =20 if (!dev_priv->allow_batchbuffer) { @@ -619,12 +611,22 @@ static int i915_batchbuffer(DRM_IOCTL_ARGS) =20 LOCK_TEST_WITH_RETURN(dev, filp); =20 + DRM_UNLOCK(); + cliplen =3D batch.num_cliprects * sizeof(drm_clip_rect_t);=09 if (batch.num_cliprects && DRM_VERIFYAREA_READ(batch.cliprects, - batch.num_cliprects * - sizeof(drm_clip_rect_t))) + cliplen)) { + DRM_LOCK(); return DRM_ERR(EFAULT); - + } + ret =3D vslock(batch.cliprects, cliplen); + if (ret) { + DRM_ERROR("Fault wiring cliprects\n"); + DRM_LOCK(); + return DRM_ERR(EFAULT); + } + DRM_LOCK(); ret =3D i915_dispatch_batchbuffer(dev, &batch); + vsunlock(batch.cliprects, cliplen); =20 sarea_priv->last_dispatch =3D (int)hw_status[5]; return ret; @@ -638,6 +640,7 @@ static int i915_cmdbuffer(DRM_IOCTL_ARGS) drm_i915_sarea_t *sarea_priv =3D (drm_i915_sarea_t *) dev_priv->sarea_priv; drm_i915_cmdbuffer_t cmdbuf; + size_t cliplen; int ret; =20 DRM_COPY_FROM_USER_IOCTL(cmdbuf, (drm_i915_cmdbuffer_t __user *) data, @@ -648,15 +651,31 @@ static int i915_cmdbuffer(DRM_IOCTL_ARGS) =20 LOCK_TEST_WITH_RETURN(dev, filp); =20 + DRM_UNLOCK(); + cliplen =3D cmdbuf.num_cliprects * sizeof(drm_clip_rect_t); if (cmdbuf.num_cliprects && - DRM_VERIFYAREA_READ(cmdbuf.cliprects, - cmdbuf.num_cliprects * - sizeof(drm_clip_rect_t))) { + DRM_VERIFYAREA_READ(cmdbuf.cliprects, cliplen)) { DRM_ERROR("Fault accessing cliprects\n"); + DRM_LOCK(); return DRM_ERR(EFAULT); } - + ret =3D vslock(cmdbuf.cliprects, cliplen); + if (ret) { + DRM_ERROR("Fault wiring cliprects\n"); + DRM_LOCK(); + return DRM_ERR(EFAULT); + } + ret =3D vslock(cmdbuf.buf, cmdbuf.sz); + if (ret) { + vsunlock(cmdbuf.cliprects, cliplen); + DRM_ERROR("Fault wiring cmds\n"); + DRM_LOCK(); + return DRM_ERR(EFAULT); + } + DRM_LOCK(); ret =3D i915_dispatch_cmdbuffer(dev, &cmdbuf); + vsunlock(cmdbuf.buf, cmdbuf.sz); + vsunlock(cmdbuf.cliprects, cliplen); if (ret) { DRM_ERROR("i915_dispatch_cmdbuffer failed\n"); return ret; --4QsEYJIjMB+yaydW Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (FreeBSD) iD8DBQFGm04bC3+MBN1Mb4gRArugAJwIZn1piJR61eTQLUQjVBSp40GuLACfWrIZ spxxfoxtQAE6+Hpa1lrc8G0= =Si95 -----END PGP SIGNATURE----- --4QsEYJIjMB+yaydW--