Date: Fri, 6 Nov 2015 16:48:33 +0000 (UTC) From: John Baldwin <jhb@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-9@freebsd.org Subject: svn commit: r290454 - in stable: 10/sys/dev/drm2/i915 9/sys/dev/drm2/i915 Message-ID: <201511061648.tA6GmXa9076059@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: jhb Date: Fri Nov 6 16:48:33 2015 New Revision: 290454 URL: https://svnweb.freebsd.org/changeset/base/290454 Log: MFC 288452,289719: 288452: Most error cases in i915_gem_do_execbuffer() jump to one of two labels to release resources (such as unholding pages) when errors occur. Some recently added error checks return immediately instead of jumping to a label resulting in leaks. Fix these to jump to a label to do cleanup instead. Note that stable/9 does not have the "recently added" error checks, but it does have some older error checks (that were are no longer present in stable/10 and head) that have the same bug and this fixes those instead. 289719: i915_gem_do_execbuffer() holds the pages backing each relocation region for various reasons while executing user commands. After these commands are completed, the pages backing the relocation regions are unheld. Since relocation regions do not have to be page aligned, the code in validate_exec_list() allocates 2 extra page pointers in the array of held pages populated by vm_fault_quick_hold_pages(). However, the cleanup code that unheld the pages always assumed that only the buffer size / PAGE_SIZE pages were used. This meant that non-page aligned buffers would not unheld the last 1 or 2 pages in the list. Fix this by saving the number of held pages returned by vm_fault_quick_hold_pages() for each relocation region and using this count during cleanup. Modified: stable/9/sys/dev/drm2/i915/i915_gem_execbuffer.c Directory Properties: stable/9/sys/ (props changed) stable/9/sys/dev/ (props changed) Changes in other areas also in this revision: Modified: stable/10/sys/dev/drm2/i915/i915_gem_execbuffer.c Directory Properties: stable/10/ (props changed) Modified: stable/9/sys/dev/drm2/i915/i915_gem_execbuffer.c ============================================================================== --- stable/9/sys/dev/drm2/i915/i915_gem_execbuffer.c Fri Nov 6 16:43:22 2015 (r290453) +++ stable/9/sys/dev/drm2/i915/i915_gem_execbuffer.c Fri Nov 6 16:48:33 2015 (r290454) @@ -953,13 +953,15 @@ i915_gem_check_execbuffer(struct drm_i91 static int validate_exec_list(struct drm_i915_gem_exec_object2 *exec, int count, - vm_page_t ***map) + vm_page_t ***map, int **maplen) { vm_page_t *ma; int i, length, page_count; /* XXXKIB various limits checking is missing there */ *map = malloc(count * sizeof(*ma), DRM_I915_GEM, M_WAITOK | M_ZERO); + *maplen = malloc(count * sizeof(*maplen), DRM_I915_GEM, M_WAITOK | + M_ZERO); for (i = 0; i < count; i++) { /* First check for malicious input causing overflow */ if (exec[i].relocation_count > @@ -981,9 +983,10 @@ validate_exec_list(struct drm_i915_gem_e page_count = howmany(length, PAGE_SIZE) + 2; ma = (*map)[i] = malloc(page_count * sizeof(vm_page_t), DRM_I915_GEM, M_WAITOK | M_ZERO); - if (vm_fault_quick_hold_pages(&curproc->p_vmspace->vm_map, - exec[i].relocs_ptr, length, VM_PROT_READ | VM_PROT_WRITE, - ma, page_count) == -1) { + (*maplen)[i] = vm_fault_quick_hold_pages( + &curproc->p_vmspace->vm_map, exec[i].relocs_ptr, length, + VM_PROT_READ | VM_PROT_WRITE, ma, page_count); + if ((*maplen)[i] == -1) { free(ma, DRM_I915_GEM); (*map)[i] = NULL; return (-EFAULT); @@ -1130,6 +1133,7 @@ i915_gem_do_execbuffer(struct drm_device struct drm_clip_rect *cliprects = NULL; struct intel_ring_buffer *ring; vm_page_t **relocs_ma; + int *relocs_len; u32 exec_start, exec_len; u32 seqno; u32 mask; @@ -1143,7 +1147,8 @@ i915_gem_do_execbuffer(struct drm_device if (args->batch_len == 0) return (0); - ret = validate_exec_list(exec, args->buffer_count, &relocs_ma); + ret = validate_exec_list(exec, args->buffer_count, &relocs_ma, + &relocs_len); if (ret != 0) goto pre_struct_lock_err; @@ -1155,14 +1160,16 @@ i915_gem_do_execbuffer(struct drm_device case I915_EXEC_BSD: if (!HAS_BSD(dev)) { DRM_DEBUG("execbuf with invalid ring (BSD)\n"); - return -EINVAL; + ret = -EINVAL; + goto pre_struct_lock_err; } ring = &dev_priv->rings[VCS]; break; case I915_EXEC_BLT: if (!HAS_BLT(dev)) { DRM_DEBUG("execbuf with invalid ring (BLT)\n"); - return -EINVAL; + ret = -EINVAL; + goto pre_struct_lock_err; } ring = &dev_priv->rings[BCS]; break; @@ -1390,13 +1397,11 @@ struct_lock_err: pre_struct_lock_err: for (i = 0; i < args->buffer_count; i++) { if (relocs_ma[i] != NULL) { - vm_page_unhold_pages(relocs_ma[i], howmany( - exec[i].relocation_count * - sizeof(struct drm_i915_gem_relocation_entry), - PAGE_SIZE)); + vm_page_unhold_pages(relocs_ma[i], relocs_len[i]); free(relocs_ma[i], DRM_I915_GEM); } } + free(relocs_len, DRM_I915_GEM); free(relocs_ma, DRM_I915_GEM); free(cliprects, DRM_I915_GEM); return ret;
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201511061648.tA6GmXa9076059>