linux-hardened/include/drm
Daniel Vetter a8e11d1c43 drm/gem: fix up flink name create race
This is the 2nd attempt, I've always been a bit dissatisified with the
tricky nature of the first one:

http://lists.freedesktop.org/archives/dri-devel/2012-July/025451.html

The issue is that the flink ioctl can race with calling gem_close on
the last gem handle. In that case we'll end up with a zero handle
count, but an flink name (and it's corresponding reference). Which
results in a neat space leak.

In my first attempt I've solved this by rechecking the handle count.
But fundamentally the issue is that ->handle_count isn't your usual
refcount - it can be resurrected from 0 among other things.

For those special beasts atomic_t often suggest way more ordering that
it actually guarantees. To prevent being tricked by those hairy
semantics take the easy way out and simply protect the handle with the
existing dev->object_name_lock.

With that change implemented it's dead easy to fix the flink vs. gem
close reace: When we try to create the name we simply have to check
whether there's still officially a gem handle around and if not refuse
to create the flink name. Since the handle count decrement and flink
name destruction is now also protected by that lock the reace is gone
and we can't ever leak the flink reference again.

Outside of the drm core only the exynos driver looks at the handle
count, and tbh I have no idea why (it's just for debug dmesg output
luckily).

I've considered inlining the drm_gem_object_handle_free, but I plan to
add more name-like things (like the exported dma_buf) to this scheme,
so it's clearer to leave the handle freeing in its own function.

This is exercised by the new gem_flink_race i-g-t testcase, which on
my snb leaks gem objects at a rate of roughly 1k objects/s.

v2: Fix up the error path handling in handle_create and make it more
robust by simply calling object_handle_unreference.

v3: Fix up the handle_unreference logic bug - atomic_dec_and_test
retursn 1 for 0. Oops.

v4: Squash in inlining of drm_gem_object_handle_reference as suggested
by Dave Airlie and add a note that we now have a testcase.

Cc: Dave Airlie <airlied@gmail.com>
Cc: Inki Dae <inki.dae@samsung.com>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Signed-off-by: Dave Airlie <airlied@redhat.com>
2013-08-21 12:53:45 +10:00
..
i2c drm/i2c: tda998x: add video and audio input configuration 2013-08-19 09:10:32 +10:00
ttm drm/ttm: convert to unified vma offset manager 2013-07-25 20:47:07 +10:00
drm_agpsupport.h drm: provide agp dummies for CONFIG_AGP=n 2013-08-09 07:22:11 +10:00
drm_buffer.h UAPI: (Scripted) Convert #include "..." to #include <path/...> in kernel system headers 2012-10-02 18:01:25 +01:00
drm_cache.h drm/ttm: consolidate cache flushing code in one place. 2009-08-27 09:53:47 +10:00
drm_core.h drm: Fix support for PCI domains 2010-08-10 08:20:20 +10:00
drm_crtc.h drm: Remove 2 unused defines 2013-08-21 12:47:36 +10:00
drm_crtc_helper.h drm: extract drm_kms_helper_hotplug_event 2012-11-20 15:50:32 +10:00
drm_dp_helper.h drm: Added SDP and VSC structures for handling PSR for eDP 2013-07-18 09:59:21 +02:00
drm_edid.h drm: add drm_edid_to_eld helper extracting SADs from EDID (v2) 2013-04-23 18:03:58 -04:00
drm_encoder_slave.h drm: i2c encoder helper wrappers 2013-02-17 17:55:42 -05:00
drm_fb_cma_helper.h drm: Make drm_fb_cma_describe() static 2013-08-21 12:47:41 +10:00
drm_fb_helper.h drm: Remove pointless '-' characters from drm_fb_helper documentation 2013-05-10 14:46:11 +10:00
drm_fixed.h drm: add some additional fixed point helpers (v3) 2013-06-27 19:16:37 -04:00
drm_flip_work.h drm: add flip-work helper 2013-08-19 10:32:26 +10:00
drm_gem_cma_helper.h drm/gem: create drm_gem_dumb_destroy 2013-08-07 09:59:24 +10:00
drm_global.h drm: move ttm global code to core drm 2010-08-04 09:46:06 +10:00
drm_hashtab.h drm: Add a hash-tab rcu-safe API 2012-11-28 18:36:05 +10:00
drm_mem_util.h introduce SIZE_MAX 2012-05-31 17:49:26 -07:00
drm_memory.h UAPI: (Scripted) Convert #include "..." to #include <path/...> in kernel system headers 2012-10-02 18:01:25 +01:00
drm_mm.h drm/mm: remove unused API 2013-08-07 10:16:50 +10:00
drm_os_linux.h drm: Remove mtrr_add and mtrr_del fallback hack for non-MTRR systems 2013-05-31 13:37:37 +10:00
drm_pciids.h drm: Remove unused PCI ids 2013-08-21 12:47:45 +10:00
drm_rect.h drm: Fix drm_rect documentation 2013-05-23 12:51:32 +02:00
drm_sysfs.h drm: Enable drm drivers to add drm sysfs devices. 2009-08-19 16:08:51 +10:00
drm_usb.h drm: add usb framework 2011-02-07 13:09:42 +10:00
drm_vma_manager.h drm/vma: provide drm_vma_node_unmap() helper 2013-07-25 20:47:08 +10:00
drmP.h drm/gem: fix up flink name create race 2013-08-21 12:53:45 +10:00
exynos_drm.h drm/exynos: change file license to GPL 2013-01-04 15:54:32 +09:00
gma_drm.h gma500: fix ioctl confict 2012-03-10 13:06:04 +00:00
i915_drm.h UAPI: (Scripted) Disintegrate include/drm 2012-10-04 18:21:50 +01:00
i915_powerwell.h i915/drm: Add private api for power well usage 2013-06-06 17:32:16 +02:00
intel-gtt.h drm/i915: Fix gen2 mappable calculations 2013-02-15 10:30:38 +01:00