
Commit 9ad6d99

vsyrjaladanvet
authored andcommitted
drm/i915: Make i915_pipe_crc_read() oops proof
Currently i915_pipe_crc_read() will drop pipe_crc->lock for the entire duration of the copy_to_user() loop, which means it'll access pipe_crc->entries without any protection. If another thread sneaks in and frees pipe_crc->entries the code will oops. Reorganize the code to hold the lock around everything except copy_to_user(). After the copy the lock is reacquired and the number of available entries is rechecked. Since this is a debug feature simplify the error handling a bit by consuming the crc entry even if copy_to_user() would fail. Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com> Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
1 parent 3cf54b3 commit 9ad6d99


1 file changed

+22
-17
lines changed


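--- a/drivers/gpu/drm/i915/i915_debugfs.c
+++ b/drivers/gpu/drm/i915/i915_debugfs.c
@@ -2858,7 +2858,7 @@ i915_pipe_crc_read(struct file *filep, char __user *user_buf, size_t count,
 struct drm_i915_private *dev_priv = dev->dev_private;
 struct intel_pipe_crc *pipe_crc = &dev_priv->pipe_crc[info->pipe];
 char buf[PIPE_CRC_BUFFER_LEN];
-int head, tail, n_entries, n;
+int n_entries;
 ssize_t bytes_read;
 
 /*
@@ -2890,36 +2890,39 @@ i915_pipe_crc_read(struct file *filep, char __user *user_buf, size_t count,
 }
 
 /* We now have one or more entries to read */
-head = pipe_crc->head;
-tail = pipe_crc->tail;
-n_entries = min((size_t)CIRC_CNT(head, tail, INTEL_PIPE_CRC_ENTRIES_NR),
-count / PIPE_CRC_LINE_LEN);
-spin_unlock_irq(&pipe_crc->lock);
+n_entries = count / PIPE_CRC_LINE_LEN;
 
 bytes_read = 0;
-n = 0;
-do {
-struct intel_pipe_crc_entry *entry = &pipe_crc->entries[tail];
+while (n_entries > 0) {
+struct intel_pipe_crc_entry *entry =
+&pipe_crc->entries[pipe_crc->tail];
 int ret;
 
+if (CIRC_CNT(pipe_crc->head, pipe_crc->tail,
+INTEL_PIPE_CRC_ENTRIES_NR) < 1)
+break;
+
+BUILD_BUG_ON_NOT_POWER_OF_2(INTEL_PIPE_CRC_ENTRIES_NR);
+pipe_crc->tail = (pipe_crc->tail + 1) & (INTEL_PIPE_CRC_ENTRIES_NR - 1);
+
 bytes_read += snprintf(buf, PIPE_CRC_BUFFER_LEN,
 "%8u %8x %8x %8x %8x %8x\n",
 entry->frame, entry->crc[0],
 entry->crc[1], entry->crc[2],
 entry->crc[3], entry->crc[4]);
 
-ret = copy_to_user(user_buf + n * PIPE_CRC_LINE_LEN,
-buf, PIPE_CRC_LINE_LEN);
+spin_unlock_irq(&pipe_crc->lock);
+
+ret = copy_to_user(user_buf, buf, PIPE_CRC_LINE_LEN);
 if (ret == PIPE_CRC_LINE_LEN)
 return -EFAULT;
 
-BUILD_BUG_ON_NOT_POWER_OF_2(INTEL_PIPE_CRC_ENTRIES_NR);
-tail = (tail + 1) & (INTEL_PIPE_CRC_ENTRIES_NR - 1);
-n++;
-} while (--n_entries);
+user_buf += PIPE_CRC_LINE_LEN;
+n_entries--;
+
+spin_lock_irq(&pipe_crc->lock);
+}
 
-spin_lock_irq(&pipe_crc->lock);
-pipe_crc->tail = tail;
 spin_unlock_irq(&pipe_crc->lock);
 
 return bytes_read;
@@ -3458,6 +3461,8 @@ static int pipe_crc_set_source(struct drm_device *dev, enum pipe pipe,
 spin_lock_irq(&pipe_crc->lock);
 entries = pipe_crc->entries;
 pipe_crc->entries = NULL;
+pipe_crc->head = 0;
+pipe_crc->tail = 0;
 spin_unlock_irq(&pipe_crc->lock);
 
 kfree(entries);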
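Review bot: The `if (ret == PIPE_CRC_LINE_LEN)` test after the new `copy_to_user(user_buf, buf, PIPE_CRC_LINE_LEN)` call in the i915_pipe_crc_read() loop only catches a copy that failed completely. copy_to_user() returns the number of bytes it could not copy, so a partial fault falls through: `user_buf` is advanced and the line stays counted in `bytes_read` although userspace did not receive all of it. Since the commit already accepts consuming the entry on failure, the check can simply be `if (ret) return -EFAULT;`. Separately, `entry` is derived from `pipe_crc->entries` before the CIRC_CNT() emptiness check, which appears safe only because pipe_crc_set_source() now zeroes head and tail under the same lock; a comment above the check such as `/* entries may be NULL after relocking; head == tail makes us break before dereferencing it */` would record that dependency. The function body starts outside the hunk, so the wait path that takes the lock before the loop could not be checked here.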
