winsys/radeon: fix radeon_winsys_bo_from_handle() related race condition

This change prevents the reuse of the bo when the counter is already
zero. At zero, the bo is in a state where the deletion is pending,
and this implementation relying on an atomic counter can't be safely
stopped. In other words, the previous fix ccd3bb4548 lower the
probability of this race condition, but doesn't fix it.

This change prevents a race condition which has a high probability
on r600 with the test below. This change was tested with the thread
sanitizer.

For instance, this issue is triggered on r600 with
"piglit/bin/ext_image_dma_buf_import-refcount-multithread -auto":
==9876==ERROR: AddressSanitizer: heap-use-after-free on address 0x60d000021a20 at pc 0x7f2c9f59f748 bp 0x7f2c8f3aa600 sp 0x7f2c8f3aa5f8
READ of size 4 at 0x60d000021a20 thread T6
    #0 0x7f2c9f59f747 in pipe_is_referenced ../src/gallium/auxiliary/util/u_inlines.h:65
    #1 0x7f2c9f59f747 in radeon_bo_destroy ../src/gallium/winsys/radeon/drm/radeon_drm_bo.c:342
    #2 0x7f2c9f63b541 in radeon_bo_reference ../src/gallium/include/winsys/radeon_winsys.h:794
    #3 0x7f2c9f63b541 in r600_texture_destroy ../src/gallium/drivers/r600/r600_texture.c:571
    #4 0x7f2c9d65662d in pipe_resource_destroy ../src/gallium/auxiliary/util/u_inlines.h:146
    #5 0x7f2c9d65662d in pipe_resource_reference ../src/gallium/auxiliary/util/u_inlines.h:163
    #6 0x7f2c9d65662d in st_FreeTextureImageBuffer ../src/mesa/state_tracker/st_cb_texture.c:459
    #7 0x7f2c9d5b6991 in _mesa_delete_texture_image ../src/mesa/main/teximage.c:226
    #8 0x7f2c9d5f2593 in _mesa_delete_texture_object ../src/mesa/main/texobj.c:532
    #9 0x7f2c9d5f2be7 in _mesa_reference_texobj_ ../src/mesa/main/texobj.c:639
    #10 0x7f2c9d5f3773 in _mesa_reference_texobj ../src/mesa/main/texobj.h:92
    #11 0x7f2c9d5f3773 in delete_textures ../src/mesa/main/texobj.c:1578

0x60d000021a20 is located 0 bytes inside of 144-byte region [0x60d000021a20,0x60d000021ab0)
freed by thread T5 here:
    #0 0x7f2ca8b2b4f7 in free (/usr/lib64/libasan.so.6+0xb14f7)
    #1 0x7f2c9f59efb3 in radeon_bo_destroy ../src/gallium/winsys/radeon/drm/radeon_drm_bo.c:401
    #2 0x7f2c9f63b541 in radeon_bo_reference ../src/gallium/include/winsys/radeon_winsys.h:794
    #3 0x7f2c9f63b541 in r600_texture_destroy ../src/gallium/drivers/r600/r600_texture.c:571
    #4 0x7f2c9d65662d in pipe_resource_destroy ../src/gallium/auxiliary/util/u_inlines.h:146
    #5 0x7f2c9d65662d in pipe_resource_reference ../src/gallium/auxiliary/util/u_inlines.h:163
    #6 0x7f2c9d65662d in st_FreeTextureImageBuffer ../src/mesa/state_tracker/st_cb_texture.c:459
    #7 0x7f2c9d5b6991 in _mesa_delete_texture_image ../src/mesa/main/teximage.c:226
    #8 0x7f2c9d5f2593 in _mesa_delete_texture_object ../src/mesa/main/texobj.c:532
    #9 0x7f2c9d5f2be7 in _mesa_reference_texobj_ ../src/mesa/main/texobj.c:639
    #10 0x7f2c9d5f3773 in _mesa_reference_texobj ../src/mesa/main/texobj.h:92
    #11 0x7f2c9d5f3773 in delete_textures ../src/mesa/main/texobj.c:1578

previously allocated by thread T6 here:
    #0 0x7f2ca8b2b9a7 in calloc (/usr/lib64/libasan.so.6+0xb19a7)
    #1 0x7f2c9f5a36d5 in radeon_winsys_bo_from_handle ../src/gallium/winsys/radeon/drm/radeon_drm_bo.c:1198
    #2 0x7f2c9f641b2a in r600_texture_from_handle ../src/gallium/drivers/r600/r600_texture.c:1105
    #3 0x7f2c9d47550a in dri_create_image_from_winsys ../src/gallium/frontends/dri/dri2.c:1007
    #4 0x7f2c9d47eeb9 in dri2_from_dma_bufs ../src/gallium/frontends/dri/dri2.c:1629
    #5 0x7f2ca8854360 in dri2_create_image_dma_buf ../src/egl/drivers/dri2/egl_dri2.c:2564
    #6 0x7f2ca8854f45 in dri2_create_image_khr ../src/egl/drivers/dri2/egl_dri2.c:2817
    #7 0x7f2ca8846f2c in dri2_create_image ../src/egl/drivers/dri2/egl_dri2.c:1864
    #8 0x7f2ca87f9dd8 in _eglCreateImageCommon ../src/egl/main/eglapi.c:1850

Fixes: ccd3bb4548 ("winsys/radeon: fix a race between bo import and destroy")
Signed-off-by: Patrick Lerda <patrick9876@free.fr>
Reviewed-by: Marek Olšák <marek.olsak@amd.com>
Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/32896>

This commit is contained in:

Patrick Lerda

2025-01-03 13:23:09 +01:00

committed by

Marge Bot

parent 9f08c8bd0f

commit c6bcf88949

1 changed files with 6 additions and 7 deletions

									
										13

src/gallium/winsys/radeon/drm/radeon_drm_bo.c
									
												View File
												
				@@ -338,11 +338,6 @@ void radeon_bo_destroy(void *winsys, struct pb_buffer_lean *_buf)

				   memset(&args, 0, sizeof(args));

				   mtx_lock(&rws->bo_handles_mutex);

				   /* radeon_winsys_bo_from_handle might have revived the bo */

				   if (pipe_is_referenced(&bo->base.reference)) {

				      mtx_unlock(&rws->bo_handles_mutex);

				      return;

				   }

				   _mesa_hash_table_remove_key(rws->bo_handles, (void*)(uintptr_t)bo->handle);

				   if (bo->flink_name) {

				      _mesa_hash_table_remove_key(rws->bo_names,

				@@ -1190,8 +1185,12 @@ static struct pb_buffer_lean *radeon_winsys_bo_from_handle(struct radeon_winsys

				   if (bo) {

				      /* Increase the refcount. */

				      p_atomic_inc(&bo->base.reference.count);

				      goto done;

				      if (unlikely(p_atomic_inc_return(&bo->base.reference.count) == 1)) {

				         p_atomic_dec(&bo->base.reference.count);

				         assert(p_atomic_read(&bo->base.reference.count) == 0);

				      } else {

				         goto done;

				      }

				   }

				   /* There isn't, create a new one. */

winsys/radeon: fix radeon_winsys_bo_from_handle() related race condition

13 src/gallium/winsys/radeon/drm/radeon_drm_bo.c Unescape Escape View File

13

src/gallium/winsys/radeon/drm/radeon_drm_bo.c

View File