On Mon, 23 Oct 2023 14:16:06 +0200
Boris Brezillon <boris.brezil...@collabora.com> wrote:
> Hi,
>
> On Tue, 17 Oct 2023 08:09:56 -0700
> Matthew Brost <matthew.br...@intel.com> wrote:
>
> > +static void drm_sched_run_job_work(struct work_struct *w)
> > +{
> > + struct drm_gpu_scheduler *sched =
> > + container_of(w, struct drm_gpu_scheduler, work_run_job);
> > + struct drm_sched_entity *entity;
> > + struct dma_fence *fence;
> > + struct drm_sched_fence *s_fence;
> > + struct drm_sched_job *sched_job;
> > + int r;
> >
> > - atomic_inc(&sched->hw_rq_count);
> > - drm_sched_job_begin(sched_job);
> > + if (READ_ONCE(sched->pause_submit))
> > + return;
> > +
> > + entity = drm_sched_select_entity(sched, true);
> > + if (!entity)
> > + return;
> >
> > - trace_drm_run_job(sched_job, entity);
> > - fence = sched->ops->run_job(sched_job);
> > + sched_job = drm_sched_entity_pop_job(entity);
> > + if (!sched_job) {
> > complete_all(&entity->entity_idle);
> > - drm_sched_fence_scheduled(s_fence, fence);
> > + return; /* No more work */
> > + }
> >
> > - if (!IS_ERR_OR_NULL(fence)) {
> > - /* Drop for original kref_init of the fence */
> > - dma_fence_put(fence);
> > + s_fence = sched_job->s_fence;
> >
> > - r = dma_fence_add_callback(fence, &sched_job->cb,
> > - drm_sched_job_done_cb);
> > - if (r == -ENOENT)
> > - drm_sched_job_done(sched_job, fence->error);
> > - else if (r)
> > - DRM_DEV_ERROR(sched->dev, "fence add callback
> > failed (%d)\n",
> > - r);
> > - } else {
> > - drm_sched_job_done(sched_job, IS_ERR(fence) ?
> > - PTR_ERR(fence) : 0);
> > - }
> > + atomic_inc(&sched->hw_rq_count);
> > + drm_sched_job_begin(sched_job);
> >
> > - wake_up(&sched->job_scheduled);
> > + trace_drm_run_job(sched_job, entity);
> > + fence = sched->ops->run_job(sched_job);
> > + complete_all(&entity->entity_idle);
> > + drm_sched_fence_scheduled(s_fence, fence);
> > +
> > + if (!IS_ERR_OR_NULL(fence)) {
> > + /* Drop for original kref_init of the fence */
> > + dma_fence_put(fence);
> > +
> > + r = dma_fence_add_callback(fence, &sched_job->cb,
> > + drm_sched_job_done_cb);
> > + if (r == -ENOENT)
> > + drm_sched_job_done(sched_job, fence->error);
> > + else if (r)
> > + DRM_DEV_ERROR(sched->dev, "fence add callback failed
> > (%d)\n", r);
> > + } else {
> > + drm_sched_job_done(sched_job, IS_ERR(fence) ?
> > + PTR_ERR(fence) : 0);
> > }
>
> Just ran into a race condition when using a non-ordered workqueue
> for drm_sched:
>
> thread A thread B
>
> drm_sched_run_job_work()
> drm_sched_job_begin()
> // inserts jobA in pending_list
>
>
> drm_sched_free_job_work()
>
> drm_sched_get_cleanup_job()
> // check
> first job in pending list
> // if
> s_fence->parent == NULL, consider
> // for
> cleanup
>
> ->free_job(jobA)
>
> drm_sched_job_cleanup()
> // set
> sched_job->s_fence = NULL
>
> ->run_job()
> drm_sched_fence_scheduled()
Correction: the NULL pointer deref happens in drm_sched_job_done()
(when the driver returns an error directly) not in
drm_sched_fence_scheduled(), but the problem remains the same.
> // sched_job->s_fence->parent = parent_fence
> // BOOM => NULL pointer deref
>
> For now, I'll just use a dedicated ordered wq, but if we claim
> multi-threaded workqueues are supported, this is probably worth fixing.
> I know there's been some discussions about when the timeout should be
> started, and the job insertion in the pending_list is kinda related.
> If we want this insertion to happen before ->run_job() is called, we
> need a way to flag when a job is inserted, but not fully submitted yet.
>
> Regards,
>
> Boris
