drm: Fix a race in drm_fstub_do_mmap() #2325

markjdb · 2025-02-12T22:17:59Z

This should fix a crash reported by Graeme. The race is very clear from the crashdump. We have the panicking thread:

#3  0xffff000000589c70 in panic (fmt=0xffff000000ae7087 [rR,0xffff000000ae7087-0xffff000000ae70b4] (invalid) "vm_object_reference: Referenced dead object.") at /local/scratch/jenkins/workspace/CheriBSD-pipeline_dev@2/cheribsd/sys/kern/kern_shutdown.c:916
#4  0xffff0000008de56c in vm_object_reference (object=0xffffa08755d0fba0 [rwRW,0xffffa08755d0fba0-0xffffa08755d0fd90] (invalid)) at /local/scratch/jenkins/workspace/CheriBSD-pipeline_dev@2/cheribsd/sys/vm/vm_object.c:516
#5  0xffff0000001d8b58 in drm_fstub_do_mmap (file=<optimized out>, fops=<optimized out>, foff=0xffff000132a310a8 [rwxRWE,0xffff000132a310a8-0xffff000132a310b0] (invalid), size=4096, obj=0xffff000132a31080 [rwxRWE,0xffff000132a31080-0xffff000132a31090] (invalid), prot=0 '\000', 
    td=0xffff000183382000 [rwRW,0xffff000183382000-0xffff000183382970] (invalid)) at /local/scratch/jenkins/workspace/CheriBSD-pipeline_dev@2/cheribsd/sys/dev/drm/freebsd/drm_os_freebsd.c:485
#6  0xffff0000001d8760 in drm_fstub_mmap (file=0xffffa0801517fbd0 [rwRW,0xffffa0801517fbd0-0xffffa0801517fc60] (invalid), map=0xffff000183304a40 [rwRW,0xffff000183304a40-0xffff000183304d20] (invalid), addr=0xffff000132a31220 [rwxRWE,0xffff000132a31220-0xffff000132a31230] (invalid), max_addr=18446639070354074448, 
    size=18446462598749952016, prot=208 '\320', cap_maxprot=<optimized out>, flags=1, foff=5446848512, td=0xffff000183382000 [rwRW,0xffff000183382000-0xffff000183382970] (invalid)) at /local/scratch/jenkins/workspace/CheriBSD-pipeline_dev@2/cheribsd/sys/dev/drm/freebsd/drm_os_freebsd.c:606
#7  0xffff0000008db198 in fo_mmap (fp=0x1, map=0xffff00000116b1d0 <dumping> [rwRW,0xffff00000116b1d0-0xffff00000116b1d4] (invalid), addr=0xffff000001051810 <dumper_configs> [rwRW,0xffff000001051810-0xffff000001051830] (invalid), max_addr=281474976710656, size=4096, flags=1048577, foff=18446462598744086143, 
    td=0xffff000183382000 [rwRW,0xffff000183382000-0xffff000183382970] (invalid), prot=<optimized out>, cap_maxprot=<optimized out>) at /local/scratch/jenkins/workspace/CheriBSD-pipeline_dev@2/cheribsd/sys/sys/file.h:449
#8  kern_mmap (td=0xffff000183382000 [rwRW,0xffff000183382000-0xffff000183382970] (invalid), mrp=0xffff000132a31340 [rwxRWE,0xffff000132a31340-0xffff000132a31390] (invalid)) at /local/scratch/jenkins/workspace/CheriBSD-pipeline_dev@2/cheribsd/sys/vm/vm_mmap.c:744

and one of the other on-CPU threads was invoking the VM object destructor:

#0  0xffff00000092ce5c in ipi_stop (dummy=<optimized out>) at /local/scratch/jenkins/workspace/CheriBSD-pipeline_dev@2/cheribsd/sys/arm64/arm64/mp_machdep.c:339
#1  0xffff0000009220e4 in arm_gic_v3_intr (arg=0xffffa0800940a300 [rwRW,0xffffa0800940a300-0xffffa0800940a480] (invalid)) at /local/scratch/jenkins/workspace/CheriBSD-pipeline_dev@2/cheribsd/sys/arm64/arm64/gic_v3.c:637
#2  0xffff000000905b90 in intr_irq_handler (tf=0xffff000132a7df90 [rwxRWE,0xffff000132a7a000-0xffff000132a80000] (invalid)) at /local/scratch/jenkins/workspace/CheriBSD-pipeline_dev@2/cheribsd/sys/kern/subr_intr.c:345
#3  <signal handler called>
#4  lock_delay (la=0xffff000132a7e300 [rwxRWE,0xffff000132a7e300-0xffff000132a7e320] (invalid)) at /local/scratch/jenkins/workspace/CheriBSD-pipeline_dev@2/cheribsd/sys/kern/subr_lock.c:125
#5  0xffff00000059601c in _sx_xlock_hard (sx=0xffff00000132c8a0 <drm_vma_lock> [rwRW,0xffff00000132c8a0-0xffff00000132c8e0] (invalid), x=0xffff000183382000 [rwRW,0xffff000183382000-0xffff000183382970] (invalid) , opts=<optimized out>, file=<optimized out>, line=<optimized out>)
    at /local/scratch/jenkins/workspace/CheriBSD-pipeline_dev@2/cheribsd/sys/kern/kern_sx.c:689
#6  0xffff0000005959e4 in _sx_xlock (sx=0xffff00000132c8a0 <drm_vma_lock> [rwRW,0xffff00000132c8a0-0xffff00000132c8e0] (invalid), opts=18275328, 
    file=0xffff000000ae1e13 [rR,0xffff000000ae1e13-0xffff000000ae1e7a] (invalid) "/local/scratch/jenkins/workspace/CheriBSD-pipeline_dev@2/cheribsd/sys/dev/drm/freebsd/drm_os_freebsd.c", line=1) at /local/scratch/jenkins/workspace/CheriBSD-pipeline_dev@2/cheribsd/sys/kern/kern_sx.c:329
#7  0xffff0000001d8ccc in drm_cdev_pager_dtor (handle=0xffffa0861eb09c00 [rwRW,0xffffa0861eb09c00-0xffffa0861eb0a000] (invalid)) at /local/scratch/jenkins/workspace/CheriBSD-pipeline_dev@2/cheribsd/sys/dev/drm/freebsd/drm_os_freebsd.c:391
#8  0xffff0000008ae3d0 in phys_pager_dealloc (object=0xffffa08755d0fba0 [rwRW,0xffffa08755d0fba0-0xffffa08755d0fd90] (invalid)) at /local/scratch/jenkins/workspace/CheriBSD-pipeline_dev@2/cheribsd/sys/vm/phys_pager.c:164
#9  0xffff0000008decbc in vm_object_terminate (object=0xffffa08755d0fba0 [rwRW,0xffffa08755d0fba0-0xffffa08755d0fd90] (invalid)) at /local/scratch/jenkins/workspace/CheriBSD-pipeline_dev@2/cheribsd/sys/vm/vm_object.c:976
#10 0xffff0000008de8c8 in vm_object_deallocate (object=0xffffa08755d0fba0 [rwRW,0xffffa08755d0fba0-0xffffa08755d0fd90] (invalid)) at /local/scratch/jenkins/workspace/CheriBSD-pipeline_dev@2/cheribsd/sys/vm/vm_object.c:696
#11 0xffff0000008cc0a8 in vm_map_entry_deallocate (entry=0xffffa0875b325dd0 [rwRW,0xffffa0875b325dd0-0xffffa0875b325ea0] (invalid), system_map=0) at /local/scratch/jenkins/workspace/CheriBSD-pipeline_dev@2/cheribsd/sys/vm/vm_map.c:4571
#12 vm_map_process_deferred () at /local/scratch/jenkins/workspace/CheriBSD-pipeline_dev@2/cheribsd/sys/vm/vm_map.c:714
#13 0xffff0000008d5fc4 in _vm_map_unlock (map=0xffff00018331c180 [rwRW,0xffff00018331c180-0xffff00018331c460] (invalid), file=0xffff000000b5eb2e [rR,0xffff000000b5eb2e-0xffff000000b5eb80] (invalid) "/local/scratch/jenkins/workspace/CheriBSD-pipeline_dev@2/cheribsd/sys/vm/vm_map.c", line=4887)
    at /local/scratch/jenkins/workspace/CheriBSD-pipeline_dev@2/cheribsd/sys/vm/vm_map.c:777
#14 vm_map_clear (map=0xffff00018331c180 [rwRW,0xffff00018331c180-0xffff00018331c460] (invalid)) at /local/scratch/jenkins/workspace/CheriBSD-pipeline_dev@2/cheribsd/sys/vm/vm_map.c:4887
#15 0xffff00000052d940 in exec_new_vmspace (imgp=0xffff000132a7ee80 [rwxRWE,0xffff000132a7ee80-0xffff000132a7f0b0] (invalid), sv=0xffff0000010dd1b0 <elf64_freebsd_sysvec> [rwRW,0xffff0000010dd1b0-0xffff0000010dd490] (invalid))
    at /local/scratch/jenkins/workspace/CheriBSD-pipeline_dev@2/cheribsd/sys/kern/kern_exec.c:1179
#16 0xffff0000004f5a28 in exec_elf64c_imgact (imgp=<optimized out>) at /local/scratch/jenkins/workspace/CheriBSD-pipeline_dev@2/cheribsd/sys/kern/imgact_elf.c:1516

sys/dev/drm/freebsd/drm_os_freebsd.c

When a VM object's reference count drops to 0, vm_object_deallocate() grabs the VM object write lock, decrements the counter, then sets OBJ_DEAD. For device objects, the pgo_dealloc implementation will drop the object lock and invoke the device-specific destructor, which in this case removes the DRM object from the global list. This races with lookups, which synchronize using the drm_vma_lock and treat any object on the global list as live. In the absence of a vm_object_try_reference() which atomically acquires a VM object reference only if the current value is non-zero, we need to use the VM object lock to synchronize with vm_object_deallocate().

bsdjhb approved these changes Feb 13, 2025

View reviewed changes

sys/dev/drm/freebsd/drm_os_freebsd.c Outdated Show resolved Hide resolved

markjdb force-pushed the dev-drm-race branch from f81b725 to 6f48852 Compare February 13, 2025 15:28

bsdjhb approved these changes Feb 13, 2025

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

drm: Fix a race in drm_fstub_do_mmap() #2325

drm: Fix a race in drm_fstub_do_mmap() #2325

markjdb commented Feb 12, 2025

drm: Fix a race in drm_fstub_do_mmap() #2325

Are you sure you want to change the base?

drm: Fix a race in drm_fstub_do_mmap() #2325

Conversation

markjdb commented Feb 12, 2025