You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
162 lines
4.8 KiB
162 lines
4.8 KiB
/*
|
|
* Copyright © 2012 Intel Corporation
|
|
*
|
|
* Permission is hereby granted, free of charge, to any person obtaining a
|
|
* copy of this software and associated documentation files (the "Software"),
|
|
* to deal in the Software without restriction, including without limitation
|
|
* the rights to use, copy, modify, merge, publish, distribute, sublicense,
|
|
* and/or sell copies of the Software, and to permit persons to whom the
|
|
* Software is furnished to do so, subject to the following conditions:
|
|
*
|
|
* The above copyright notice and this permission notice (including the next
|
|
* paragraph) shall be included in all copies or substantial portions of the
|
|
* Software.
|
|
*
|
|
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
|
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
|
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
|
|
* THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
|
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
|
|
* FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
|
|
* IN THE SOFTWARE.
|
|
*
|
|
* Authors:
|
|
* Daniel Vetter <daniel.vetter@ffwll.ch>
|
|
*
|
|
*/
|
|
|
|
/** @file gem_unfence_active_buffers.c
|
|
*
|
|
* Testcase: Check for use-after free in the fence stealing code
|
|
*
|
|
* If we're stealing the fence of a active object where the active list is the
|
|
* only thing holding a reference, we need to be careful not to access the old
|
|
* object we're stealing the fence from after that reference has been dropped by
|
|
* retire_requests.
|
|
*
|
|
* Note that this needs slab poisoning enabled in the kernel to reliably hit the
|
|
* problem - the race window is too small.
|
|
*/
|
|
|
|
#include "igt.h"
|
|
#include <stdlib.h>
|
|
#include <stdio.h>
|
|
#include <string.h>
|
|
#include <fcntl.h>
|
|
#include <inttypes.h>
|
|
#include <errno.h>
|
|
#include <sys/stat.h>
|
|
#include <sys/time.h>
|
|
#include <stdbool.h>
|
|
#include "drm.h"
|
|
#include "intel_bufmgr.h"
|
|
|
|
IGT_TEST_DESCRIPTION("Check for use-after-free in the fence stealing code.");
|
|
|
|
static drm_intel_bufmgr *bufmgr;
|
|
struct intel_batchbuffer *batch;
|
|
uint32_t devid;
|
|
|
|
#define TEST_SIZE (1024*1024)
|
|
#define TEST_STRIDE (4*1024)
|
|
|
|
uint32_t data[TEST_SIZE/4];
|
|
|
|
igt_simple_main
|
|
{
|
|
int i, ret, fd, num_fences;
|
|
drm_intel_bo *busy_bo, *test_bo;
|
|
uint32_t tiling = I915_TILING_X;
|
|
|
|
igt_skip_on_simulation();
|
|
|
|
for (i = 0; i < 1024*256; i++)
|
|
data[i] = i;
|
|
|
|
fd = drm_open_driver(DRIVER_INTEL);
|
|
igt_require_gem(fd);
|
|
|
|
bufmgr = drm_intel_bufmgr_gem_init(fd, 4096);
|
|
drm_intel_bufmgr_gem_enable_reuse(bufmgr);
|
|
devid = intel_get_drm_devid(fd);
|
|
batch = intel_batchbuffer_alloc(bufmgr, devid);
|
|
|
|
igt_info("filling ring\n");
|
|
busy_bo = drm_intel_bo_alloc(bufmgr, "busy bo bo", 16*1024*1024, 4096);
|
|
|
|
for (i = 0; i < 250; i++) {
|
|
BLIT_COPY_BATCH_START(0);
|
|
OUT_BATCH((3 << 24) | /* 32 bits */
|
|
(0xcc << 16) | /* copy ROP */
|
|
2*1024*4);
|
|
OUT_BATCH(0 << 16 | 1024);
|
|
OUT_BATCH((2048) << 16 | (2048));
|
|
OUT_RELOC_FENCED(busy_bo, I915_GEM_DOMAIN_RENDER, I915_GEM_DOMAIN_RENDER, 0);
|
|
OUT_BATCH(0 << 16 | 0);
|
|
OUT_BATCH(2*1024*4);
|
|
OUT_RELOC_FENCED(busy_bo, I915_GEM_DOMAIN_RENDER, 0, 0);
|
|
ADVANCE_BATCH();
|
|
|
|
if (batch->gen >= 6) {
|
|
BEGIN_BATCH(3, 0);
|
|
OUT_BATCH(XY_SETUP_CLIP_BLT_CMD);
|
|
OUT_BATCH(0);
|
|
OUT_BATCH(0);
|
|
ADVANCE_BATCH();
|
|
}
|
|
}
|
|
intel_batchbuffer_flush(batch);
|
|
|
|
num_fences = gem_available_fences(fd);
|
|
igt_info("creating havoc on %i fences\n", num_fences);
|
|
|
|
for (i = 0; i < num_fences*2; i++) {
|
|
test_bo = drm_intel_bo_alloc(bufmgr, "test_bo",
|
|
TEST_SIZE, 4096);
|
|
ret = drm_intel_bo_set_tiling(test_bo, &tiling, TEST_STRIDE);
|
|
igt_assert(ret == 0);
|
|
|
|
drm_intel_bo_disable_reuse(test_bo);
|
|
|
|
BLIT_COPY_BATCH_START(0);
|
|
OUT_BATCH((3 << 24) | /* 32 bits */
|
|
(0xcc << 16) | /* copy ROP */
|
|
TEST_STRIDE);
|
|
OUT_BATCH(0 << 16 | 0);
|
|
OUT_BATCH((1) << 16 | (1));
|
|
OUT_RELOC_FENCED(test_bo, I915_GEM_DOMAIN_RENDER, I915_GEM_DOMAIN_RENDER, 0);
|
|
OUT_BATCH(0 << 16 | 0);
|
|
OUT_BATCH(TEST_STRIDE);
|
|
OUT_RELOC_FENCED(test_bo, I915_GEM_DOMAIN_RENDER, 0, 0);
|
|
ADVANCE_BATCH();
|
|
intel_batchbuffer_flush(batch);
|
|
igt_info("test bo offset: %#lx\n", test_bo->offset);
|
|
|
|
drm_intel_bo_unreference(test_bo);
|
|
}
|
|
|
|
/* launch a few batchs to ensure the damaged slab objects get reused. */
|
|
for (i = 0; i < 10; i++) {
|
|
BLIT_COPY_BATCH_START(0);
|
|
OUT_BATCH((3 << 24) | /* 32 bits */
|
|
(0xcc << 16) | /* copy ROP */
|
|
2*1024*4);
|
|
OUT_BATCH(0 << 16 | 1024);
|
|
OUT_BATCH((1) << 16 | (1));
|
|
OUT_RELOC_FENCED(busy_bo, I915_GEM_DOMAIN_RENDER, I915_GEM_DOMAIN_RENDER, 0);
|
|
OUT_BATCH(0 << 16 | 0);
|
|
OUT_BATCH(2*1024*4);
|
|
OUT_RELOC_FENCED(busy_bo, I915_GEM_DOMAIN_RENDER, 0, 0);
|
|
ADVANCE_BATCH();
|
|
|
|
if (batch->gen >= 8) {
|
|
BEGIN_BATCH(3, 0);
|
|
OUT_BATCH(XY_SETUP_CLIP_BLT_CMD);
|
|
OUT_BATCH(0);
|
|
OUT_BATCH(0);
|
|
ADVANCE_BATCH();
|
|
}
|
|
}
|
|
intel_batchbuffer_flush(batch);
|
|
}
|