Skip to content

v3d, vc4, panfrost: Fix race condition in BO imports

Asahi Lina requested to merge asahilina/mesa:fixes/bo-import-races into main

When importing a BO, if it is already imported, then the handle will alias an existing BO instance. It is possible for the existing owner to free the BO after the import and leave a dangling handle before we get a chance to increase the refcount, so we need to lock the BO table mutex before importing, to make sure nobody else goes through the free path during that window.

Thanks to @danvet for pointing out this race in !20397 (merged) (which came from the panfrost and asahi (downstream) instances of the bug).

I took a quick look at other drivers and this is what I found:

  • etnaviv: Already locks properly
  • freedreno: Already locks properly
  • tu_drm: Already locks properly
  • iris: Already locks properly
  • crocus: Already locks properly
  • lima: Already locks properly
  • radeon: Already locks properly
  • v3dv: Doesn't have a lock at all, so even racier.
  • tegra: Doesn't have a lock at all, so even racier.
  • amdgpu: This one is quite complicated and there are multiple locks involved... I'll leave it to someone else to figure out if it's done properly or not ^^

v3dv and tegra probably need quite a bit of work on the thread-safety front, unless I missed a big lock somewhere...

Edited by Asahi Lina

Merge request reports