Reply-To: christian.koenig@amd.com
Subject: Re: [PATCH] dma-buf/reservation: shouldn't kfree staged when slot available
To: "Liu, Monk", "Koenig, Christian", "dri-devel@lists.freedesktop.org", "linux-kernel@vger.kernel.org"
References: <1519800242-2442-1-git-send-email-Monk.Liu@amd.com>
From: Christian König
Date: Mon, 5 Mar 2018 12:22:21 +0100

On 05.03.2018 at 08:55, Liu, Monk wrote:
> Hi Christian
>
> You are right on that part of obj-staged is set to NULL in add_fence,
> So my following question will be why we kfree(obj->staged) in reserve_shared() if staged is always NULL in that point?

Good question, I haven't written that code, so I can't fully answer.

Maybe Chris or Maarten know more about that.

Christian.

>
> Thanks
> /Monk
>
> -----Original Message-----
> From: Christian König [mailto:ckoenig.leichtzumerken@gmail.com]
> Sent: February 28, 2018 16:27
> To: Liu, Monk ; dri-devel@lists.freedesktop.org; linux-kernel@vger.kernel.org
> Subject: Re: [PATCH] dma-buf/reservation: shouldn't kfree staged when slot available
>
> On 28.02.2018 at 07:44, Monk Liu wrote:
>> under below scenario the obj->fence would refer to a wild pointer:
>>
>> 1,call reservation_object_reserved_shared
>> 2,call reservation_object_add_shared_fence
>> 3,call reservation_object_reserved_shared
>> 4,call reservation_object_add_shared_fence
>>
>> in step 1, staged is allocated,
>>
>> in step 2, code path will go reservation_object_add_shared_replace()
>> and obj->fence would be assigned as staged (through RCU_INIT_POINTER)
>>
>> in step 3, obj->staged will be freed (by simple kfree), which makes
>> obj->fence point to a wild pointer...
>
> Well that explanation is still nonsense. See
> reservation_object_add_shared_fence:
>>         obj->staged = NULL;
> Among the first things reservation_object_add_shared_fence() does is it
> sets obj->staged to NULL.
>
> So step 3 will not free anything and we never have a wild pointer.
>
> Regards,
> Christian.
>
>> in step 4, code path will go reservation_object_add_shared_inplace()
>> and inside it the @fobj (which equals to @obj->staged, set by above steps)
>> is already a wild pointer
>>
>> should remove the kfree on staged in reservation_object_reserve_shared()
>>
>> Change-Id: If7c01f1b4be3d3d8a81efa90216841f79ab1fc1c
>> Signed-off-by: Monk Liu
>> --- >> drivers/dma-buf/reservation.c | 7 ++----- >> 1 file changed, 2 insertions(+), 5 deletions(-) >> >> diff --git a/drivers/dma-buf/reservation.c b/drivers/dma-buf/reservation.c >> index 375de41..b473ccc 100644 >> --- a/drivers/dma-buf/reservation.c >> +++ b/drivers/dma-buf/reservation.c
>> @@ -74,12 +74,9 @@ int reservation_object_reserve_shared(struct reservation_object *obj) >> old = reservation_object_get_list(obj); >> >> if (old && old->shared_max) { >> - if (old->shared_count < old->shared_max) { >> - /* perform an in-place update */ >> - kfree(obj->staged); >> - obj->staged = NULL; >> + if (old->shared_count < old->shared_max) >> return 0; >> - } else >> + else >> max = old->shared_max * 2; >> } else >> max = 4;
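
Review bot: in the `old->shared_count < old->shared_max` branch the patch drops `obj->staged = NULL;` together with `kfree(obj->staged);`, but the commit message only argues against the kfree. If obj->staged can be non-NULL on this path, it now survives the early `return 0` and nothing in the visible lines frees or clears it; if it is always NULL here, as the reply in this thread states, the removed lines were a no-op and removing them cannot fix the wild pointer described. The commit message should name the call path on which staged is non-NULL at this point, otherwise the hunk should be dropped. Style: with the braces gone, the `else` now follows a branch that ends in `return 0`, so it can be removed and `max = old->shared_max * 2;` left one level out.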
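
A user-space model of the four-step sequence discussed in this thread, added here as an example and not taken from the kernel source or from either author. All struct and function names are hypothetical, `realloc`/`free` stand in for the kernel allocator, RCU is left out, and the add step clearing staged first is modelled on the line quoted in the reply.

```c
#include <stdlib.h>
/* Simplified user-space model; every name here is hypothetical. */
struct fence_list { unsigned count, max; int shared[]; };
struct resv { struct fence_list *fence, *staged; };

/* Pre-patch reserve step; *hits counts frees of a non-NULL staged list. */
static int model_reserve(struct resv *o, int *hits)
{
	struct fence_list *old = o->fence, *n;
	unsigned max = 4;
	if (old && old->max) {
		if (old->count < old->max) {	/* room left: in-place update */
			*hits += (o->staged != NULL);
			free(o->staged);
			o->staged = NULL;
			return 0;
		}
		max = old->max * 2;
	}
	n = realloc(o->staged, sizeof(*n) + max * sizeof(n->shared[0]));
	if (!n)
		return -1;
	n->max = max;
	o->staged = n;
	return 0;
}

/* Add step: clears staged first; caller must have reserved a slot. */
static void model_add(struct resv *o, int id)
{
	struct fence_list *old = o->fence, *fobj = o->staged;
	o->staged = NULL;
	if (fobj) {			/* replace: copy old entries, publish fobj */
		fobj->count = 0;
		for (unsigned i = 0; old && i < old->count; i++)
			fobj->shared[fobj->count++] = old->shared[i];
		o->fence = fobj;
		free(old);
	}
	o->fence->shared[o->fence->count++] = id;	/* in-place append */
}

/* Steps 1-4 of the commit message; returns the number of non-NULL frees. */
static int model_four_steps(struct resv *o)
{
	int hits = 0;
	model_reserve(o, &hits); model_add(o, 1);	/* steps 1, 2 */
	model_reserve(o, &hits); model_add(o, 2);	/* steps 3, 4 */
	return hits;
}
int main(void) { struct resv o = {0}; return model_four_steps(&o); }
```
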