Received: by 10.223.185.116 with SMTP id b49csp2625298wrg; Mon, 5 Mar 2018 06:13:09 -0800 (PST) X-Google-Smtp-Source: AG47ELsJRwxyB95sRvR8nkkNezh9Da1h2C+NmnMhTZq2qARsfe2GfPQvt/KFk93SlViLHmXDF7yL X-Received: by 2002:a17:902:b212:: with SMTP id t18-v6mr12371373plr.17.1520259189573; Mon, 05 Mar 2018 06:13:09 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1520259189; cv=none; d=google.com; s=arc-20160816; b=N9ctBxuV6a6ym40P3pU8kus64CcnX6HpI5GG8WXGd2+DUcPRodBRty8X3B4CTecGTk 786y+jdaUFGrTdUZ8dFMqr9tvqYiQ14yVMikZEPWl2HIsUj2qJoOY1IrpUF4BTJNYdjc qH5UZYmGf0ygBSmUXdoCpbXWaTKFex3pN1wcNfb6YKXPBL1aG2HBz427rO5TMXijX13/ T7EeLGly4BFhOVo+ctUXQq5qdqu1OwJ24nvFn3xuTpm0RF6m05vRw8GdCMQor3LUsmoW GIN1i2R+IFbMeBMFLNDgo5W82HuvpVF1flElY7MIA/7qSsMA4T5jl2veJ6kHhNVkZZ61 FozA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-language :content-transfer-encoding:in-reply-to:mime-version:user-agent:date :message-id:from:references:to:subject:reply-to:dkim-signature :arc-authentication-results; bh=4Cekpbedmeopf7BBSXPQBaopkjtR/cFaaqlghNj1MT0=; b=Lz+MJc+dpueO4/cRPIQUCdmpjOGABRbL3aC/zyu7Bi4hkC1wNei9KNUI3GwbgWoCJU pJz13knnjnhbSOClo75sUfT81xcQNHkjQ8k3G5a1xGJEpaI96GqLy/eIW672E3HkjbCA j9ePMnhn6x2u8mp51A1YBC23cR/Us3oXyjZip8RyEgIpGRD1k+PLUJMGX1JDvIixnZqO zEfi6Znd1isieKRa5UITIlWlrVnRgNwqc8auTofRaXvZGdSdO9je+WkrPemNN3UzvKQd OgYgqyanmhZNJiNY7WIxPEFBrSTAZUMXXYI4OYUp/d70Xf6f17vE0yMDUealQw77/p0H jstw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=SymS0cRU; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 12si8376700pgb.389.2018.03.05.06.12.55; Mon, 05 Mar 2018 06:13:09 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=SymS0cRU; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S933934AbeCELvL (ORCPT + 99 others); Mon, 5 Mar 2018 06:51:11 -0500 Received: from mail-wr0-f180.google.com ([209.85.128.180]:44767 "EHLO mail-wr0-f180.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S933027AbeCELvK (ORCPT ); Mon, 5 Mar 2018 06:51:10 -0500 Received: by mail-wr0-f180.google.com with SMTP id v65so16918928wrc.11 for ; Mon, 05 Mar 2018 03:51:09 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=reply-to:subject:to:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-transfer-encoding:content-language; bh=4Cekpbedmeopf7BBSXPQBaopkjtR/cFaaqlghNj1MT0=; b=SymS0cRU77qu/YTiC9ic8xZZtVZpz5hTQph0oqLNIKhCPzA7gdd0pkDFSBK23fuEXb ZMgdaibkOPRy1dLUw5Fh+4G9vNXZGyG5gYt0MVqxl0+NsBSWzblDxL1EYfr15RTjZYgw MWRbXxhT8RgIzPYSTtoey5EAjoO3OoL4j6syvKXZpsTGMKA73oxPY+Geq2AokADQQhNU YjZEOcLAo5nVcORgJlioVv2aufeXAqwHCo0MGt3FzVUVh/q94HxuGm16U7fgrS/Pkxe0 QGSy/iF/YRLI4aIqqedUH12DQZV3+d5OqniokvzGYUiE7K+Q+EOmxbrtrRanwTWb6Y/y 9NkQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:reply-to:subject:to:references:from:message-id :date:user-agent:mime-version:in-reply-to:content-transfer-encoding :content-language; bh=4Cekpbedmeopf7BBSXPQBaopkjtR/cFaaqlghNj1MT0=; b=a6QT/rItrSlk1F4/CjFrfbQSLuI/HWbgfJ9bcfXUQxxU8Zota7BdmCi7/+ucaPzzvr ZzpnyGuidT45gTThjYTPIqnr8XvBxI5ku5lw3gbUCIm3+FMiZuP2g9Zd1GPydPfDQ3hN rF4jGCFK57O1GMERZdJLazE3GIZvAhCcl9QK3EMwtbZgZhe8Uhaes0PLZUmR3lGiTp1R QbgnG1hxayPAhWoGfWDLbhM9echyB2YN69fxl0urS2aifzpFF+4+3SxfiuqLuDNjyYVi o6kAJ/1nGmXYZ5n9lAWaaPgPU9pHV4VFTVgfsP330B+6UPBYp34eMk2qkidBbXtntzd/ XpwA== X-Gm-Message-State: APf1xPCC9nIbqx5BM556YIFv+TQtWcEXAnNPuGplieRobfLyJc8oQoRE HFLPXaYSxgL88ok7AZb/8Y7Z2cEV X-Received: by 10.223.136.44 with SMTP id d41mr13134698wrd.127.1520250669065; Mon, 05 Mar 2018 03:51:09 -0800 (PST) Received: from ?IPv6:2a02:908:1251:8fc0:4c6d:7233:b7e1:3b88? ([2a02:908:1251:8fc0:4c6d:7233:b7e1:3b88]) by smtp.gmail.com with ESMTPSA id b185sm6649855wmb.24.2018.03.05.03.51.07 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 05 Mar 2018 03:51:08 -0800 (PST) Reply-To: christian.koenig@amd.com Subject: Re: [PATCH] dma-buf/reservation: shouldn't kfree staged when slot available To: "Liu, Monk" , "Koenig, Christian" , "dri-devel@lists.freedesktop.org" , "linux-kernel@vger.kernel.org" References: <1519800242-2442-1-git-send-email-Monk.Liu@amd.com> <210b7a03-f309-8ab6-0f23-17377660e664@amd.com> <3baa1046-79b1-7c6d-644f-9aa921733ad2@amd.com> From: =?UTF-8?Q?Christian_K=c3=b6nig?= Message-ID: <67d0d2de-ae45-4e46-33fc-48d9c0a53ea1@gmail.com> Date: Mon, 5 Mar 2018 12:51:07 +0100 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.6.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 8bit Content-Language: en-US Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Well, not really. It's just that reservation_object_reserve_shared() is called multiple times without actually adding fences. That is a perfectly normal use case, so nothing special here. Christian. Am 05.03.2018 um 12:47 schrieb Liu, Monk: > Can you give more details ? thanks > > /Monk > > -----Original Message----- > From: Koenig, Christian > Sent: 2018年3月5日 19:39 > To: Liu, Monk ; dri-devel@lists.freedesktop.org; linux-kernel@vger.kernel.org > Subject: Re: [PATCH] dma-buf/reservation: shouldn't kfree staged when slot available > > Am 05.03.2018 um 12:37 schrieb Liu, Monk: >> But the thing confuse me is according to the design, if driver keep >> calling reserve_shared() prior to add_fence(), and with lock held of cause, That BUG() shouldn't hit, so there are two things in face looks weired to me: >> 1) by design in reserve_shared(), obj->staged should be already NULL, >> so why we kfree on it > No, that is not correct. > >> 2) in fact, amdgpu can hit the case that obj->staged is not NULL in >> reserved_shared(), don't know how it lead here > We reserved a fence slot without using it, so it is still there when > reserve_shared() is called. > > Christian. > >> >> Any thought ? >> >> /Monk >> >> -----Original Message----- >> From: Koenig, Christian >> Sent: 2018年3月5日 19:29 >> To: Liu, Monk ; dri-devel@lists.freedesktop.org; >> linux-kernel@vger.kernel.org >> Subject: Re: [PATCH] dma-buf/reservation: shouldn't kfree staged when >> slot available >> >> Am 05.03.2018 um 12:25 schrieb Liu, Monk: >>> And by the way, I add "if (staged!=NULL) BUG();" prior to >>> "kfree(obj->staged)" in reserve_shared() routine, and this BUG() is actually hit, The stack dump shows it is hit during the vm_bo_update() in gem_va_update()... >> That is expected. The staged handling just makes sure that there is room available, it doesn't guarantee that it is actually used. >> >> E.g. we can end up reserving a fence slot, but then find that we actually don't need it. >> >> Christian. >> >>> Besides, the whole reservation logic still looks a little weired to me ... especially this staged part ... >>> >>> Thanks >>> >>> /Monk >>> >>> -----Original Message----- >>> From: Christian König [mailto:ckoenig.leichtzumerken@gmail.com] >>> Sent: 2018年3月5日 19:22 >>> To: Liu, Monk ; Koenig, Christian >>> ; dri-devel@lists.freedesktop.org; >>> linux-kernel@vger.kernel.org >>> Subject: Re: [PATCH] dma-buf/reservation: shouldn't kfree staged when >>> slot available >>> >>> Am 05.03.2018 um 08:55 schrieb Liu, Monk: >>>> Hi Christian >>>> >>>> You are right on that part of obj-staged is set to NULL in >>>> add_fence, So my following question will be why we kfree(obj->staged) in reserve_shared() if staged is always NULL in that point ? >>> Good question, I haven't wrote code that so I can't fully answer. >>> >>> Maybe Chris or Maarten know more about that. >>> >>> Christian. >>> >>>> Thanks >>>> /Monk >>>> >>>> -----Original Message----- >>>> From: Christian König [mailto:ckoenig.leichtzumerken@gmail.com] >>>> Sent: 2018年2月28日 16:27 >>>> To: Liu, Monk ; dri-devel@lists.freedesktop.org; >>>> linux-kernel@vger.kernel.org >>>> Subject: Re: [PATCH] dma-buf/reservation: shouldn't kfree staged >>>> when slot available >>>> >>>> Am 28.02.2018 um 07:44 schrieb Monk Liu: >>>>> under below scenario the obj->fence would refer to a wild pointer: >>>>> >>>>> 1,call reservation_object_reserved_shared >>>>> 2,call reservation_object_add_shared_fence >>>>> 3,call reservation_object_reserved_shared >>>>> 4,call reservation_object_add_shared_fence >>>>> >>>>> in step 1, staged is allocated, >>>>> >>>>> in step 2, code path will go >>>>> reservation_object_add_shared_replace() >>>>> and obj->fence would be assigned as staged (through >>>>> RCU_INIT_POINTER) >>>>> >>>>> in step 3, obj->staged will be freed(by simple kfree), which make >>>>> obj->fence point to a wild pointer... >>>> Well that explanation is still nonsense. See >>>> reservation_object_add_shared_fence: >>>>>         obj->staged = NULL; >>>> Among the first things reservation_object_add_shared_fence() does is >>>> it sets obj->staged to NULL. >>>> >>>> So step 3 will not free anything and we never have a wild pointer. >>>> >>>> Regards, >>>> Christian. >>>> >>>>> in step 4, code path will go >>>>> reservation_object_add_shared_inplace() >>>>> and inside it the @fobj (which equals to @obj->staged, set by above >>>>> steps) is already a wild pointer >>>>> >>>>> should remov the kfree on staged in >>>>> reservation_object_reserve_shared() >>>>> >>>>> Change-Id: If7c01f1b4be3d3d8a81efa90216841f79ab1fc1c >>>>> Signed-off-by: Monk Liu >>>>> --- >>>>> drivers/dma-buf/reservation.c | 7 ++----- >>>>> 1 file changed, 2 insertions(+), 5 deletions(-) >>>>> >>>>> diff --git a/drivers/dma-buf/reservation.c >>>>> b/drivers/dma-buf/reservation.c index 375de41..b473ccc 100644 >>>>> --- a/drivers/dma-buf/reservation.c >>>>> +++ b/drivers/dma-buf/reservation.c >>>>> @@ -74,12 +74,9 @@ int reservation_object_reserve_shared(struct reservation_object *obj) >>>>> old = reservation_object_get_list(obj); >>>>> >>>>> if (old && old->shared_max) { >>>>> - if (old->shared_count < old->shared_max) { >>>>> - /* perform an in-place update */ >>>>> - kfree(obj->staged); >>>>> - obj->staged = NULL; >>>>> + if (old->shared_count < old->shared_max) >>>>> return 0; >>>>> - } else >>>>> + else >>>>> max = old->shared_max * 2; >>>>> } else >>>>> max = 4; >>>> _______________________________________________ >>>> dri-devel mailing list >>>> dri-devel@lists.freedesktop.org >>>> https://lists.freedesktop.org/mailman/listinfo/dri-devel > _______________________________________________ > dri-devel mailing list > dri-devel@lists.freedesktop.org > https://lists.freedesktop.org/mailman/listinfo/dri-devel