Received: by 2002:ac0:a581:0:0:0:0:0 with SMTP id m1-v6csp6253326imm; Wed, 27 Jun 2018 04:58:09 -0700 (PDT) X-Google-Smtp-Source: ADUXVKJGG5T95o85MgtB3z2JhOkd9B3RC3v6ImR5lZK+vypQxL3NCjJRkkKjOG+AS4s7FneF8Kpx X-Received: by 2002:a17:902:3343:: with SMTP id a61-v6mr5730039plc.241.1530100689630; Wed, 27 Jun 2018 04:58:09 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1530100689; cv=none; d=google.com; s=arc-20160816; b=f8ZJ8/dWcg7iQPqG4T9TFasmjDXE49lKB1GyjkNCTEEh97zSMDaZJlgcyNof1l12pf 2Wkhb3vwEgJAxretQicK+2oAadhnD8pD6uU4x5Tyghzr1xlB/kvkTO9YxmEKyiK7KvTo 2vlD4BPVwPniZqIffBLHaWYtngEZKdtnS8+KmvJLbbpAP2HwMVeIlkAzf6b35g0Tla2T LWJMGalI0823yQUj5q4NYPangHaJognpG0EiVUwBk0QM21iADLMbjqtCBj6s3wG1mLZr WgKDaUR0s+jQ6ryMw5chK1aVFedEyMsSbAb515Cqa9KPqXVQcCUjwQy7J+t5ACY1kqU5 FpuQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:date:subject:user-agent:message-id :references:cc:in-reply-to:from:to:content-transfer-encoding :mime-version:arc-authentication-results; bh=EI303kJQHDeYHm/xptzvHA2yiVJGMspOui87GTm6uM8=; b=RrPKApeHRP2N6zk2PC4NBnjyGbBmMI13p1LlhrFUgl20/tFzgTyEj1mHSVzIVT0Mah urz7vtvfRklmii4euTB8JQWITSn9sKuc+rDEG0WVbjxrHUKF3lKlH0wwddMzA0ZYzYf0 y1vyy0fbIpfoEJF3eg0yMzvDqdQ7ZKeutYhuwwM0/lccZwfiRqToLNV/QgQwyI88aU5W D/iK/4mTlkFzQF8Z7eavS68ZinI68rBrPeXdn/4bA+6fCnIODIAVnTGOAD/jubFT+ji4 2k6ONAnFoH41Y3OQW7dSq61ccOdW1QnHWtGklQDNwJZJgwkeBm8JGMgXCBjjFX4/u3fr I1LA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id b19-v6si3651862pls.439.2018.06.27.04.57.55; Wed, 27 Jun 2018 04:58:09 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S964905AbeF0Lu4 convert rfc822-to-8bit (ORCPT + 99 others); Wed, 27 Jun 2018 07:50:56 -0400 Received: from mail.fireflyinternet.com ([109.228.58.192]:62634 "EHLO fireflyinternet.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1752057AbeF0Luz (ORCPT ); Wed, 27 Jun 2018 07:50:55 -0400 X-Default-Received-SPF: pass (skip=forwardok (res=PASS)) x-ip-name=78.156.65.138; Received: from localhost (unverified [78.156.65.138]) by fireflyinternet.com (Firefly Internet (M1)) with ESMTP (TLS) id 12174522-1500050 for multiple; Wed, 27 Jun 2018 12:50:45 +0100 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8BIT To: =?utf-8?q?Michel_D=C3=A4nzer?= , "Sumit Semwal" From: Chris Wilson In-Reply-To: <20180626143147.14296-1-michel@daenzer.net> Cc: linaro-mm-sig@lists.linaro.org, amd-gfx@lists.freedesktop.org, linux-kernel@vger.kernel.org, dri-devel@lists.freedesktop.org, linux-media@vger.kernel.org, =?utf-8?q?Christian_K=C3=B6nig?= References: <20180626143147.14296-1-michel@daenzer.net> Message-ID: <153010024207.8693.14587899562244751472@mail.alporthouse.com> User-Agent: alot/0.3.6 Subject: Re: [PATCH] dma-buf: Move BUG_ON from _add_shared_fence to _add_shared_inplace Date: Wed, 27 Jun 2018 12:50:42 +0100 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Quoting Michel Dänzer (2018-06-26 15:31:47) > From: Michel Dänzer > > Fixes the BUG_ON spuriously triggering under the following > circumstances: > > * ttm_eu_reserve_buffers processes a list containing multiple BOs using > the same reservation object, so it calls > reservation_object_reserve_shared with that reservation object once > for each such BO. > * In reservation_object_reserve_shared, old->shared_count == > old->shared_max - 1, so obj->staged is freed in preparation of an > in-place update. > * ttm_eu_fence_buffer_objects calls reservation_object_add_shared_fence > once for each of the BOs above, always with the same fence. > * The first call adds the fence in the remaining free slot, after which > old->shared_count == old->shared_max. > > In the next call to reservation_object_add_shared_fence, the BUG_ON > triggers. However, nothing bad would happen in > reservation_object_add_shared_inplace, since the fence is already in the > reservation object. > > Prevent this by moving the BUG_ON to where an overflow would actually > happen (e.g. if a buggy caller didn't call > reservation_object_reserve_shared before). > > Cc: stable@vger.kernel.org > Signed-off-by: Michel Dänzer I've convinced myself (or rather have not found a valid argument against) that being able to call reserve_shared + add_shared multiple times for the same fence is an intended part of reservation_object API I'd double check with Christian though. Reviewed-by: Chris Wilson > drivers/dma-buf/reservation.c | 6 +++--- > 1 file changed, 3 insertions(+), 3 deletions(-) > > diff --git a/drivers/dma-buf/reservation.c b/drivers/dma-buf/reservation.c > index 314eb1071cce..532545b9488e 100644 > --- a/drivers/dma-buf/reservation.c > +++ b/drivers/dma-buf/reservation.c > @@ -141,6 +141,7 @@ reservation_object_add_shared_inplace(struct reservation_object *obj, > if (signaled) { > RCU_INIT_POINTER(fobj->shared[signaled_idx], fence); > } else { > + BUG_ON(fobj->shared_count >= fobj->shared_max); Personally I would just let kasan detect this and throw away the BUG_ON or at least move it behind some DMABUF_BUG_ON(). -Chris