RE: [PATCH] dma-buf/reservation: shouldn't kfree staged when slot available

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



And by the way, I add "if (staged!=NULL) BUG();" prior to "kfree(obj->staged)" in reserve_shared() routine, and this BUG() is actually hit, 
The stack dump shows it is hit during the vm_bo_update() in gem_va_update()...

Besides, the whole reservation logic still looks a little weired to me ... especially this staged part ...

Thanks

/Monk

-----Original Message-----
From: Christian König [mailto:ckoenig.leichtzumerken@xxxxxxxxx] 
Sent: 2018年3月5日 19:22
To: Liu, Monk <Monk.Liu@xxxxxxx>; Koenig, Christian <Christian.Koenig@xxxxxxx>; dri-devel@xxxxxxxxxxxxxxxxxxxxx; linux-kernel@xxxxxxxxxxxxxxx
Subject: Re: [PATCH] dma-buf/reservation: shouldn't kfree staged when slot available

Am 05.03.2018 um 08:55 schrieb Liu, Monk:
> Hi Christian
>
> You are right on that part of obj-staged is set to NULL in add_fence, 
> So my following question will be why we kfree(obj->staged) in reserve_shared() if staged is always NULL in that point ?

Good question, I haven't wrote code that so I can't fully answer.

Maybe Chris or Maarten know more about that.

Christian.

>
> Thanks
> /Monk
>
> -----Original Message-----
> From: Christian König [mailto:ckoenig.leichtzumerken@xxxxxxxxx]
> Sent: 2018年2月28日 16:27
> To: Liu, Monk <Monk.Liu@xxxxxxx>; dri-devel@xxxxxxxxxxxxxxxxxxxxx; 
> linux-kernel@xxxxxxxxxxxxxxx
> Subject: Re: [PATCH] dma-buf/reservation: shouldn't kfree staged when 
> slot available
>
> Am 28.02.2018 um 07:44 schrieb Monk Liu:
>> under below scenario the obj->fence would refer to a wild pointer:
>>
>> 1,call reservation_object_reserved_shared
>> 2,call reservation_object_add_shared_fence
>> 3,call reservation_object_reserved_shared
>> 4,call reservation_object_add_shared_fence
>>
>> in step 1, staged is allocated,
>>
>> in step 2, code path will go reservation_object_add_shared_replace()
>> and obj->fence would be assigned as staged (through RCU_INIT_POINTER)
>>
>> in step 3, obj->staged will be freed(by simple kfree), which make
>> obj->fence point to a wild pointer...
>
> Well that explanation is still nonsense. See
> reservation_object_add_shared_fence:
>>          obj->staged = NULL;
> Among the first things reservation_object_add_shared_fence() does is 
> it sets obj->staged to NULL.
>
> So step 3 will not free anything and we never have a wild pointer.
>
> Regards,
> Christian.
>
>> in step 4, code path will go reservation_object_add_shared_inplace()
>> and inside it the @fobj (which equals to @obj->staged, set by above 
>> steps) is already a wild pointer
>>
>> should remov the kfree on staged in 
>> reservation_object_reserve_shared()
>>
>> Change-Id: If7c01f1b4be3d3d8a81efa90216841f79ab1fc1c
>> Signed-off-by: Monk Liu <Monk.Liu@xxxxxxx>
>> ---
>>    drivers/dma-buf/reservation.c | 7 ++-----
>>    1 file changed, 2 insertions(+), 5 deletions(-)
>>
>> diff --git a/drivers/dma-buf/reservation.c 
>> b/drivers/dma-buf/reservation.c index 375de41..b473ccc 100644
>> --- a/drivers/dma-buf/reservation.c
>> +++ b/drivers/dma-buf/reservation.c
>> @@ -74,12 +74,9 @@ int reservation_object_reserve_shared(struct reservation_object *obj)
>>    	old = reservation_object_get_list(obj);
>>    
>>    	if (old && old->shared_max) {
>> -		if (old->shared_count < old->shared_max) {
>> -			/* perform an in-place update */
>> -			kfree(obj->staged);
>> -			obj->staged = NULL;
>> +		if (old->shared_count < old->shared_max)
>>    			return 0;
>> -		} else
>> +		else
>>    			max = old->shared_max * 2;
>>    	} else
>>    		max = 4;
> _______________________________________________
> dri-devel mailing list
> dri-devel@xxxxxxxxxxxxxxxxxxxxx
> https://lists.freedesktop.org/mailman/listinfo/dri-devel

_______________________________________________
dri-devel mailing list
dri-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/dri-devel




[Index of Archives]     [Linux DRI Users]     [Linux Intel Graphics]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]     [XFree86]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Linux Kernel]     [Linux SCSI]     [XFree86]
  Powered by Linux