* [PATCH 0/3] drm/ttm: Cleanup state in global ttm structures
From: Brian Yip @ 2019-04-14 23:37 UTC (permalink / raw)
To: christian.koenig
Cc: ray.huang, Jerry.Zhang, airlied, daniel, dri-devel, linux-kernel,
Brian Yip
State in global ttm structures was not properly reset on cleanup.

In the scenario where multiple drm drivers are loaded and the first one
fails to initialize, there is an attempt to reset the global state in
the ttm structures. However, there were some attributes which were not
properly reset during this process. This resulted in a crash and
false positive kobj initialization warnings during subsequent initialization
of these global structures.

Fix the crash and false positive kobj initialization warnings.

Brian Yip (3):
  drm/ttm: Reset num_zones on ttm_mem_global cleanup
  drm/ttm: Fix ttm_mem_glob.kobj state on cleanup
  drm/ttm: Fix ttm_bo_glob.kobj state on cleanup

 drivers/gpu/drm/ttm/ttm_bo.c     | 4 ++++
 drivers/gpu/drm/ttm/ttm_memory.c | 5 +++++
 2 files changed, 9 insertions(+)
--
2.20.1
* [PATCH 1/3] drm/ttm: Reset num_zones on ttm_mem_global cleanup
From: Brian Yip @ 2019-04-14 23:37 UTC (permalink / raw)
To: christian.koenig
Cc: ray.huang, Jerry.Zhang, airlied, daniel, dri-devel, linux-kernel,
Brian Yip
num_zones in the ttm_mem_global structure was never reset after calling
ttm_mem_global_release(). Consequently, when multiple GPU drivers
are loaded, and the first one fails to load its firmware, the second
driver will attempt to load its own firmware. Initializing the
second driver invokes ttm_mem_global_init where ttm_mem_global.num_zones
is eventually incremented beyond TTM_MEM_MAX_ZONES.
ttm_mem_global.num_zones is then used to dereference a ttm_mem_zone beyond
the amount of ttm_mem_zones allocated, resulting in a crash.
Signed-off-by: Brian Yip <itsbriany@gmail.com>
---
drivers/gpu/drm/ttm/ttm_memory.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/gpu/drm/ttm/ttm_memory.c b/drivers/gpu/drm/ttm/ttm_memory.c
index 699fed9e08ee..55ccb9800893 100644
--- a/drivers/gpu/drm/ttm/ttm_memory.c
+++ b/drivers/gpu/drm/ttm/ttm_memory.c
@@ -478,6 +478,9 @@ void ttm_mem_global_release(struct ttm_mem_global *glob)
}
kobject_del(&glob->kobj);
kobject_put(&glob->kobj);
+
+ if (!kref_read(&glob->kobj.kref))
+ glob->num_zones = 0;
}
static void ttm_check_swapping(struct ttm_mem_global *glob)
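Review bot: The kref_read(&glob->kobj.kref) test added after kobject_put(&glob->kobj) reads the kobject's refcount after this function has already dropped its own reference, so whether num_zones is reset depends on refcount internals rather than on the teardown path itself. Since ttm_mem_global_release() is the teardown, consider resetting num_zones unconditionally here, or having ttm_mem_global_init() start from a zeroed structure so a stale count cannot carry into the next init. The commit message describes num_zones passing TTM_MEM_MAX_ZONES and indexing past the allocated zones; a bound check where the count is incremented would turn that case into an error return instead of a crash.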
--
2.20.1
* [PATCH 2/3] drm/ttm: Fix ttm_mem_glob.kobj state on cleanup
From: Brian Yip @ 2019-04-14 23:37 UTC (permalink / raw)
To: christian.koenig
Cc: ray.huang, Jerry.Zhang, airlied, daniel, dri-devel, linux-kernel,
Brian Yip
Clean up ttm_mem_glob.kobj when its reference count hits 0
so that it can be re-initialized by future ttm_mem_global_init calls
without dumping a stack trace.
Signed-off-by: Brian Yip <itsbriany@gmail.com>
---
drivers/gpu/drm/ttm/ttm_memory.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/ttm/ttm_memory.c b/drivers/gpu/drm/ttm/ttm_memory.c
index 55ccb9800893..63d82a81912e 100644
--- a/drivers/gpu/drm/ttm/ttm_memory.c
+++ b/drivers/gpu/drm/ttm/ttm_memory.c
@@ -479,8 +479,10 @@ void ttm_mem_global_release(struct ttm_mem_global *glob)
kobject_del(&glob->kobj);
kobject_put(&glob->kobj);
- if (!kref_read(&glob->kobj.kref))
+ if (!kref_read(&glob->kobj.kref)) {
+ glob->kobj.state_initialized = 0;
glob->num_zones = 0;
+ }
}
static void ttm_check_swapping(struct ttm_mem_global *glob)
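Review bot: Writing glob->kobj.state_initialized = 0 from ttm code reaches into a field that belongs to the kobject's own bookkeeping, and the commit message does not say why the embedded kobject is being reused after its last reference was dropped. Prefer clearing the whole containing structure before it is initialized again in ttm_mem_global_init(), which would cover num_zones and the kobject state together and make the kref_read() branch unnecessary. If the direct write stays, add a comment stating which warning it avoids and why reusing the kobject is safe here.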
--
2.20.1
* [PATCH 3/3] drm/ttm: Fix ttm_bo_glob.kobj state on cleanup
From: Brian Yip @ 2019-04-14 23:37 UTC (permalink / raw)
To: christian.koenig
Cc: ray.huang, Jerry.Zhang, airlied, daniel, dri-devel, linux-kernel,
Brian Yip
Clean up ttm_bo_glob.kobj when its reference count hits 0
so that it can be re-initialized by future ttm_bo_global_init calls
without dumping a stack trace.
Signed-off-by: Brian Yip <itsbriany@gmail.com>
---
drivers/gpu/drm/ttm/ttm_bo.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/gpu/drm/ttm/ttm_bo.c b/drivers/gpu/drm/ttm/ttm_bo.c
index 988416fb8a0b..1e1844f4a4fa 100644
--- a/drivers/gpu/drm/ttm/ttm_bo.c
+++ b/drivers/gpu/drm/ttm/ttm_bo.c
@@ -1535,6 +1535,10 @@ static void ttm_bo_global_release(void)
kobject_del(&glob->kobj);
kobject_put(&glob->kobj);
ttm_mem_global_release(&ttm_mem_glob);
+
+ if (!kref_read(&glob->kobj.kref))
+ glob->kobj.state_initialized = 0;
+
out:
mutex_unlock(&ttm_global_mutex);
}
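Review bot: The new kref_read(&glob->kobj.kref) check sits after ttm_mem_global_release(&ttm_mem_glob) rather than directly after the kobject_put(&glob->kobj) it depends on, and it repeats the direct write to kobj.state_initialized from the ttm_memory.c patch in a second file. Keep the check adjacent to the put if it remains; handling this once on the init side, by zeroing the global before ttm_bo_global_init sets it up again, would avoid touching kobject internals in two places.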
--
2.20.1
* Re: [PATCH 1/3] drm/ttm: Reset num_zones on ttm_mem_global cleanup
From: Koenig, Christian @ 2019-04-15 6:25 UTC (permalink / raw)
To: Brian Yip
Cc: Huang, Ray, Zhang, Jerry, airlied, daniel, dri-devel, linux-kernel
On 15.04.19 at 01:37, Brian Yip wrote:
> num_zones in the ttm_mem_global structure was never reset after calling
> ttm_mem_global_release(). Consequently, when multiple GPU drivers
> are loaded, and the first one fails to load its firmware, the second
> driver will attempt to load its own firmware. Initializing the
> second driver invokes ttm_mem_global_init where ttm_mem_global.num_zones
> is eventually incremented beyond TTM_MEM_MAX_ZONES.
> ttm_mem_global.num_zones is then used to dereference a ttm_mem_zone beyond
> the amount of ttm_mem_zones allocated, resulting in a crash.
>
> Signed-off-by: Brian Yip <itsbriany@gmail.com>
> ---
> drivers/gpu/drm/ttm/ttm_memory.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/drivers/gpu/drm/ttm/ttm_memory.c b/drivers/gpu/drm/ttm/ttm_memory.c
> index 699fed9e08ee..55ccb9800893 100644
> --- a/drivers/gpu/drm/ttm/ttm_memory.c
> +++ b/drivers/gpu/drm/ttm/ttm_memory.c
> @@ -478,6 +478,9 @@ void ttm_mem_global_release(struct ttm_mem_global *glob)
> }
> kobject_del(&glob->kobj);
> kobject_put(&glob->kobj);
> +
> + if (!kref_read(&glob->kobj.kref))
> + glob->num_zones = 0;
NAK. It's nice to see that somebody tries to take care of this problem,
but this is certainly not the right fix.
Instead of all of this the problem is simply that the glob structure is
not zero initialized in ttm_mem_global_init(), a simple memset should do
the trick.
Regards,
Christian.
> }
>
> static void ttm_check_swapping(struct ttm_mem_global *glob)
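The failure mode discussed in this thread, as an added userspace model that is not part of the patches or of the kernel source: a counter in a long-lived global survives teardown, so the next init continues from the stale value unless the structure is zeroed first. struct mem_global, MAX_ZONES, the zone names and all function names are hypothetical stand-ins, and the bound check is added so the model fails cleanly instead of writing out of bounds.

```c
#include <stdio.h>
#include <string.h>

#define MAX_ZONES 2   /* stand-in for TTM_MEM_MAX_ZONES; the value is assumed */

struct mem_global {   /* simplified, hypothetical stand-in for ttm_mem_global */
    const char *zones[MAX_ZONES];
    unsigned int num_zones;
};

/* Append one zone; refuse rather than index past the array. */
static int add_zone(struct mem_global *g, const char *name)
{
    if (g->num_zones >= MAX_ZONES)
        return -1;    /* without this check the write lands out of bounds */
    g->zones[g->num_zones++] = name;
    return 0;
}

/* Init that trusts whatever count an earlier init/release cycle left. */
static int init_stale(struct mem_global *g)
{
    return (add_zone(g, "zone0") || add_zone(g, "zone1")) ? -1 : 0;
}

/* Init that zeroes the structure first, as the review reply suggests. */
static int init_zeroed(struct mem_global *g)
{
    memset(g, 0, sizeof(*g));
    return init_stale(g);
}

/* Init, tear down without resetting num_zones, init again.
 * Returns the second init's result, or -2 if the first init failed. */
static int second_init(int zero_first)
{
    static struct mem_global glob;  /* one global shared by all "drivers" */
    int (*init)(struct mem_global *) = zero_first ? init_zeroed : init_stale;

    memset(&glob, 0, sizeof(glob)); /* fresh module load */
    if (init(&glob))
        return -2;
    /* release: nothing resets glob.num_zones, as before the series */
    return init(&glob);
}

int main(void)
{
    printf("stale: %d, zeroed: %d\n", second_init(0), second_init(1));
    return 0;
}
```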