[PATCH 0/3] drm/ttm: Cleanup state in global ttm structures

[PATCH 0/3] drm/ttm: Cleanup state in global ttm structures

[Brian Yip]

State in global ttm structures was not properly reset on cleanup.

In the scenario where multiple drm drivers are loaded and the first one 
fails to initialize, there is an attempt to reset the global state in
the ttm structures. However, there were some attributes which were not
properly reset during this process. This resulted in a crash and 
false positive kobj initialization warnings during subsequent initialization
of these global structures.

Fix the crash and false positive kobj initialization warnings.

Brian Yip (3):
  drm/ttm: Reset num_zones on ttm_mem_global cleanup
  drm/ttm: Fix ttm_mem_glob.kobj state on cleanup
  drm/ttm: Fix ttm_bo_glob.kobj state on cleanup

 drivers/gpu/drm/ttm/ttm_bo.c     | 4 ++++
 drivers/gpu/drm/ttm/ttm_memory.c | 5 +++++
 2 files changed, 9 insertions(+)

-- 
2.20.1

[PATCH 1/3] drm/ttm: Reset num_zones on ttm_mem_global cleanup

[Brian Yip]

num_zones in the ttm_mem_global structure was never reset after calling
ttm_mem_global_release(). Consequently, when multiple GPU drivers
are loaded, and the first one fails to load its firmware, the second
driver will attempt to load its own firmware. Initializing the
second driver invokes ttm_mem_global_init where ttm_mem_global.num_zones
is eventually incremented beyond TTM_MEM_MAX_ZONES.
ttm_mem_global.num_zones is then used to dereference a ttm_mem_zone beyond
the amount of ttm_mem_zones allocated, resulting in a crash.

Signed-off-by: Brian Yip <itsbriany@gmail.com>
---
 drivers/gpu/drm/ttm/ttm_memory.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/gpu/drm/ttm/ttm_memory.c b/drivers/gpu/drm/ttm/ttm_memory.c
index 699fed9e08ee..55ccb9800893 100644
--- a/drivers/gpu/drm/ttm/ttm_memory.c
+++ b/drivers/gpu/drm/ttm/ttm_memory.c
@@ -478,6 +478,9 @@ void ttm_mem_global_release(struct ttm_mem_global *glob)
 			}
 	kobject_del(&glob->kobj);
 	kobject_put(&glob->kobj);
+
+	if (!kref_read(&glob->kobj.kref))
+		glob->num_zones = 0;
 }
 
 static void ttm_check_swapping(struct ttm_mem_global *glob)
-- 
2.20.1

[PATCH 2/3] drm/ttm: Fix ttm_mem_glob.kobj state on cleanup

[Brian Yip]

Cleanup ttm_mem_glob.kobj when its reference count hits 0
so that it can be re-initialized by future ttm_mem_global_init calls
without dumping a stack trace.

Signed-off-by: Brian Yip <itsbriany@gmail.com>
---
 drivers/gpu/drm/ttm/ttm_memory.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/ttm/ttm_memory.c b/drivers/gpu/drm/ttm/ttm_memory.c
index 55ccb9800893..63d82a81912e 100644
--- a/drivers/gpu/drm/ttm/ttm_memory.c
+++ b/drivers/gpu/drm/ttm/ttm_memory.c
@@ -479,8 +479,10 @@ void ttm_mem_global_release(struct ttm_mem_global *glob)
 	kobject_del(&glob->kobj);
 	kobject_put(&glob->kobj);
 
-	if (!kref_read(&glob->kobj.kref))
+	if (!kref_read(&glob->kobj.kref)) {
+		glob->kobj.state_initialized = 0;
 		glob->num_zones = 0;
+	}
 }
 
 static void ttm_check_swapping(struct ttm_mem_global *glob)
-- 
2.20.1

[PATCH 3/3] drm/ttm: Fix ttm_bo_glob.kobj state on cleanup

[Brian Yip]

Cleanup ttm_bo_glob.kobj when its reference count hits 0
so that it can be re-initialized by future ttm_bo_global_init calls
without dumping a stack trace.

Signed-off-by: Brian Yip <itsbriany@gmail.com>
---
 drivers/gpu/drm/ttm/ttm_bo.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/gpu/drm/ttm/ttm_bo.c b/drivers/gpu/drm/ttm/ttm_bo.c
index 988416fb8a0b..1e1844f4a4fa 100644
--- a/drivers/gpu/drm/ttm/ttm_bo.c
+++ b/drivers/gpu/drm/ttm/ttm_bo.c
@@ -1535,6 +1535,10 @@ static void ttm_bo_global_release(void)
 	kobject_del(&glob->kobj);
 	kobject_put(&glob->kobj);
 	ttm_mem_global_release(&ttm_mem_glob);
+
+	if (!kref_read(&glob->kobj.kref))
+		glob->kobj.state_initialized = 0;
+
 out:
 	mutex_unlock(&ttm_global_mutex);
 }
-- 
2.20.1

Re: [PATCH 1/3] drm/ttm: Reset num_zones on ttm_mem_global cleanup

[Koenig, Christian]

Am 15.04.19 um 01:37 schrieb Brian Yip:
> num_zones in the ttm_mem_global structure was never reset after calling
> ttm_mem_global_release(). Consequently, when multiple GPU drivers
> are loaded, and the first one fails to load its firmware, the second
> driver will attempt to load its own firmware. Initializing the
> second driver invokes ttm_mem_global_init where ttm_mem_global.num_zones
> is eventually incremented beyond TTM_MEM_MAX_ZONES.
> ttm_mem_global.num_zones is then used to dereference a ttm_mem_zone beyond
> the amount of ttm_mem_zones allocated, resulting in a crash.
>
> Signed-off-by: Brian Yip <itsbriany@gmail.com>
> ---
>   drivers/gpu/drm/ttm/ttm_memory.c | 3 +++
>   1 file changed, 3 insertions(+)
>
> diff --git a/drivers/gpu/drm/ttm/ttm_memory.c b/drivers/gpu/drm/ttm/ttm_memory.c
> index 699fed9e08ee..55ccb9800893 100644
> --- a/drivers/gpu/drm/ttm/ttm_memory.c
> +++ b/drivers/gpu/drm/ttm/ttm_memory.c
> @@ -478,6 +478,9 @@ void ttm_mem_global_release(struct ttm_mem_global *glob)
>   			}
>   	kobject_del(&glob->kobj);
>   	kobject_put(&glob->kobj);
> +
> +	if (!kref_read(&glob->kobj.kref))
> +		glob->num_zones = 0;

NAK. It's nice to see that somebody tries to take care of this problem, 
but this is certainly not the right fix.

Instead of all of this the problem is simply that the glob structure is 
not zero initialized in ttm_mem_global_init(), a simple memset should do 
the trick.

Regards,
Christian.

>   }
>   
>   static void ttm_check_swapping(struct ttm_mem_global *glob)