From: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
To: Patrik Jakobsson <patrik.r.jakobsson@gmail.com>
Cc: David Airlie <airlied@linux.ie>,
Daniel Vetter <daniel.vetter@ffwll.ch>,
linux-kernel <linux-kernel@vger.kernel.org>,
dri-devel <dri-devel@lists.freedesktop.org>
Subject: Re: [PATCH] drm/gma500: fix double freeing
Date: Fri, 2 Oct 2015 21:26:41 +0530 [thread overview]
Message-ID: <20151002155641.GA16809@sudip-pc> (raw)
In-Reply-To: <CAMeQTsYhfXrbkxqpoCkYPL_scfCqrqhiJ-9x=46+YB+aY0reaw@mail.gmail.com>
On Thu, Oct 01, 2015 at 07:07:33PM +0200, Patrik Jakobsson wrote:
> On Wed, Sep 30, 2015 at 8:12 AM, Sudip Mukherjee
> <sudipm.mukherjee@gmail.com> wrote:
> > On Tue, Sep 29, 2015 at 03:20:35PM +0200, Patrik Jakobsson wrote:
> >> On Thu, Sep 24, 2015 at 5:57 PM, Sudip Mukherjee
> >> <sudipm.mukherjee@gmail.com> wrote:
> >> > On Wed, Sep 09, 2015 at 06:20:40PM +0530, Sudip Mukherjee wrote:
> >> >> If backing->stolen is true then we were freeing backing by calling
> >> >> psb_gtt_free_range() but we called it again after unlocking the mutex.
> >> >> Lets make it NULL after freeing in psb_gtt_free_range() and check for
> >> >> NULL before calling the function for the second time.
> >> >>
> >> >> Signed-off-by: Sudip Mukherjee <sudip@vectorindia.org>
> >> >> ---
> >> > Hi Patrik,
> >> > A gentle ping.
> >> >
> >> > regards
> >> > sudip
> >>
> >> Hi, sorry for the late reply.
> >>
> >> Why are we freeing the range twice in the first case?
> > I think,
> > if backing->stolen is true then backing is released using
> > psb_gtt_free_range() but if backing->stolen is false then the gem object
> > is freed but the backing is not yet freed. To free that backing
> > psb_gtt_free_range() has been called second time. My patch tried to fix
> > the possibility of backing->stolen being true and backing being freed 2
> > times.
> >
> > regards
> > sudip
>
> There are some special handling of the stolen framebuffer that I don't
> remember entirely but the basic concept is that we free the backing
> when we drop the last reference on a gem object. That will trigger a
> psb_gtt_free_range(). So in this case it looks to me that the extra
> free is not needed at all. That's my quick reasoning, feel free to
> prove me wrong :)
In this case we are allocating backing using psbfb_alloc() and so
backing->stolen is always true. So we can remove the backing->stolen
condition. And if drm_fb_helper_alloc_fbi() fails then we
are jumping to out_err1. So the fitst free will not be needed.
diff --git a/drivers/gpu/drm/gma500/framebuffer.c b/drivers/gpu/drm/gma500/framebuffer.c
index 2eaf1b3..932f07b 100644
--- a/drivers/gpu/drm/gma500/framebuffer.c
+++ b/drivers/gpu/drm/gma500/framebuffer.c
@@ -466,11 +466,6 @@ static int psbfb_create(struct psb_fbdev *fbdev,
mutex_unlock(&dev->struct_mutex);
return 0;
out_unref:
- if (backing->stolen)
- psb_gtt_free_range(dev, backing);
- else
- drm_gem_object_unreference(&backing->gem);
-
drm_fb_helper_release_fbi(&fbdev->psb_fb_helper);
out_err1:
mutex_unlock(&dev->struct_mutex);
If it is ok, I can submit the v2.
regards
sudip
WARNING: multiple messages have this Message-ID (diff)
From: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
To: Patrik Jakobsson <patrik.r.jakobsson@gmail.com>
Cc: Daniel Vetter <daniel.vetter@ffwll.ch>,
linux-kernel <linux-kernel@vger.kernel.org>,
dri-devel <dri-devel@lists.freedesktop.org>
Subject: Re: [PATCH] drm/gma500: fix double freeing
Date: Fri, 2 Oct 2015 21:26:41 +0530 [thread overview]
Message-ID: <20151002155641.GA16809@sudip-pc> (raw)
In-Reply-To: <CAMeQTsYhfXrbkxqpoCkYPL_scfCqrqhiJ-9x=46+YB+aY0reaw@mail.gmail.com>
On Thu, Oct 01, 2015 at 07:07:33PM +0200, Patrik Jakobsson wrote:
> On Wed, Sep 30, 2015 at 8:12 AM, Sudip Mukherjee
> <sudipm.mukherjee@gmail.com> wrote:
> > On Tue, Sep 29, 2015 at 03:20:35PM +0200, Patrik Jakobsson wrote:
> >> On Thu, Sep 24, 2015 at 5:57 PM, Sudip Mukherjee
> >> <sudipm.mukherjee@gmail.com> wrote:
> >> > On Wed, Sep 09, 2015 at 06:20:40PM +0530, Sudip Mukherjee wrote:
> >> >> If backing->stolen is true then we were freeing backing by calling
> >> >> psb_gtt_free_range() but we called it again after unlocking the mutex.
> >> >> Lets make it NULL after freeing in psb_gtt_free_range() and check for
> >> >> NULL before calling the function for the second time.
> >> >>
> >> >> Signed-off-by: Sudip Mukherjee <sudip@vectorindia.org>
> >> >> ---
> >> > Hi Patrik,
> >> > A gentle ping.
> >> >
> >> > regards
> >> > sudip
> >>
> >> Hi, sorry for the late reply.
> >>
> >> Why are we freeing the range twice in the first case?
> > I think,
> > if backing->stolen is true then backing is released using
> > psb_gtt_free_range() but if backing->stolen is false then the gem object
> > is freed but the backing is not yet freed. To free that backing
> > psb_gtt_free_range() has been called second time. My patch tried to fix
> > the possibility of backing->stolen being true and backing being freed 2
> > times.
> >
> > regards
> > sudip
>
> There are some special handling of the stolen framebuffer that I don't
> remember entirely but the basic concept is that we free the backing
> when we drop the last reference on a gem object. That will trigger a
> psb_gtt_free_range(). So in this case it looks to me that the extra
> free is not needed at all. That's my quick reasoning, feel free to
> prove me wrong :)
In this case we are allocating backing using psbfb_alloc() and so
backing->stolen is always true. So we can remove the backing->stolen
condition. And if drm_fb_helper_alloc_fbi() fails then we
are jumping to out_err1. So the fitst free will not be needed.
diff --git a/drivers/gpu/drm/gma500/framebuffer.c b/drivers/gpu/drm/gma500/framebuffer.c
index 2eaf1b3..932f07b 100644
--- a/drivers/gpu/drm/gma500/framebuffer.c
+++ b/drivers/gpu/drm/gma500/framebuffer.c
@@ -466,11 +466,6 @@ static int psbfb_create(struct psb_fbdev *fbdev,
mutex_unlock(&dev->struct_mutex);
return 0;
out_unref:
- if (backing->stolen)
- psb_gtt_free_range(dev, backing);
- else
- drm_gem_object_unreference(&backing->gem);
-
drm_fb_helper_release_fbi(&fbdev->psb_fb_helper);
out_err1:
mutex_unlock(&dev->struct_mutex);
If it is ok, I can submit the v2.
regards
sudip
_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/dri-devel
next prev parent reply other threads:[~2015-10-02 15:56 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-09-09 12:50 [PATCH] drm/gma500: fix double freeing Sudip Mukherjee
2015-09-09 12:50 ` Sudip Mukherjee
2015-09-24 15:57 ` Sudip Mukherjee
2015-09-24 15:57 ` Sudip Mukherjee
2015-09-29 13:20 ` Patrik Jakobsson
2015-09-29 13:20 ` Patrik Jakobsson
2015-09-30 6:12 ` Sudip Mukherjee
2015-09-30 6:12 ` Sudip Mukherjee
2015-10-01 17:07 ` Patrik Jakobsson
2015-10-01 17:07 ` Patrik Jakobsson
2015-10-02 15:56 ` Sudip Mukherjee [this message]
2015-10-02 15:56 ` Sudip Mukherjee
2015-10-05 23:54 ` Patrik Jakobsson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20151002155641.GA16809@sudip-pc \
--to=sudipm.mukherjee@gmail.com \
--cc=airlied@linux.ie \
--cc=daniel.vetter@ffwll.ch \
--cc=dri-devel@lists.freedesktop.org \
--cc=linux-kernel@vger.kernel.org \
--cc=patrik.r.jakobsson@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.