Message ID | 20171107134431.11209-1-christian.koenig@amd.com (mailing list archive) |
---|---|
State | New, archived |
On 07/11/17 02:44 PM, Christian König wrote:
> Set bo->resv to ttm_resv during BO cleanup. This way freed BOs can be
> better reaped during eviction.
>
> Signed-off-by: Roger He <Hongbo.He@amd.com>
> Signed-off-by: Christian König <christian.koenig@amd.com>

KASAN caught some badness while running piglit with this applied, see the attached dmesg excerpts. At least some of this might be pre-existing bugs being exposed by this change. E.g. I've been chasing another use-after-free, with ttm_bo_delayed_delete trying to reserve a BO which has already been destroyed. Looks like maybe the ddestroy list handling isn't quite watertight yet.
I guess this is because you move the resv change out of the lock of bo->resv. At the beginning ttm_mem_evict_first may __ttm_bo_reserve(bo->resv) successfully, and then bo->resv has been changed by another thread. That is not matched, and at this point bo->ttm_resv may also have been freed already. And I think it is not easy to put it out of the two locks of bo->resv and bo->ttm_resv.

Thanks
Roger(Hongbo.He)

-----Original Message-----
From: dri-devel [mailto:dri-devel-bounces@lists.freedesktop.org] On Behalf Of Michel Dänzer
Sent: Wednesday, November 08, 2017 12:16 AM
To: Christian König <ckoenig.leichtzumerken@gmail.com>
Cc: dri-devel@lists.freedesktop.org; amd-gfx@lists.freedesktop.org
Subject: Re: [PATCH] drm/ttm: set bo->resv point to tbo->ttm_resv after individualize_resv

On 07/11/17 02:44 PM, Christian König wrote:
> Set bo->resv to ttm_resv during BO cleanup. This way freed BOs can be
> better reaped during eviction.
>
> Signed-off-by: Roger He <Hongbo.He@amd.com>
> Signed-off-by: Christian König <christian.koenig@amd.com>

KASAN caught some badness while running piglit with this applied, see the attached dmesg excerpts. At least some of this might be pre-existing bugs being exposed by this change. E.g. I've been chasing another use-after-free, with ttm_bo_delayed_delete trying to reserve a BO which has already been destroyed. Looks like maybe the ddestroy list handling isn't quite watertight yet.

-- 
Earthling Michel Dänzer | http://www.amd.com
Libre software enthusiast | Mesa and X developer
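The interleaving Roger describes, as an added illustration rather than code from the patch or from TTM: a small C model (constructed here; `model_lock`, `model_bo` and the owner check are assumptions standing in for the ww_mutex inside a reservation_object and for struct ttm_buffer_object) in which one thread reserves through the `bo->resv` pointer, another thread redirects the pointer to `ttm_resv` without holding the old lock, and the first thread then unreserves through the pointer and releases an object it never locked. Two mitigations are modelled beside it: remembering which object was actually locked, and only swapping the pointer while the old reservation object is held.

```c
#include <errno.h>
#include <stdio.h>

/* Constructed model of a ww_mutex: an owner-tracked trylock. Not TTM code. */
struct model_lock {
    int owner;                  /* 0 = unlocked, otherwise the holding thread's id */
};

/* Constructed model of struct ttm_buffer_object: resv points either at the
 * BO's own ttm_resv or at an external, shared reservation object. */
struct model_bo {
    struct model_lock *resv;
    struct model_lock ttm_resv;
};

static int lock_acquire(struct model_lock *l, int me)
{
    if (l->owner != 0)
        return -EBUSY;          /* no_wait trylock, like __ttm_bo_reserve(bo, false, true, NULL) */
    l->owner = me;
    return 0;
}

static int lock_release(struct model_lock *l, int me)
{
    if (l->owner != me)
        return -EPERM;          /* releasing a lock this thread does not hold */
    l->owner = 0;
    return 0;
}

static void bo_init(struct model_bo *bo, struct model_lock *shared)
{
    bo->ttm_resv.owner = 0;
    shared->owner = 0;
    bo->resv = shared;          /* BO starts out using a shared reservation object */
}

/* The race from the thread: the evictor reserves through bo->resv, the cleanup
 * thread swaps the pointer without holding the old resv, and the evictor then
 * unreserves through bo->resv again and hits ttm_resv, which it never locked. */
static int race_unreserve_via_pointer(void)
{
    struct model_lock shared;
    struct model_bo bo;
    const int evictor = 1;

    bo_init(&bo, &shared);
    if (lock_acquire(bo.resv, evictor) != 0)
        return -1;
    bo.resv = &bo.ttm_resv;                 /* cleanup thread: swap under lru_lock only */
    return lock_release(bo.resv, evictor);  /* -EPERM: wrong object unlocked */
}

/* Mitigation 1: the reserving thread remembers the object it locked and
 * releases that one, independent of what bo->resv points to later. */
static int safe_unreserve_via_snapshot(void)
{
    struct model_lock shared;
    struct model_bo bo;
    struct model_lock *held;
    const int evictor = 1;

    bo_init(&bo, &shared);
    held = bo.resv;                         /* snapshot taken while reserving */
    if (lock_acquire(held, evictor) != 0)
        return -1;
    bo.resv = &bo.ttm_resv;                 /* swap still happens concurrently */
    return lock_release(held, evictor);     /* 0: the right object is released */
}

/* Mitigation 2: the cleanup thread swaps the pointer only while it holds the
 * old resv, so a concurrent trylock fails and the evictor backs off instead
 * of ever reaching its unreserve. Returns the evictor's trylock result. */
static int swap_only_while_holding_old_resv(void)
{
    struct model_lock shared;
    struct model_bo bo;
    const int cleanup = 2, evictor = 1;
    int ret;

    bo_init(&bo, &shared);
    if (lock_acquire(bo.resv, cleanup) != 0)
        return -1;
    ret = lock_acquire(bo.resv, evictor);   /* -EBUSY: evictor cannot reserve */
    bo.resv = &bo.ttm_resv;                 /* swap performed under the old lock */
    if (lock_release(&shared, cleanup) != 0) /* cleanup releases what it locked */
        return -1;
    return ret;
}

int main(void)
{
    printf("unreserve via swapped pointer: %d (expect -EPERM = %d)\n",
           race_unreserve_via_pointer(), -EPERM);
    printf("unreserve via snapshot:        %d (expect 0)\n",
           safe_unreserve_via_snapshot());
    printf("swap under old resv:           %d (expect -EBUSY = %d)\n",
           swap_only_while_holding_old_resv(), -EBUSY);
    return 0;
}
```

The model only returns an error code; in the driver the same mismatched unlock is what mutex debugging would flag, and once the BO has been freed it becomes the kind of use-after-free KASAN reported above. The snapshot variant is the pattern the pre-patch ttm_bo_cleanup_refs_and_unlock used with its local `resv` variable.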
diff --git a/drivers/gpu/drm/ttm/ttm_bo.c b/drivers/gpu/drm/ttm/ttm_bo.c index c088703777e2..cc33eb2174f6 100644 --- a/drivers/gpu/drm/ttm/ttm_bo.c +++ b/drivers/gpu/drm/ttm/ttm_bo.c @@ -444,18 +444,19 @@ static void ttm_bo_cleanup_refs_or_queue(struct ttm_buffer_object *bo) reservation_object_wait_timeout_rcu(bo->resv, true, false, 30 * HZ); spin_lock(&glob->lru_lock); + bo->resv = &bo->ttm_resv; goto error; } spin_lock(&glob->lru_lock); - ret = __ttm_bo_reserve(bo, false, true, NULL); + if (bo->resv != &bo->ttm_resv) + bo->resv = &bo->ttm_resv; + else + ret = __ttm_bo_reserve(bo, false, true, NULL); if (!ret) { - if (reservation_object_test_signaled_rcu(&bo->ttm_resv, true)) { + if (reservation_object_test_signaled_rcu(bo->resv, true)) { ttm_bo_del_from_lru(bo); spin_unlock(&glob->lru_lock); - if (bo->resv != &bo->ttm_resv) - reservation_object_unlock(&bo->ttm_resv); - ttm_bo_cleanup_memtype_use(bo); return; } @@ -474,8 +475,6 @@ static void ttm_bo_cleanup_refs_or_queue(struct ttm_buffer_object *bo) __ttm_bo_unreserve(bo); } - if (bo->resv != &bo->ttm_resv) - reservation_object_unlock(&bo->ttm_resv); error: kref_get(&bo->list_kref); @@ -503,15 +502,9 @@ static int ttm_bo_cleanup_refs_and_unlock(struct ttm_buffer_object *bo, bool no_wait_gpu) { struct ttm_bo_global *glob = bo->glob; - struct reservation_object *resv; int ret; - if (unlikely(list_empty(&bo->ddestroy))) - resv = bo->resv; - else - resv = &bo->ttm_resv; - - if (reservation_object_test_signaled_rcu(resv, true)) + if (reservation_object_test_signaled_rcu(bo->resv, true)) ret = 0; else ret = -EBUSY; @@ -521,7 +514,7 @@ static int ttm_bo_cleanup_refs_and_unlock(struct ttm_buffer_object *bo, ww_mutex_unlock(&bo->resv->lock); spin_unlock(&glob->lru_lock); - lret = reservation_object_wait_timeout_rcu(resv, true, + lret = reservation_object_wait_timeout_rcu(bo->resv, true, interruptible, 30 * HZ);
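Review bot: in the first hunk of ttm_bo_cleanup_refs_or_queue, both new `bo->resv = &bo->ttm_resv;` assignments (the one before `goto error` in the timeout path and the one in the new `if (bo->resv != &bo->ttm_resv)` branch) rewrite the reservation pointer while holding only glob->lru_lock, not the ww_mutex of the old bo->resv. A thread that reserved the BO through the old pointer, as ttm_mem_evict_first does in the scenario Roger raises, will later __ttm_bo_unreserve() through the new pointer and unlock ttm_resv, which it never locked. Suggest doing the swap only while the old reservation object is held, or adding a comment explaining why no other reserve can be in flight at this point. In the same branch `ret` is not assigned, so the following `if (!ret)` depends on a value set before the hunk; an explicit `ret = 0;` there would make that intent visible.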
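Review bot: dropping the `if (bo->resv != &bo->ttm_resv) reservation_object_unlock(&bo->ttm_resv);` pair before the `error:` label in the second hunk is only correct if every path reaching it has already redirected bo->resv at ttm_resv, so that the preceding `__ttm_bo_unreserve(bo)` releases that lock instead. That invariant is now established in the hunk above and relied on here, and the timeout path arrives via `goto error` rather than through the unreserve; a comment at the `error:` label stating the expected lock state would make the two arrival paths checkable.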
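Review bot: removing the `list_empty(&bo->ddestroy)` distinction and the local `resv` in ttm_bo_cleanup_refs_and_unlock (third hunk) makes the function assume that every BO on the ddestroy list already has bo->resv pointing at ttm_resv. If a caller such as ttm_bo_delayed_delete, the path Michel reports reserving an already destroyed BO, reaches a BO before the swap in ttm_bo_cleanup_refs_or_queue has happened, the signaled test now runs on the original shared resv rather than the individualized one. A comment stating the precondition, or a `WARN_ON(!list_empty(&bo->ddestroy) && bo->resv != &bo->ttm_resv)` at the top of the function, would make the assumption enforceable.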
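Review bot: the last hunk passes `bo->resv` to reservation_object_wait_timeout_rcu after `ww_mutex_unlock(&bo->resv->lock)` and `spin_unlock(&glob->lru_lock)`, i.e. with no lock held, whereas the removed code waited on the `resv` pointer captured while still locked. With the first hunk now changing bo->resv under lru_lock from another thread, this wait can observe either object and may wait on a different reservation object than the one re-tested afterwards. Suggest snapshotting the pointer into a local before dropping the locks (keeping the `resv` local this patch removes) so the wait and the subsequent check refer to the same object.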