| Message ID | 20170814100721.13340-1-maarten.lankhorst@linux.intel.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
2017-08-14 Maarten Lankhorst <maarten.lankhorst@linux.intel.com>: > complete_crtc_signaling is freeing fence_state, but when retrying > num_fences and fence_state are not zero'd. This caused duplicate > fd's in the fence_state array, followed by a BUG_ON in fs/file.c > because we reallocate freed memory, and installing over an existing > fd, or potential other fun. > > Zero fence_state and num_fences correctly in the retry loop, which > allows kms_atomic_transition to pass. > > Fixes: beaf5af48034 ("drm/fence: add out-fences support") > Cc: Gustavo Padovan <gustavo.padovan@collabora.co.uk> > Cc: Brian Starkey <brian.starkey@arm.com> (v10) > Cc: Sean Paul <seanpaul@chromium.org> > Cc: Daniel Vetter <daniel.vetter@ffwll.ch> > Cc: Jani Nikula <jani.nikula@linux.intel.com> > Cc: David Airlie <airlied@linux.ie> > Signed-off-by: Maarten Lankhorst <maarten.lankhorst@linux.intel.com> > Cc: <stable@vger.kernel.org> # v4.10+ > Testcase: kms_atomic_transitions.plane-all-modeset-transition-fencing > (with CONFIG_DEBUG_WW_MUTEX_SLOWPATH=y) > --- > drivers/gpu/drm/drm_atomic.c | 6 ++++-- > 1 file changed, 4 insertions(+), 2 deletions(-) Reviewed-by: Gustavo Padovan <gustavo.padovan@collabora.com> Gustavo
On Fri, Aug 18, 2017 at 01:59:10PM -0300, Gustavo Padovan wrote: > 2017-08-14 Maarten Lankhorst <maarten.lankhorst@linux.intel.com>: > > > complete_crtc_signaling is freeing fence_state, but when retrying > > num_fences and fence_state are not zero'd. This caused duplicate > > fd's in the fence_state array, followed by a BUG_ON in fs/file.c > > because we reallocate freed memory, and installing over an existing > > fd, or potential other fun. > > > > Zero fence_state and num_fences correctly in the retry loop, which > > allows kms_atomic_transition to pass. > > > > Fixes: beaf5af48034 ("drm/fence: add out-fences support") > > Cc: Gustavo Padovan <gustavo.padovan@collabora.co.uk> > > Cc: Brian Starkey <brian.starkey@arm.com> (v10) > > Cc: Sean Paul <seanpaul@chromium.org> > > Cc: Daniel Vetter <daniel.vetter@ffwll.ch> > > Cc: Jani Nikula <jani.nikula@linux.intel.com> > > Cc: David Airlie <airlied@linux.ie> > > Signed-off-by: Maarten Lankhorst <maarten.lankhorst@linux.intel.com> > > Cc: <stable@vger.kernel.org> # v4.10+ > > Testcase: kms_atomic_transitions.plane-all-modeset-transition-fencing > > (with CONFIG_DEBUG_WW_MUTEX_SLOWPATH=y) > > --- > > drivers/gpu/drm/drm_atomic.c | 6 ++++-- > > 1 file changed, 4 insertions(+), 2 deletions(-) > > Reviewed-by: Gustavo Padovan <gustavo.padovan@collabora.com> Hm somehow this fell through, applied to drm-misc-fixes. -Daniel
On Fri, Aug 18, 2017 at 10:13:08PM +0200, Daniel Vetter wrote: > On Fri, Aug 18, 2017 at 01:59:10PM -0300, Gustavo Padovan wrote: > > 2017-08-14 Maarten Lankhorst <maarten.lankhorst@linux.intel.com>: > > > > > complete_crtc_signaling is freeing fence_state, but when retrying > > > num_fences and fence_state are not zero'd. This caused duplicate > > > fd's in the fence_state array, followed by a BUG_ON in fs/file.c > > > because we reallocate freed memory, and installing over an existing > > > fd, or potential other fun. > > > > > > Zero fence_state and num_fences correctly in the retry loop, which > > > allows kms_atomic_transition to pass. > > > > > > Fixes: beaf5af48034 ("drm/fence: add out-fences support") > > > Cc: Gustavo Padovan <gustavo.padovan@collabora.co.uk> > > > Cc: Brian Starkey <brian.starkey@arm.com> (v10) > > > Cc: Sean Paul <seanpaul@chromium.org> > > > Cc: Daniel Vetter <daniel.vetter@ffwll.ch> > > > Cc: Jani Nikula <jani.nikula@linux.intel.com> > > > Cc: David Airlie <airlied@linux.ie> > > > Signed-off-by: Maarten Lankhorst <maarten.lankhorst@linux.intel.com> > > > Cc: <stable@vger.kernel.org> # v4.10+ > > > Testcase: kms_atomic_transitions.plane-all-modeset-transition-fencing > > > (with CONFIG_DEBUG_WW_MUTEX_SLOWPATH=y) > > > --- > > > drivers/gpu/drm/drm_atomic.c | 6 ++++-- > > > 1 file changed, 4 insertions(+), 2 deletions(-) > > > > Reviewed-by: Gustavo Padovan <gustavo.padovan@collabora.com> > > Hm somehow this fell through, applied to drm-misc-fixes. Actually it was merged already, I was on an old -fixes. -Daniel
diff --git a/drivers/gpu/drm/drm_atomic.c b/drivers/gpu/drm/drm_atomic.c index 1b755439f591..8ec9be4f5d50 100644 --- a/drivers/gpu/drm/drm_atomic.c +++ b/drivers/gpu/drm/drm_atomic.c @@ -2203,10 +2203,10 @@ int drm_mode_atomic_ioctl(struct drm_device *dev, struct drm_atomic_state *state; struct drm_modeset_acquire_ctx ctx; struct drm_plane *plane; - struct drm_out_fence_state *fence_state = NULL; + struct drm_out_fence_state *fence_state; unsigned plane_mask; int ret = 0; - unsigned int i, j, num_fences = 0; + unsigned int i, j, num_fences; /* disallow for drivers not supporting atomic: */ if (!drm_core_check_feature(dev, DRIVER_ATOMIC)) @@ -2247,6 +2247,8 @@ int drm_mode_atomic_ioctl(struct drm_device *dev, plane_mask = 0; copied_objs = 0; copied_props = 0; + fence_state = NULL; + num_fences = 0; for (i = 0; i < arg->count_objs; i++) { uint32_t obj_id, count_props;
complete_crtc_signaling is freeing fence_state, but when retrying num_fences and fence_state are not zero'd. This caused duplicate fd's in the fence_state array, followed by a BUG_ON in fs/file.c because we reallocate freed memory, and installing over an existing fd, or potential other fun. Zero fence_state and num_fences correctly in the retry loop, which allows kms_atomic_transition to pass. Fixes: beaf5af48034 ("drm/fence: add out-fences support") Cc: Gustavo Padovan <gustavo.padovan@collabora.co.uk> Cc: Brian Starkey <brian.starkey@arm.com> (v10) Cc: Sean Paul <seanpaul@chromium.org> Cc: Daniel Vetter <daniel.vetter@ffwll.ch> Cc: Jani Nikula <jani.nikula@linux.intel.com> Cc: David Airlie <airlied@linux.ie> Signed-off-by: Maarten Lankhorst <maarten.lankhorst@linux.intel.com> Cc: <stable@vger.kernel.org> # v4.10+ Testcase: kms_atomic_transitions.plane-all-modeset-transition-fencing (with CONFIG_DEBUG_WW_MUTEX_SLOWPATH=y) --- drivers/gpu/drm/drm_atomic.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-)