Hi Daniel,
On Wed, 20 May 2020 20:02:32 +0200 Daniel Vetter daniel.vetter@ffwll.ch wrote:
- Ditch the ->pages array
- Make it a private gem bo, which means no shmem object, which means fireworks if anyone calls drm_gem_object_get_pages. But we've just made sure that's all covered.
v2: Rebase
Acked-by: Thomas Zimmermann tzimmermann@suse.de Cc: Gerd Hoffmann kraxel@redhat.com Cc: Rob Herring robh@kernel.org Cc: Noralf Trønnes noralf@tronnes.org Signed-off-by: Daniel Vetter daniel.vetter@intel.com
I see a bunch of
[ 38.261313] ------------[ cut here ]------------ [ 38.261740] WARNING: CPU: 4 PID: 2945 at drivers/gpu/drm/drm_gem_shmem_helper.c:137 drm_gem_shmem_free_object+0xb4/0xe0 [ 38.262676] Modules linked in: [ 38.262949] CPU: 4 PID: 2945 Comm: Xwayland Not tainted 5.7.0-rc1-00111-g9c7e526c43d0 #520 [ 38.263667] Hardware name: Radxa ROCK Pi 4 (DT) [ 38.264062] pstate: 60000005 (nZCv daif -PAN -UAO) [ 38.264482] pc : drm_gem_shmem_free_object+0xb4/0xe0 [ 38.264916] lr : drm_gem_shmem_free_object+0x38/0xe0 [ 38.265348] sp : ffff800011cebbb0 [ 38.265639] x29: ffff800011cebbb0 x28: ffff800011cebd88 [ 38.266102] x27: 0000000000000000 x26: ffff000072a1f400 [ 38.266566] x25: 0000000000000009 x24: ffff000072a1f400 [ 38.267029] x23: 0000000000000002 x22: ffff000079409080 [ 38.267492] x21: ffff000079409280 x20: ffff00006c304800 [ 38.267955] x19: ffff00006c304800 x18: 0000000000000000 [ 38.268417] x17: 0000000000000000 x16: 0000000000000000 [ 38.268880] x15: 0000000000000000 x14: 0000000000000000 [ 38.269343] x13: 0001000000000000 x12: 0000000000000008 [ 38.269806] x11: 000000000000ffff x10: 0000000000000000 [ 38.270269] x9 : 0000000000000001 x8 : 0000000000210d00 [ 38.270732] x7 : 0000000000000001 x6 : ffff800011307980 [ 38.271195] x5 : ffff00006641c240 x4 : ffff00006ee1b400 [ 38.271656] x3 : 0000000000000004 x2 : aafbc6f338cf6000 [ 38.272119] x1 : 0000000000000000 x0 : 00000000ffffffff [ 38.272583] Call trace: [ 38.272799] drm_gem_shmem_free_object+0xb4/0xe0 [ 38.273203] panfrost_gem_free_object+0xf0/0x128 [ 38.273608] drm_gem_object_free+0x18/0x40 [ 38.273967] drm_gem_object_handle_put_unlocked+0xe4/0xe8 [ 38.274439] drm_gem_object_release_handle+0x6c/0x98 [ 38.274872] drm_gem_handle_delete+0x84/0x140 [ 38.275253] drm_gem_close_ioctl+0x2c/0x40 [ 38.275612] drm_ioctl_kernel+0xb8/0x108 [ 38.275954] drm_ioctl+0x214/0x450 [ 38.276255] ksys_ioctl+0xa0/0xe0 [ 38.276546] __arm64_sys_ioctl+0x1c/0x28 [ 38.276891] el0_svc_common.constprop.0+0x68/0x160 [ 38.277310] do_el0_svc+0x20/0x80 [ 38.277602] el0_sync_handler+0x10c/0x178 [ 38.277952] el0_sync+0x140/0x180 [ 38.278242] ---[ end trace db5754ef8b213ce5 ]---
after applying that patch. Didn't have time to dig through it, unfortunately.
drivers/gpu/drm/drm_gem_shmem_helper.c | 59 ++++++++++---------------- 1 file changed, 23 insertions(+), 36 deletions(-)
diff --git a/drivers/gpu/drm/drm_gem_shmem_helper.c b/drivers/gpu/drm/drm_gem_shmem_helper.c index 06cee8e97d27..f6854af206d2 100644 --- a/drivers/gpu/drm/drm_gem_shmem_helper.c +++ b/drivers/gpu/drm/drm_gem_shmem_helper.c @@ -35,22 +35,12 @@ static const struct drm_gem_object_funcs drm_gem_shmem_funcs = { .mmap = drm_gem_shmem_mmap, };
-/**
- drm_gem_shmem_create - Allocate an object with the given size
- @dev: DRM device
- @size: Size of the object to allocate
- This function creates a shmem GEM object.
- Returns:
- A struct drm_gem_shmem_object * on success or an ERR_PTR()-encoded negative
- error code on failure.
- */
-struct drm_gem_shmem_object *drm_gem_shmem_create(struct drm_device *dev, size_t size) +static struct drm_gem_shmem_object * +__drm_gem_shmem_create(struct drm_device *dev, size_t size, bool private) { struct drm_gem_shmem_object *shmem; struct drm_gem_object *obj;
- int ret;
int ret = 0;
size = PAGE_ALIGN(size);
@@ -64,7 +54,10 @@ struct drm_gem_shmem_object *drm_gem_shmem_create(struct drm_device *dev, size_t if (!obj->funcs) obj->funcs = &drm_gem_shmem_funcs;
- ret = drm_gem_object_init(dev, obj, size);
- if (private)
drm_gem_private_object_init(dev, obj, size);- else
ret = drm_gem_object_init(dev, obj, size);@@ -96,6 +89,21 @@ struct drm_gem_shmem_object *drm_gem_shmem_create(struct drm_device *dev, size_t
return ERR_PTR(ret); } +/**
- drm_gem_shmem_create - Allocate an object with the given size
- @dev: DRM device
- @size: Size of the object to allocate
- This function creates a shmem GEM object.
- Returns:
- A struct drm_gem_shmem_object * on success or an ERR_PTR()-encoded negative
- error code on failure.
- */
+struct drm_gem_shmem_object *drm_gem_shmem_create(struct drm_device *dev, size_t size) +{
- return __drm_gem_shmem_create(dev, size, false);
+} EXPORT_SYMBOL_GPL(drm_gem_shmem_create);
/** @@ -115,7 +123,6 @@ void drm_gem_shmem_free_object(struct drm_gem_object *obj) if (obj->import_attach) { shmem->pages_use_count--; drm_prime_gem_destroy(obj, shmem->sgt);
kvfree(shmem->pages);@@ -371,7 +378,7 @@ drm_gem_shmem_create_with_handle(struct drm_file *file_priv, struct drm_gem_shmem_object *shmem; int ret;
- shmem = drm_gem_shmem_create(dev, size);
- shmem = __drm_gem_shmem_create(dev, size, true); if (IS_ERR(shmem)) return shmem;
@@ -695,36 +702,16 @@ drm_gem_shmem_prime_import_sg_table(struct drm_device *dev, struct sg_table *sgt) { size_t size = PAGE_ALIGN(attach->dmabuf->size);
size_t npages = size >> PAGE_SHIFT; struct drm_gem_shmem_object *shmem;
int ret;
shmem = drm_gem_shmem_create(dev, size); if (IS_ERR(shmem)) return ERR_CAST(shmem);
shmem->pages = kvmalloc_array(npages, sizeof(struct page *), GFP_KERNEL);
if (!shmem->pages) {
ret = -ENOMEM;goto err_free_gem;}
ret = drm_prime_sg_to_page_addr_arrays(sgt, shmem->pages, NULL, npages);
if (ret < 0)
goto err_free_array;shmem->sgt = sgt;
shmem->pages_use_count = 1; /* Permanently pinned from our point of view */
DRM_DEBUG_PRIME("size = %zu\n", size);
return &shmem->base;
-err_free_array:
- kvfree(shmem->pages);
-err_free_gem:
- drm_gem_object_put(&shmem->base);
- return ERR_PTR(ret);
} EXPORT_SYMBOL_GPL(drm_gem_shmem_prime_import_sg_table);