The locking of release_lock was stupid; it should have been be called with fence_lock_irq if it was legitimately used. Unfortunately it never protected anything except the fence implementation correctly.
Signed-off-by: Maarten Lankhorst maarten.lankhorst@canonical.com --- drivers/gpu/drm/qxl/qxl_debugfs.c | 2 -- drivers/gpu/drm/qxl/qxl_release.c | 9 +++------ 2 files changed, 3 insertions(+), 8 deletions(-)
diff --git a/drivers/gpu/drm/qxl/qxl_debugfs.c b/drivers/gpu/drm/qxl/qxl_debugfs.c index a4a63fd84803..6911b8c44492 100644 --- a/drivers/gpu/drm/qxl/qxl_debugfs.c +++ b/drivers/gpu/drm/qxl/qxl_debugfs.c @@ -57,7 +57,6 @@ qxl_debugfs_buffers_info(struct seq_file *m, void *data) struct qxl_device *qdev = node->minor->dev->dev_private; struct qxl_bo *bo;
- spin_lock(&qdev->release_lock); list_for_each_entry(bo, &qdev->gem.objects, list) { struct reservation_object_list *fobj; int rel; @@ -71,7 +70,6 @@ qxl_debugfs_buffers_info(struct seq_file *m, void *data) (unsigned long)bo->gem_base.size, bo->pin_count, rel); } - spin_unlock(&qdev->release_lock); return 0; }
diff --git a/drivers/gpu/drm/qxl/qxl_release.c b/drivers/gpu/drm/qxl/qxl_release.c index 15158c5a5b3a..828d47e90dce 100644 --- a/drivers/gpu/drm/qxl/qxl_release.c +++ b/drivers/gpu/drm/qxl/qxl_release.c @@ -71,7 +71,7 @@ static long qxl_fence_wait(struct fence *fence, bool intr, signed long timeout) retry: sc++;
- if (fence_is_signaled_locked(fence)) + if (fence_is_signaled(fence)) goto signaled;
qxl_io_notify_oom(qdev); @@ -80,11 +80,11 @@ retry: if (!qxl_queue_garbage_collect(qdev, true)) break;
- if (fence_is_signaled_locked(fence)) + if (fence_is_signaled(fence)) goto signaled; }
- if (fence_is_signaled_locked(fence)) + if (fence_is_signaled(fence)) goto signaled;
if (have_drawable_releases || sc < 4) { @@ -457,8 +457,6 @@ void qxl_release_fence_buffer_objects(struct qxl_release *release) glob = bo->glob;
spin_lock(&glob->lru_lock); - /* acquire release_lock to protect bo->resv->fence and its contents */ - spin_lock(&qdev->release_lock);
list_for_each_entry(entry, &release->bos, head) { bo = entry->bo; @@ -468,7 +466,6 @@ void qxl_release_fence_buffer_objects(struct qxl_release *release) ttm_bo_add_to_lru(bo); __ttm_bo_unreserve(bo); } - spin_unlock(&qdev->release_lock); spin_unlock(&glob->lru_lock); ww_acquire_fini(&release->ticket); }
This is how you implement a sieve in a driver. ;-)
Signed-off-by: Maarten Lankhorst maarten.lankhorst@canonical.com --- drivers/gpu/drm/qxl/qxl_release.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/drivers/gpu/drm/qxl/qxl_release.c b/drivers/gpu/drm/qxl/qxl_release.c index 828d47e90dce..29ab4ec44c40 100644 --- a/drivers/gpu/drm/qxl/qxl_release.c +++ b/drivers/gpu/drm/qxl/qxl_release.c @@ -162,12 +162,14 @@ static void qxl_release_free_list(struct qxl_release *release) { while (!list_empty(&release->bos)) { - struct ttm_validate_buffer *entry; + struct qxl_bo_list *entry; + struct qxl_bo *bo;
entry = container_of(release->bos.next, - struct ttm_validate_buffer, head); - - list_del(&entry->head); + struct qxl_bo_list, tv.head); + bo = to_qxl_bo(entry->tv.bo); + qxl_bo_unref(&bo); + list_del(&entry->tv.head); kfree(entry); } }
This crash was already here before the conversion, but qxl never leaked hard enough to hit this.
Signed-off-by: Maarten Lankhorst maarten.lankhorst@canonical.com --- The crash is probably only going to happen in extreme memory stress when the system's already fucked, but hey still a bug. :-)
drivers/gpu/drm/qxl/qxl_release.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/qxl/qxl_release.c b/drivers/gpu/drm/qxl/qxl_release.c index 29ab4ec44c40..a6e19c83143e 100644 --- a/drivers/gpu/drm/qxl/qxl_release.c +++ b/drivers/gpu/drm/qxl/qxl_release.c @@ -440,7 +440,7 @@ void qxl_release_fence_buffer_objects(struct qxl_release *release)
/* if only one object on the release its the release itself since these objects are pinned no need to reserve */ - if (list_is_singular(&release->bos)) + if (list_is_singular(&release->bos) || list_empty(&release->bos)) return;
bo = list_first_entry(&release->bos, struct ttm_validate_buffer, head)->bo;
dri-devel@lists.freedesktop.org
-
Maarten Lankhorst