Re: [Freedreno] [PATCH v2 1/6] drm: msm: remove resv fields from msm_gem_object struct
On Mon, May 13, 2019 at 01:32:39PM -0700, Bjorn Andersson wrote:
> On Wed 08 May 19:03 PDT 2019, Brian Masney wrote:
>
> > The msm_gem_object structure contains resv and _resv fields that are
> > no longer needed since the reservation object is now stored on
> > drm_gem_object. msm_atomic_prepare_fb() and msm_atomic_prepare_fb()
> > both referenced the wrong reservation object, and would lead to an
> > attempt to dereference a NULL pointer. Correct those two cases to
> > point to the correct reservation object.
> >
> > Signed-off-by: Brian Masney
> > Fixes: dd55cf6929e6 ("drm: msm: Switch to use drm_gem_object
> > reservation_object")
>
> Reviewed-by: Bjorn Andersson
> Tested-by: Bjorn Andersson
>
> This resolves a NULL-pointer dereference about to show up in v5.2-rc1,
> so please pick this up for -rc.
Let me send out another version of just this patch. This snippet below
that I removed needs to stay. I got a little too over eager removing
code.
> > @@ -973,9 +973,6 @@ static int msm_gem_new_impl(struct drm_device *dev,
> > msm_obj->flags = flags;
> > msm_obj->madv = MSM_MADV_WILLNEED;
> >
> > - if (resv)
> > - msm_obj->base.resv = resv;
> > -
> > INIT_LIST_HEAD(_obj->submit_entry);
> > INIT_LIST_HEAD(_obj->vmas);
> >
Brian
___
Freedreno mailing list
Freedreno@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/freedreno
Re: [Freedreno] [PATCH v2 1/6] drm: msm: remove resv fields from msm_gem_object struct
On Wed 08 May 19:03 PDT 2019, Brian Masney wrote:
> The msm_gem_object structure contains resv and _resv fields that are
> no longer needed since the reservation object is now stored on
> drm_gem_object. msm_atomic_prepare_fb() and msm_atomic_prepare_fb()
> both referenced the wrong reservation object, and would lead to an
> attempt to dereference a NULL pointer. Correct those two cases to
> point to the correct reservation object.
>
> Signed-off-by: Brian Masney
> Fixes: dd55cf6929e6 ("drm: msm: Switch to use drm_gem_object
> reservation_object")
Reviewed-by: Bjorn Andersson
Tested-by: Bjorn Andersson
This resolves a NULL-pointer dereference about to show up in v5.2-rc1,
so please pick this up for -rc.
Regards,
Bjorn
> ---
> Patch introduced in v2
>
> drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c | 4 +---
> drivers/gpu/drm/msm/msm_atomic.c | 4 +---
> drivers/gpu/drm/msm/msm_gem.c | 3 ---
> drivers/gpu/drm/msm/msm_gem.h | 4
> 4 files changed, 2 insertions(+), 13 deletions(-)
>
> diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c
> b/drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c
> index da1f727d7495..ce1a555e1f31 100644
> --- a/drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c
> +++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c
> @@ -780,7 +780,6 @@ static int dpu_plane_prepare_fb(struct drm_plane *plane,
> struct dpu_plane_state *pstate = to_dpu_plane_state(new_state);
> struct dpu_hw_fmt_layout layout;
> struct drm_gem_object *obj;
> - struct msm_gem_object *msm_obj;
> struct dma_fence *fence;
> struct dpu_kms *kms = _dpu_plane_get_kms(>base);
> int ret;
> @@ -799,8 +798,7 @@ static int dpu_plane_prepare_fb(struct drm_plane *plane,
>* implicit fence and fb prepare by hand here.
>*/
> obj = msm_framebuffer_bo(new_state->fb, 0);
> - msm_obj = to_msm_bo(obj);
> - fence = reservation_object_get_excl_rcu(msm_obj->resv);
> + fence = reservation_object_get_excl_rcu(obj->resv);
> if (fence)
> drm_atomic_set_fence_for_plane(new_state, fence);
>
> diff --git a/drivers/gpu/drm/msm/msm_atomic.c
> b/drivers/gpu/drm/msm/msm_atomic.c
> index f5b1256e32b6..131c23a267ee 100644
> --- a/drivers/gpu/drm/msm/msm_atomic.c
> +++ b/drivers/gpu/drm/msm/msm_atomic.c
> @@ -49,15 +49,13 @@ int msm_atomic_prepare_fb(struct drm_plane *plane,
> struct msm_drm_private *priv = plane->dev->dev_private;
> struct msm_kms *kms = priv->kms;
> struct drm_gem_object *obj;
> - struct msm_gem_object *msm_obj;
> struct dma_fence *fence;
>
> if (!new_state->fb)
> return 0;
>
> obj = msm_framebuffer_bo(new_state->fb, 0);
> - msm_obj = to_msm_bo(obj);
> - fence = reservation_object_get_excl_rcu(msm_obj->resv);
> + fence = reservation_object_get_excl_rcu(obj->resv);
>
> drm_atomic_set_fence_for_plane(new_state, fence);
>
> diff --git a/drivers/gpu/drm/msm/msm_gem.c b/drivers/gpu/drm/msm/msm_gem.c
> index 31d5a744d84f..947508e8269d 100644
> --- a/drivers/gpu/drm/msm/msm_gem.c
> +++ b/drivers/gpu/drm/msm/msm_gem.c
> @@ -973,9 +973,6 @@ static int msm_gem_new_impl(struct drm_device *dev,
> msm_obj->flags = flags;
> msm_obj->madv = MSM_MADV_WILLNEED;
>
> - if (resv)
> - msm_obj->base.resv = resv;
> -
> INIT_LIST_HEAD(_obj->submit_entry);
> INIT_LIST_HEAD(_obj->vmas);
>
> diff --git a/drivers/gpu/drm/msm/msm_gem.h b/drivers/gpu/drm/msm/msm_gem.h
> index c5ac781dffee..812d1b1369a5 100644
> --- a/drivers/gpu/drm/msm/msm_gem.h
> +++ b/drivers/gpu/drm/msm/msm_gem.h
> @@ -86,10 +86,6 @@ struct msm_gem_object {
>
> struct llist_node freed;
>
> - /* normally (resv == &_resv) except for imported bo's */
> - struct reservation_object *resv;
> - struct reservation_object _resv;
> -
> /* For physically contiguous buffers. Used when we don't have
>* an IOMMU. Also used for stolen/splashscreen buffer.
>*/
> --
> 2.20.1
>
___
Freedreno mailing list
Freedreno@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/freedreno
[Freedreno] [PATCH v2 1/6] drm: msm: remove resv fields from msm_gem_object struct
The msm_gem_object structure contains resv and _resv fields that are
no longer needed since the reservation object is now stored on
drm_gem_object. msm_atomic_prepare_fb() and msm_atomic_prepare_fb()
both referenced the wrong reservation object, and would lead to an
attempt to dereference a NULL pointer. Correct those two cases to
point to the correct reservation object.
Signed-off-by: Brian Masney
Fixes: dd55cf6929e6 ("drm: msm: Switch to use drm_gem_object
reservation_object")
---
Patch introduced in v2
drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c | 4 +---
drivers/gpu/drm/msm/msm_atomic.c | 4 +---
drivers/gpu/drm/msm/msm_gem.c | 3 ---
drivers/gpu/drm/msm/msm_gem.h | 4
4 files changed, 2 insertions(+), 13 deletions(-)
diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c
b/drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c
index da1f727d7495..ce1a555e1f31 100644
--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c
+++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c
@@ -780,7 +780,6 @@ static int dpu_plane_prepare_fb(struct drm_plane *plane,
struct dpu_plane_state *pstate = to_dpu_plane_state(new_state);
struct dpu_hw_fmt_layout layout;
struct drm_gem_object *obj;
- struct msm_gem_object *msm_obj;
struct dma_fence *fence;
struct dpu_kms *kms = _dpu_plane_get_kms(>base);
int ret;
@@ -799,8 +798,7 @@ static int dpu_plane_prepare_fb(struct drm_plane *plane,
* implicit fence and fb prepare by hand here.
*/
obj = msm_framebuffer_bo(new_state->fb, 0);
- msm_obj = to_msm_bo(obj);
- fence = reservation_object_get_excl_rcu(msm_obj->resv);
+ fence = reservation_object_get_excl_rcu(obj->resv);
if (fence)
drm_atomic_set_fence_for_plane(new_state, fence);
diff --git a/drivers/gpu/drm/msm/msm_atomic.c b/drivers/gpu/drm/msm/msm_atomic.c
index f5b1256e32b6..131c23a267ee 100644
--- a/drivers/gpu/drm/msm/msm_atomic.c
+++ b/drivers/gpu/drm/msm/msm_atomic.c
@@ -49,15 +49,13 @@ int msm_atomic_prepare_fb(struct drm_plane *plane,
struct msm_drm_private *priv = plane->dev->dev_private;
struct msm_kms *kms = priv->kms;
struct drm_gem_object *obj;
- struct msm_gem_object *msm_obj;
struct dma_fence *fence;
if (!new_state->fb)
return 0;
obj = msm_framebuffer_bo(new_state->fb, 0);
- msm_obj = to_msm_bo(obj);
- fence = reservation_object_get_excl_rcu(msm_obj->resv);
+ fence = reservation_object_get_excl_rcu(obj->resv);
drm_atomic_set_fence_for_plane(new_state, fence);
diff --git a/drivers/gpu/drm/msm/msm_gem.c b/drivers/gpu/drm/msm/msm_gem.c
index 31d5a744d84f..947508e8269d 100644
--- a/drivers/gpu/drm/msm/msm_gem.c
+++ b/drivers/gpu/drm/msm/msm_gem.c
@@ -973,9 +973,6 @@ static int msm_gem_new_impl(struct drm_device *dev,
msm_obj->flags = flags;
msm_obj->madv = MSM_MADV_WILLNEED;
- if (resv)
- msm_obj->base.resv = resv;
-
INIT_LIST_HEAD(_obj->submit_entry);
INIT_LIST_HEAD(_obj->vmas);
diff --git a/drivers/gpu/drm/msm/msm_gem.h b/drivers/gpu/drm/msm/msm_gem.h
index c5ac781dffee..812d1b1369a5 100644
--- a/drivers/gpu/drm/msm/msm_gem.h
+++ b/drivers/gpu/drm/msm/msm_gem.h
@@ -86,10 +86,6 @@ struct msm_gem_object {
struct llist_node freed;
- /* normally (resv == &_resv) except for imported bo's */
- struct reservation_object *resv;
- struct reservation_object _resv;
-
/* For physically contiguous buffers. Used when we don't have
* an IOMMU. Also used for stolen/splashscreen buffer.
*/
--
2.20.1
___
Freedreno mailing list
Freedreno@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/freedreno
