mirror of
https://mirrors.bfsu.edu.cn/git/linux.git
synced 2024-11-29 07:04:10 +08:00
1d204ee108
The res is initialized here only if there's no errors so passing it to
ttm_resource_fini in the error paths results in a kernel oops. In the
error paths, instead of the unitialized res, we have to use to use
node->base on which ttm_resource_init was called.
Sample affected backtrace:
Unable to handle kernel NULL pointer dereference at virtual address 00000000000000d8
Mem abort info:
ESR = 0x96000004
EC = 0x25: DABT (current EL), IL = 32 bits
SET = 0, FnV = 0
EA = 0, S1PTW = 0
FSC = 0x04: level 0 translation fault
Data abort info:
ISV = 0, ISS = 0x00000004
CM = 0, WnR = 0
user pgtable: 4k pages, 48-bit VAs, pgdp=0000000106ac0000
[00000000000000d8] pgd=0000000000000000, p4d=0000000000000000
Internal error: Oops: 96000004 [#1] SMP
Modules linked in: bnep vsock_loopback vmw_vsock_virtio_transport_common
vsock snd_hda_codec_generic snd_hda_intel snd_intel_dspcfg snd_hda_codec
snd_hwdep >
CPU: 0 PID: 1197 Comm: gnome-shell Tainted: G U 5.17.0-rc2-vmwgfx #2
Hardware name: VMware, Inc. VBSA/VBSA, BIOS VEFI 12/31/2020
pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : ttm_resource_fini+0x5c/0xac [ttm]
lr : ttm_range_man_alloc+0x128/0x1e0 [ttm]
sp : ffff80000d783510
x29: ffff80000d783510 x28: 0000000000000000 x27: ffff000086514400
x26: 0000000000000300 x25: ffff0000809f9e78 x24: 0000000000000000
x23: ffff80000d783680 x22: ffff000086514400 x21: 00000000ffffffe4
x20: ffff80000d7836a0 x19: ffff0000809f9e00 x18: 0000000000000000
x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000
x14: 0000000000000000 x13: 0000000000000800 x12: ffff0000f2600a00
x11: 000000000000fc96 x10: 0000000000000000 x9 : ffff800001295c18
x8 : 0000000000000000 x7 : 0000000000000300 x6 : 0000000000000000
x5 : 0000000000000000 x4 : ffff0000f1034e20 x3 : ffff0000f1034600
x2 : 0000000000000000 x1 : 0000000000000000 x0 : 0000000000600000
Call trace:
ttm_resource_fini+0x5c/0xac [ttm]
ttm_range_man_alloc+0x128/0x1e0 [ttm]
ttm_resource_alloc+0x58/0x90 [ttm]
ttm_bo_mem_space+0xc8/0x3e4 [ttm]
ttm_bo_validate+0xb4/0x134 [ttm]
vmw_bo_pin_in_start_of_vram+0xbc/0x200 [vmwgfx]
vmw_framebuffer_pin+0xc0/0x154 [vmwgfx]
vmw_ldu_primary_plane_atomic_update+0x8c/0x6e0 [vmwgfx]
drm_atomic_helper_commit_planes+0x11c/0x2e0
drm_atomic_helper_commit_tail+0x60/0xb0
commit_tail+0x1b0/0x210
drm_atomic_helper_commit+0x168/0x400
drm_atomic_commit+0x64/0x74
drm_atomic_helper_set_config+0xdc/0x11c
drm_mode_setcrtc+0x1c4/0x780
drm_ioctl_kernel+0xd0/0x1a0
drm_ioctl+0x2c4/0x690
vmw_generic_ioctl+0xe0/0x174 [vmwgfx]
vmw_unlocked_ioctl+0x24/0x30 [vmwgfx]
__arm64_sys_ioctl+0xb4/0x100
invoke_syscall+0x78/0x100
el0_svc_common.constprop.0+0x54/0x184
do_el0_svc+0x34/0x9c
el0_svc+0x48/0x1b0
el0t_64_sync_handler+0xa4/0x130
el0t_64_sync+0x1a4/0x1a8
Code: 35000260 f9401a81 52800002 f9403a60 (f9406c23)
---[ end trace 0000000000000000 ]---
Signed-off-by: Zack Rusin <zackr@vmware.com>
Fixes: de3688e469 ("drm/ttm: add ttm_resource_fini v2")
Cc: Christian König <christian.koenig@amd.com>
Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
Reviewed-by: Martin Krastev <krastevm@vmware.com>
Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Christian König <christian.koenig@amd.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20220318174332.440068-6-zack@kde.org
209 lines
5.7 KiB
C
209 lines
5.7 KiB
C
/* SPDX-License-Identifier: GPL-2.0 OR MIT */
|
|
/**************************************************************************
|
|
*
|
|
* Copyright (c) 2007-2010 VMware, Inc., Palo Alto, CA., USA
|
|
* All Rights Reserved.
|
|
*
|
|
* Permission is hereby granted, free of charge, to any person obtaining a
|
|
* copy of this software and associated documentation files (the
|
|
* "Software"), to deal in the Software without restriction, including
|
|
* without limitation the rights to use, copy, modify, merge, publish,
|
|
* distribute, sub license, and/or sell copies of the Software, and to
|
|
* permit persons to whom the Software is furnished to do so, subject to
|
|
* the following conditions:
|
|
*
|
|
* The above copyright notice and this permission notice (including the
|
|
* next paragraph) shall be included in all copies or substantial portions
|
|
* of the Software.
|
|
*
|
|
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
|
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
|
* FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT. IN NO EVENT SHALL
|
|
* THE COPYRIGHT HOLDERS, AUTHORS AND/OR ITS SUPPLIERS BE LIABLE FOR ANY CLAIM,
|
|
* DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
|
|
* OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE
|
|
* USE OR OTHER DEALINGS IN THE SOFTWARE.
|
|
*
|
|
**************************************************************************/
|
|
/*
|
|
* Authors: Thomas Hellstrom <thellstrom-at-vmware-dot-com>
|
|
*/
|
|
|
|
#include <drm/ttm/ttm_device.h>
|
|
#include <drm/ttm/ttm_placement.h>
|
|
#include <drm/ttm/ttm_range_manager.h>
|
|
#include <drm/ttm/ttm_bo_api.h>
|
|
#include <drm/drm_mm.h>
|
|
#include <linux/slab.h>
|
|
#include <linux/spinlock.h>
|
|
|
|
/*
|
|
* Currently we use a spinlock for the lock, but a mutex *may* be
|
|
* more appropriate to reduce scheduling latency if the range manager
|
|
* ends up with very fragmented allocation patterns.
|
|
*/
|
|
|
|
struct ttm_range_manager {
|
|
struct ttm_resource_manager manager;
|
|
struct drm_mm mm;
|
|
spinlock_t lock;
|
|
};
|
|
|
|
static inline struct ttm_range_manager *
|
|
to_range_manager(struct ttm_resource_manager *man)
|
|
{
|
|
return container_of(man, struct ttm_range_manager, manager);
|
|
}
|
|
|
|
static int ttm_range_man_alloc(struct ttm_resource_manager *man,
|
|
struct ttm_buffer_object *bo,
|
|
const struct ttm_place *place,
|
|
struct ttm_resource **res)
|
|
{
|
|
struct ttm_range_manager *rman = to_range_manager(man);
|
|
struct ttm_range_mgr_node *node;
|
|
struct drm_mm *mm = &rman->mm;
|
|
enum drm_mm_insert_mode mode;
|
|
unsigned long lpfn;
|
|
int ret;
|
|
|
|
lpfn = place->lpfn;
|
|
if (!lpfn)
|
|
lpfn = man->size;
|
|
|
|
node = kzalloc(struct_size(node, mm_nodes, 1), GFP_KERNEL);
|
|
if (!node)
|
|
return -ENOMEM;
|
|
|
|
mode = DRM_MM_INSERT_BEST;
|
|
if (place->flags & TTM_PL_FLAG_TOPDOWN)
|
|
mode = DRM_MM_INSERT_HIGH;
|
|
|
|
ttm_resource_init(bo, place, &node->base);
|
|
|
|
spin_lock(&rman->lock);
|
|
ret = drm_mm_insert_node_in_range(mm, &node->mm_nodes[0],
|
|
node->base.num_pages,
|
|
bo->page_alignment, 0,
|
|
place->fpfn, lpfn, mode);
|
|
spin_unlock(&rman->lock);
|
|
|
|
if (unlikely(ret)) {
|
|
ttm_resource_fini(man, &node->base);
|
|
kfree(node);
|
|
return ret;
|
|
}
|
|
|
|
node->base.start = node->mm_nodes[0].start;
|
|
*res = &node->base;
|
|
return 0;
|
|
}
|
|
|
|
static void ttm_range_man_free(struct ttm_resource_manager *man,
|
|
struct ttm_resource *res)
|
|
{
|
|
struct ttm_range_mgr_node *node = to_ttm_range_mgr_node(res);
|
|
struct ttm_range_manager *rman = to_range_manager(man);
|
|
|
|
spin_lock(&rman->lock);
|
|
drm_mm_remove_node(&node->mm_nodes[0]);
|
|
spin_unlock(&rman->lock);
|
|
|
|
ttm_resource_fini(man, res);
|
|
kfree(node);
|
|
}
|
|
|
|
static void ttm_range_man_debug(struct ttm_resource_manager *man,
|
|
struct drm_printer *printer)
|
|
{
|
|
struct ttm_range_manager *rman = to_range_manager(man);
|
|
|
|
spin_lock(&rman->lock);
|
|
drm_mm_print(&rman->mm, printer);
|
|
spin_unlock(&rman->lock);
|
|
}
|
|
|
|
static const struct ttm_resource_manager_func ttm_range_manager_func = {
|
|
.alloc = ttm_range_man_alloc,
|
|
.free = ttm_range_man_free,
|
|
.debug = ttm_range_man_debug
|
|
};
|
|
|
|
/**
|
|
* ttm_range_man_init_nocheck - Initialise a generic range manager for the
|
|
* selected memory type.
|
|
*
|
|
* @bdev: ttm device
|
|
* @type: memory manager type
|
|
* @use_tt: if the memory manager uses tt
|
|
* @p_size: size of area to be managed in pages.
|
|
*
|
|
* The range manager is installed for this device in the type slot.
|
|
*
|
|
* Return: %0 on success or a negative error code on failure
|
|
*/
|
|
int ttm_range_man_init_nocheck(struct ttm_device *bdev,
|
|
unsigned type, bool use_tt,
|
|
unsigned long p_size)
|
|
{
|
|
struct ttm_resource_manager *man;
|
|
struct ttm_range_manager *rman;
|
|
|
|
rman = kzalloc(sizeof(*rman), GFP_KERNEL);
|
|
if (!rman)
|
|
return -ENOMEM;
|
|
|
|
man = &rman->manager;
|
|
man->use_tt = use_tt;
|
|
|
|
man->func = &ttm_range_manager_func;
|
|
|
|
ttm_resource_manager_init(man, bdev, p_size);
|
|
|
|
drm_mm_init(&rman->mm, 0, p_size);
|
|
spin_lock_init(&rman->lock);
|
|
|
|
ttm_set_driver_manager(bdev, type, &rman->manager);
|
|
ttm_resource_manager_set_used(man, true);
|
|
return 0;
|
|
}
|
|
EXPORT_SYMBOL(ttm_range_man_init_nocheck);
|
|
|
|
/**
|
|
* ttm_range_man_fini_nocheck - Remove the generic range manager from a slot
|
|
* and tear it down.
|
|
*
|
|
* @bdev: ttm device
|
|
* @type: memory manager type
|
|
*
|
|
* Return: %0 on success or a negative error code on failure
|
|
*/
|
|
int ttm_range_man_fini_nocheck(struct ttm_device *bdev,
|
|
unsigned type)
|
|
{
|
|
struct ttm_resource_manager *man = ttm_manager_type(bdev, type);
|
|
struct ttm_range_manager *rman = to_range_manager(man);
|
|
struct drm_mm *mm = &rman->mm;
|
|
int ret;
|
|
|
|
if (!man)
|
|
return 0;
|
|
|
|
ttm_resource_manager_set_used(man, false);
|
|
|
|
ret = ttm_resource_manager_evict_all(bdev, man);
|
|
if (ret)
|
|
return ret;
|
|
|
|
spin_lock(&rman->lock);
|
|
drm_mm_clean(mm);
|
|
drm_mm_takedown(mm);
|
|
spin_unlock(&rman->lock);
|
|
|
|
ttm_resource_manager_cleanup(man);
|
|
ttm_set_driver_manager(bdev, type, NULL);
|
|
kfree(rman);
|
|
return 0;
|
|
}
|
|
EXPORT_SYMBOL(ttm_range_man_fini_nocheck);
|