[bug report] drm/ttm: fix re-init of global structures

[Christian König]

Am 04.02.20 um 13:57 schrieb Dan Carpenter:
> Hello Christian König,
>
> The patch bd4264112f93: "drm/ttm: fix re-init of global structures"
> from Apr 16, 2019, leads to the following static checker warning:
>
> 	drivers/gpu/drm/ttm/ttm_bo.c:1610 ttm_bo_global_release()
> 	warn: passing freed memory 'glob'
>
> drivers/gpu/drm/ttm/ttm_bo.c
>    1591  static void ttm_bo_global_kobj_release(struct kobject *kobj)
>    1592  {
>    1593          struct ttm_bo_global *glob =
>    1594                  container_of(kobj, struct ttm_bo_global, kobj);
>    1595
>    1596          __free_page(glob->dummy_read_page);
>    1597  }
>    1598
>    1599  static void ttm_bo_global_release(void)
>    1600  {
>    1601          struct ttm_bo_global *glob = &ttm_bo_glob;
>    1602
>    1603          mutex_lock(&ttm_global_mutex);
>    1604          if (--ttm_bo_glob_use_count > 0)
>    1605                  goto out;
>    1606
>    1607          kobject_del(&glob->kobj);
>    1608          kobject_put(&glob->kobj);
>    1609          ttm_mem_global_release(&ttm_mem_glob);
>    1610          memset(glob, 0, sizeof(*glob));
>                         ^^^^^^^^^^^^^^^^^^^^^^
> Depending on the config kobject_release() might call ttm_bo_global_kobj_release()
> a few seconds after this memset.  Maybe put the memset into
> ttm_bo_global_kobj_release()?

That's not possible. The object might be re-used directly after we drop 
the ttm_global_mutex.

How can we wait for the ttm_mem_global_release() to have finished?

I mean in theory that function should actually be used from a 
module_exit() callback, and we need to make 100% sure that the kobj is 
gone or we are running in a bunch of trouble.

Christian.

>
>    1611  out:
>    1612          mutex_unlock(&ttm_global_mutex);
>    1613  }
>
>
> regards,
> dan carpenter