[Intel-xe] [PATCH] drm/xe: Fix error paths of __xe_bo_create_locked

Matthew Brost matthew.brost at intel.com
Fri Jul 28 14:45:25 UTC 2023 

On Fri, Jul 28, 2023 at 12:15:01PM +0200, Maarten Lankhorst wrote:
> Hey,
> 
> On 2023-07-25 19:22, Matthew Brost wrote:
> > On Tue, Jul 25, 2023 at 05:12:39PM +0200, Maarten Lankhorst wrote:
> > > ttm_bo_init_reserved() calls the destroy() callback if it fails.
> > > 
> > > Because of this, __xe_bo_create_locked is required to be responsible
> > > for freeing the bo even when it's passed in as argument.
> > > 
> > > Additionally, if the placement check fails, the bo was kept alive.
> > > Fix it too.
> > > 
> > > Reported-by: Oded Gabbay <ogabbay at kernel.org>
> > > Signed-off-by: Maarten Lankhorst <maarten.lankhorst at linux.intel.com>
> > > ---
> > >   drivers/gpu/drm/xe/xe_bo.c | 8 ++++++--
> > >   1 file changed, 6 insertions(+), 2 deletions(-)
> > > 
> > > diff --git a/drivers/gpu/drm/xe/xe_bo.c b/drivers/gpu/drm/xe/xe_bo.c
> > > index e240df6c7ae64..b63290540dd9b 100644
> > > --- a/drivers/gpu/drm/xe/xe_bo.c
> > > +++ b/drivers/gpu/drm/xe/xe_bo.c
> > > @@ -1158,8 +1158,10 @@ struct xe_bo *__xe_bo_create_locked(struct xe_device *xe, struct xe_bo *bo,
> > >   	/* Only kernel objects should set GT */
> > >   	XE_BUG_ON(tile && type != ttm_bo_type_kernel);
> > > -	if (XE_WARN_ON(!size))
> > > +	if (XE_WARN_ON(!size)) {
> > > +		xe_bo_free(bo);
> > >   		return ERR_PTR(-EINVAL);
> > > +	}
> > >   	if (!bo) {
> > >   		bo = xe_bo_alloc();
> > > @@ -1197,8 +1199,10 @@ struct xe_bo *__xe_bo_create_locked(struct xe_device *xe, struct xe_bo *bo,
> > >   	if (!(flags & XE_BO_FIXED_PLACEMENT_BIT)) {
> > >   		err = __xe_bo_placement_for_flags(xe, bo, bo->flags);
> > > -		if (WARN_ON(err))
> > > +		if (WARN_ON(err)) {
> > > +			xe_ttm_bo_destroy(&bo->ttm);
> > 
> > This doesn't look right as we haven't fully initialized the BO. An
> > example of this is the snippet from xe_ttm_bo_destroy:
> > 
> > 1012         if (bo->vm && xe_bo_is_user(bo))
> > 1013                 xe_vm_put(bo->vm);
> bo->vm is only assigned later, see xe_bo_create_locked_range line 1300-1302.
> 

Ah, yes I see this now.

> > 
> > This shouldn't be executed in this error path.
> > 
> > Also do we need to do a cleanup if ttm_bo_init_reserved fails?
> No, it cleans up the bo by calling xe_ttm_bo_destroy itself on failure. This
> is also why it's safe to call xe_ttm_bo_destroy right before
> ttm_bo_init_reserved in our setup function; on failure it would have been
> called anyway.
> 
> Because of ttm_bo_init_reserved semantics, the function is slightly
> confusing, but still correct. From the ttm_bo_init_reserved docs:
> "If a failure occurs, the function will call the @destroy function. Thus,
> after a failure, dereferencing @bo is illegal and will likely cause memory
> corruption."
> 
> This patch is correct, but the semantics are confusing.

Thanks for explaining, makes sense now.

With that:
Reviewed-by: Matthew Brost <matthew.brost at intel.com>


> 
> ~Maarten

More information about the Intel-xe mailing list