[PATCH] dma-buf/sync_file: Always increment refcount when merging fences.
Rafael Antognolli
rafael.antognolli at intel.com
Tue Sep 13 23:24:27 UTC 2016
The refcount of a fence should be increased whenever it is added to a merged
fence, since it will later be decreased when the merged fence is destroyed.
Failing to do so will cause the original fence to be freed if the merged fence
gets freed, but other places still referencing won't know about it.
This patch fixes a kernel panic that can be triggered by creating a fence that
is expired (or increasing the timeline until it expires), then creating a
merged fence out of it, and deleting the merged fence. This will make the
original expired fence's refcount go to zero.
Signed-off-by: Rafael Antognolli <rafael.antognolli at intel.com>
---
Sample code to trigger the mentioned kernel panic (might need to be executed a
couple times before it actually breaks everything):
static void test_sync_expired_merge(void)
{
int iterations = 1 << 20;
int timeline;
int i;
int fence_expired, fence_merged;
timeline = sw_sync_timeline_create();
sw_sync_timeline_inc(timeline, 100);
fence_expired = sw_sync_fence_create(timeline, 1);
fence_merged = sw_sync_merge(fence_expired, fence_expired);
sw_sync_fence_destroy(fence_merged);
for (i = 0; i < iterations; i++) {
int fence = sw_sync_merge(fence_expired, fence_expired);
igt_assert_f(sw_sync_wait(fence, -1) > 0,
"Failure waiting on fence\n");
sw_sync_fence_destroy(fence);
}
sw_sync_fence_destroy(fence_expired);
}
drivers/dma-buf/sync_file.c | 7 ++-----
1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/drivers/dma-buf/sync_file.c b/drivers/dma-buf/sync_file.c
index 486d29c..6ce6b8f 100644
--- a/drivers/dma-buf/sync_file.c
+++ b/drivers/dma-buf/sync_file.c
@@ -178,11 +178,8 @@ static struct fence **get_fences(struct sync_file *sync_file, int *num_fences)
static void add_fence(struct fence **fences, int *i, struct fence *fence)
{
fences[*i] = fence;
-
- if (!fence_is_signaled(fence)) {
- fence_get(fence);
- (*i)++;
- }
+ fence_get(fence);
+ (*i)++;
}
/**
--
2.7.4
More information about the dri-devel
mailing list