[PATCH] dma-buf/sync_file: Always increment refcount when merging fences.
Gustavo Padovan
gustavo.padovan at collabora.com
Tue Sep 13 23:41:41 UTC 2016
Hi Rafael,
2016-09-13 Rafael Antognolli <rafael.antognolli at intel.com>:
> The refcount of a fence should be increased whenever it is added to a merged
> fence, since it will later be decreased when the merged fence is destroyed.
> Failing to do so will cause the original fence to be freed if the merged fence
> gets freed, but other places still referencing won't know about it.
>
> This patch fixes a kernel panic that can be triggered by creating a fence that
> is expired (or increasing the timeline until it expires), then creating a
> merged fence out of it, and deleting the merged fence. This will make the
> original expired fence's refcount go to zero.
>
> Signed-off-by: Rafael Antognolli <rafael.antognolli at intel.com>
> ---
>
> Sample code to trigger the mentioned kernel panic (might need to be executed a
> couple times before it actually breaks everything):
>
> static void test_sync_expired_merge(void)
> {
> 	int iterations = 1 << 20;
> 	int timeline;
> 	int i;
> 	int fence_expired, fence_merged;
>
> 	timeline = sw_sync_timeline_create();
>
> 	sw_sync_timeline_inc(timeline, 100);
> 	fence_expired = sw_sync_fence_create(timeline, 1);
> 	fence_merged = sw_sync_merge(fence_expired, fence_expired);
> 	sw_sync_fence_destroy(fence_merged);
>
> 	for (i = 0; i < iterations; i++) {
> 		int fence = sw_sync_merge(fence_expired, fence_expired);
>
> 		igt_assert_f(sw_sync_wait(fence, -1) > 0,
> 			     "Failure waiting on fence\n");
> 		sw_sync_fence_destroy(fence);
> 	}
>
> 	sw_sync_fence_destroy(fence_expired);
> }
>
> drivers/dma-buf/sync_file.c | 7 ++-----
> 1 file changed, 2 insertions(+), 5 deletions(-)
Thanks for spotting this.
Reviewed-by: Gustavo Padovan <gustavo.padovan at collabora.co.uk>
Gustavo
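
The reference imbalance described in the quoted commit message, as an added userspace model that is not part of this thread or of the kernel source. All struct and function names below are hypothetical; the model only assumes what the message states, namely that destroying a merged fence drops one reference per fence it holds.

```c
#include <stdio.h>

/* Userspace model only; all names here are hypothetical, not kernel API. */
struct fence { int refcount; int freed; };  /* freed is a flag; nothing is free()d */
struct merged { struct fence *fences[4]; int num; };

static void fence_get(struct fence *f) { f->refcount++; }

static void fence_put(struct fence *f)
{
    if (--f->refcount == 0)
        f->freed = 1;   /* last reference gone: the object would be released */
}

/* take_ref == 0 models the bug: the pointer is stored without a reference. */
static void merged_add(struct merged *m, struct fence *f, int take_ref)
{
    if (m->num >= 4)
        return;
    if (take_ref)
        fence_get(f);
    m->fences[m->num++] = f;
}

/* Teardown drops one reference per stored fence, unconditionally. */
static void merged_destroy(struct merged *m)
{
    for (int i = 0; i < m->num; i++)
        fence_put(m->fences[i]);
}

/* Merge then destroy; returns the original's refcount and sets *freed. */
static int merge_then_destroy(int take_ref, int *freed)
{
    struct fence orig = { .refcount = 1, .freed = 0 };  /* caller's own ref */
    struct merged m = { .num = 0 };
    merged_add(&m, &orig, take_ref);
    merged_destroy(&m);
    *freed = orig.freed;
    return orig.refcount;
}

int main(void)
{
    int freed, rc = merge_then_destroy(0, &freed);
    printf("no ref on merge: refcount=%d freed=%d\n", rc, freed);
    rc = merge_then_destroy(1, &freed);
    printf("ref on merge:    refcount=%d freed=%d\n", rc, freed);
    return 0;
}
```

In the first case the caller still holds a handle to an object whose count has reached zero; in the second the caller's reference survives the merged fence's teardown.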