[Intel-gfx] [PATCH] drm/i915: Avoid refcount_inc on known zero count

[Mika Kuoppala]

Chris Wilson <chris at chris-wilson.co.uk> writes:

> In intel_wakeref_auto, we use refcount_inc_not_zero to detect the first
> use and initialise the timer. On doing so, we have to avoid using
> refcount_inc on that zero count as the debug code flags that as an
> error:
> 	refcount_t: increment on 0; use-after-free.
>

Yeah there are reinforced version: refcount_inc_checked, which
I failed to notice.

I guess the good news is that now we have proof that there is
someone watching our six.

> Rearrange the code so that if we know the count is 0 and we are
> initialising, we explicitly set it to 1.
>
> Fixes: b27e35ae5b18 ("drm/i915: Keep user GGTT alive for a minimum of 250ms")
> Signed-off-by: Chris Wilson <chris at chris-wilson.co.uk>
> Cc: Mika Kuoppala <mika.kuoppala at linux.intel.com>

> ---
>  drivers/gpu/drm/i915/intel_wakeref.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/gpu/drm/i915/intel_wakeref.c b/drivers/gpu/drm/i915/intel_wakeref.c
> index c2dda5a375f0..c25ba1b5e8ba 100644
> --- a/drivers/gpu/drm/i915/intel_wakeref.c
> +++ b/drivers/gpu/drm/i915/intel_wakeref.c
> @@ -114,11 +114,11 @@ void intel_wakeref_auto(struct intel_wakeref_auto *wf, unsigned long timeout)
>  
>  	if (!refcount_inc_not_zero(&wf->count)) {
>  		spin_lock_irqsave(&wf->lock, flags);
> -		if (!refcount_read(&wf->count)) {
> +		if (!refcount_inc_not_zero(&wf->count)) {

Ok, overflow is checked with this.

Reviewed-by: Mika Kuoppala <mika.kuoppala at linux.intel.com>


>  			GEM_BUG_ON(wf->wakeref);
>  			wf->wakeref = intel_runtime_pm_get_if_in_use(wf->i915);
> +			refcount_set(&wf->count, 1);
>  		}
> -		refcount_inc(&wf->count);
>  		spin_unlock_irqrestore(&wf->lock, flags);
>  	}
>  
> -- 
> 2.20.1