| Message ID | 1473808788-5949-1-git-send-email-rafael.antognolli@intel.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
diff --git a/drivers/dma-buf/sync_file.c b/drivers/dma-buf/sync_file.c index 486d29c..6ce6b8f 100644 --- a/drivers/dma-buf/sync_file.c +++ b/drivers/dma-buf/sync_file.c @@ -178,11 +178,8 @@ static struct fence **get_fences(struct sync_file *sync_file, int *num_fences) static void add_fence(struct fence **fences, int *i, struct fence *fence) { fences[*i] = fence; - - if (!fence_is_signaled(fence)) { - fence_get(fence); - (*i)++; - } + fence_get(fence); + (*i)++; } /**
The refcount of a fence should be increased whenever it is added to a merged fence, since it will later be decreased when the merged fence is destroyed. Failing to do so will cause the original fence to be freed if the merged fence gets freed, but other places still referencing won't know about it. This patch fixes a kernel panic that can be triggered by creating a fence that is expired (or increasing the timeline until it expires), then creating a merged fence out of it, and deleting the merged fence. This will make the original expired fence's refcount go to zero. Signed-off-by: Rafael Antognolli <rafael.antognolli@intel.com> --- Sample code to trigger the mentioned kernel panic (might need to be executed a couple times before it actually breaks everything): static void test_sync_expired_merge(void) { int iterations = 1 << 20; int timeline; int i; int fence_expired, fence_merged; timeline = sw_sync_timeline_create(); sw_sync_timeline_inc(timeline, 100); fence_expired = sw_sync_fence_create(timeline, 1); fence_merged = sw_sync_merge(fence_expired, fence_expired); sw_sync_fence_destroy(fence_merged); for (i = 0; i < iterations; i++) { int fence = sw_sync_merge(fence_expired, fence_expired); igt_assert_f(sw_sync_wait(fence, -1) > 0, "Failure waiting on fence\n"); sw_sync_fence_destroy(fence); } sw_sync_fence_destroy(fence_expired); } drivers/dma-buf/sync_file.c | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-)