Hi Rafael, 2016-09-13 Rafael Antognolli <rafael.antognolli at intel.com>:
> The refcount of a fence should be increased whenever it is added to a merged > fence, since it will later be decreased when the merged fence is destroyed. > Failing to do so will cause the original fence to be freed if the merged fence > gets freed, but other places still referencing won't know about it. > > This patch fixes a kernel panic that can be triggered by creating a fence that > is expired (or increasing the timeline until it expires), then creating a > merged fence out of it, and deleting the merged fence. This will make the > original expired fence's refcount go to zero. > > Signed-off-by: Rafael Antognolli <rafael.antognolli at intel.com> > --- > > Sample code to trigger the mentioned kernel panic (might need to be executed a > couple times before it actually breaks everything): > > static void test_sync_expired_merge(void) > { > int iterations = 1 << 20; > int timeline; > int i; > int fence_expired, fence_merged; > > timeline = sw_sync_timeline_create(); > > sw_sync_timeline_inc(timeline, 100); > fence_expired = sw_sync_fence_create(timeline, 1); > fence_merged = sw_sync_merge(fence_expired, fence_expired); > sw_sync_fence_destroy(fence_merged); > > for (i = 0; i < iterations; i++) { > int fence = sw_sync_merge(fence_expired, fence_expired); > > igt_assert_f(sw_sync_wait(fence, -1) > 0, > "Failure waiting on fence\n"); > sw_sync_fence_destroy(fence); > } > > sw_sync_fence_destroy(fence_expired); > } > > drivers/dma-buf/sync_file.c | 7 ++----- > 1 file changed, 2 insertions(+), 5 deletions(-) Thanks for spotting this. Reviewed-by: Gustavo Padovan <gustavo.padovan at collabora.co.uk> Gustavo