drivers/gpu/drm/lima/lima_gem.c | 1 - drivers/gpu/drm/scheduler/sched_main.c | 1 - 2 files changed, 2 deletions(-)
When drm_sched_job_add_dependency() fails, dma_fence_put() will be called
internally. Calling it again after drm_sched_job_add_dependency() finishes
may result in a dangling pointer.
Fix this by removing redundant dma_fence_put().
Signed-off-by: Hangyu Hua <hbh25y@gmail.com>
---
drivers/gpu/drm/lima/lima_gem.c | 1 -
drivers/gpu/drm/scheduler/sched_main.c | 1 -
2 files changed, 2 deletions(-)
diff --git a/drivers/gpu/drm/lima/lima_gem.c b/drivers/gpu/drm/lima/lima_gem.c
index 55bb1ec3c4f7..99c8e7f6bb1c 100644
--- a/drivers/gpu/drm/lima/lima_gem.c
+++ b/drivers/gpu/drm/lima/lima_gem.c
@@ -291,7 +291,6 @@ static int lima_gem_add_deps(struct drm_file *file, struct lima_submit *submit)
err = drm_sched_job_add_dependency(&submit->task->base, fence);
if (err) {
- dma_fence_put(fence);
return err;
}
}
diff --git a/drivers/gpu/drm/scheduler/sched_main.c b/drivers/gpu/drm/scheduler/sched_main.c
index b81fceb0b8a2..ebab9eca37a8 100644
--- a/drivers/gpu/drm/scheduler/sched_main.c
+++ b/drivers/gpu/drm/scheduler/sched_main.c
@@ -708,7 +708,6 @@ int drm_sched_job_add_implicit_dependencies(struct drm_sched_job *job,
dma_fence_get(fence);
ret = drm_sched_job_add_dependency(job, fence);
if (ret) {
- dma_fence_put(fence);
return ret;
}
}
--
2.25.1On 2022-04-25 04:36, Hangyu Hua wrote:
> When drm_sched_job_add_dependency() fails, dma_fence_put() will be called
> internally. Calling it again after drm_sched_job_add_dependency() finishes
> may result in a dangling pointer.
>
> Fix this by removing redundant dma_fence_put().
>
> Signed-off-by: Hangyu Hua <hbh25y@gmail.com>
> ---
> drivers/gpu/drm/lima/lima_gem.c | 1 -
> drivers/gpu/drm/scheduler/sched_main.c | 1 -
> 2 files changed, 2 deletions(-)
>
> diff --git a/drivers/gpu/drm/lima/lima_gem.c b/drivers/gpu/drm/lima/lima_gem.c
> index 55bb1ec3c4f7..99c8e7f6bb1c 100644
> --- a/drivers/gpu/drm/lima/lima_gem.c
> +++ b/drivers/gpu/drm/lima/lima_gem.c
> @@ -291,7 +291,6 @@ static int lima_gem_add_deps(struct drm_file *file, struct lima_submit *submit)
>
> err = drm_sched_job_add_dependency(&submit->task->base, fence);
> if (err) {
> - dma_fence_put(fence);
> return err;
Makes sense here
> }
> }
> diff --git a/drivers/gpu/drm/scheduler/sched_main.c b/drivers/gpu/drm/scheduler/sched_main.c
> index b81fceb0b8a2..ebab9eca37a8 100644
> --- a/drivers/gpu/drm/scheduler/sched_main.c
> +++ b/drivers/gpu/drm/scheduler/sched_main.c
> @@ -708,7 +708,6 @@ int drm_sched_job_add_implicit_dependencies(struct drm_sched_job *job,
> dma_fence_get(fence);
> ret = drm_sched_job_add_dependency(job, fence);
> if (ret) {
> - dma_fence_put(fence);
Not sure about this one since if you look at the relevant commits -
'drm/scheduler: fix drm_sched_job_add_implicit_dependencies' and
'drm/scheduler: fix drm_sched_job_add_implicit_dependencies harder'
You will see that the dma_fence_put here balances the extra dma_fence_get
above
Andrey
> return ret;
> }
> }
On 2022/4/25 23:42, Andrey Grodzovsky wrote:
> On 2022-04-25 04:36, Hangyu Hua wrote:
>
>> When drm_sched_job_add_dependency() fails, dma_fence_put() will be called
>> internally. Calling it again after drm_sched_job_add_dependency()
>> finishes
>> may result in a dangling pointer.
>>
>> Fix this by removing redundant dma_fence_put().
>>
>> Signed-off-by: Hangyu Hua <hbh25y@gmail.com>
>> ---
>> drivers/gpu/drm/lima/lima_gem.c | 1 -
>> drivers/gpu/drm/scheduler/sched_main.c | 1 -
>> 2 files changed, 2 deletions(-)
>>
>> diff --git a/drivers/gpu/drm/lima/lima_gem.c
>> b/drivers/gpu/drm/lima/lima_gem.c
>> index 55bb1ec3c4f7..99c8e7f6bb1c 100644
>> --- a/drivers/gpu/drm/lima/lima_gem.c
>> +++ b/drivers/gpu/drm/lima/lima_gem.c
>> @@ -291,7 +291,6 @@ static int lima_gem_add_deps(struct drm_file
>> *file, struct lima_submit *submit)
>> err = drm_sched_job_add_dependency(&submit->task->base, fence);
>> if (err) {
>> - dma_fence_put(fence);
>> return err;
>
>
> Makes sense here
>
>
>> }
>> }
>> diff --git a/drivers/gpu/drm/scheduler/sched_main.c
>> b/drivers/gpu/drm/scheduler/sched_main.c
>> index b81fceb0b8a2..ebab9eca37a8 100644
>> --- a/drivers/gpu/drm/scheduler/sched_main.c
>> +++ b/drivers/gpu/drm/scheduler/sched_main.c
>> @@ -708,7 +708,6 @@ int drm_sched_job_add_implicit_dependencies(struct
>> drm_sched_job *job,
>> dma_fence_get(fence);
>> ret = drm_sched_job_add_dependency(job, fence);
>> if (ret) {
>> - dma_fence_put(fence);
>
>
>
> Not sure about this one since if you look at the relevant commits -
> 'drm/scheduler: fix drm_sched_job_add_implicit_dependencies' and
> 'drm/scheduler: fix drm_sched_job_add_implicit_dependencies harder'
> You will see that the dma_fence_put here balances the extra dma_fence_get
> above
>
> Andrey
>
I don't think so. I checked the call chain and found no additional
dma_fence_get(). But dma_fence_get() needs to be called before
drm_sched_job_add_dependency() to keep the counter balanced. On the
other hand, dma_fence_get() and dma_fence_put() are meaningless here if
threre is an extra dma_fence_get() beacause counter will not decrease to
0 during drm_sched_job_add_dependency().
I check the call chain as follows:
msm_ioctl_gem_submit()
-> submit_fence_sync()
-> drm_sched_job_add_implicit_dependencies()
Thanks,
Hangyu
>
>> return ret;
>> }
>> }
On 2022-04-25 22:54, Hangyu Hua wrote:
> On 2022/4/25 23:42, Andrey Grodzovsky wrote:
>> On 2022-04-25 04:36, Hangyu Hua wrote:
>>
>>> When drm_sched_job_add_dependency() fails, dma_fence_put() will be
>>> called
>>> internally. Calling it again after drm_sched_job_add_dependency()
>>> finishes
>>> may result in a dangling pointer.
>>>
>>> Fix this by removing redundant dma_fence_put().
>>>
>>> Signed-off-by: Hangyu Hua <hbh25y@gmail.com>
>>> ---
>>> drivers/gpu/drm/lima/lima_gem.c | 1 -
>>> drivers/gpu/drm/scheduler/sched_main.c | 1 -
>>> 2 files changed, 2 deletions(-)
>>>
>>> diff --git a/drivers/gpu/drm/lima/lima_gem.c
>>> b/drivers/gpu/drm/lima/lima_gem.c
>>> index 55bb1ec3c4f7..99c8e7f6bb1c 100644
>>> --- a/drivers/gpu/drm/lima/lima_gem.c
>>> +++ b/drivers/gpu/drm/lima/lima_gem.c
>>> @@ -291,7 +291,6 @@ static int lima_gem_add_deps(struct drm_file
>>> *file, struct lima_submit *submit)
>>> err = drm_sched_job_add_dependency(&submit->task->base,
>>> fence);
>>> if (err) {
>>> - dma_fence_put(fence);
>>> return err;
>>
>>
>> Makes sense here
>>
>>
>>> }
>>> }
>>> diff --git a/drivers/gpu/drm/scheduler/sched_main.c
>>> b/drivers/gpu/drm/scheduler/sched_main.c
>>> index b81fceb0b8a2..ebab9eca37a8 100644
>>> --- a/drivers/gpu/drm/scheduler/sched_main.c
>>> +++ b/drivers/gpu/drm/scheduler/sched_main.c
>>> @@ -708,7 +708,6 @@ int
>>> drm_sched_job_add_implicit_dependencies(struct drm_sched_job *job,
>>> dma_fence_get(fence);
>>> ret = drm_sched_job_add_dependency(job, fence);
>>> if (ret) {
>>> - dma_fence_put(fence);
>>
>>
>>
>> Not sure about this one since if you look at the relevant commits -
>> 'drm/scheduler: fix drm_sched_job_add_implicit_dependencies' and
>> 'drm/scheduler: fix drm_sched_job_add_implicit_dependencies harder'
>> You will see that the dma_fence_put here balances the extra
>> dma_fence_get
>> above
>>
>> Andrey
>>
>
> I don't think so. I checked the call chain and found no additional
> dma_fence_get(). But dma_fence_get() needs to be called before
> drm_sched_job_add_dependency() to keep the counter balanced.
I didn't say there is an additional dma_fence_get , from what I
understand here drm_sched_job_add_implicit_dependencies->dma_fence_get
is not balancing any counter but rather grabs an extra reference to
account for adding the fence to the job's dependency array, and so when
adding fails then you call dma_fence_put to decrement the count back.
This makes sense because drm_sched_job_add_dependency doesn't increment
himself refcount for the fences
> On the other hand, dma_fence_get() and dma_fence_put() are meaningless
> here if threre is an extra dma_fence_get() beacause counter will not
> decrease to 0 during drm_sched_job_add_dependency().
Where is the extra dma_fence_get() ?
>
> I check the call chain as follows:
>
> msm_ioctl_gem_submit()
> -> submit_fence_sync()
> -> drm_sched_job_add_implicit_dependencies()
Could you maybe print the buggy refcount sequence you say you discovered
as an example ? Because I fail to follow where is the problem.
Andrey
>
> Thanks,
> Hangyu
>
>>
>>> return ret;
>>> }
>>> }
On 2022-04-25 22:54, Hangyu Hua wrote:
> On 2022/4/25 23:42, Andrey Grodzovsky wrote:
>> On 2022-04-25 04:36, Hangyu Hua wrote:
>>
>>> When drm_sched_job_add_dependency() fails, dma_fence_put() will be
>>> called
>>> internally. Calling it again after drm_sched_job_add_dependency()
>>> finishes
>>> may result in a dangling pointer.
>>>
>>> Fix this by removing redundant dma_fence_put().
>>>
>>> Signed-off-by: Hangyu Hua <hbh25y@gmail.com>
>>> ---
>>> drivers/gpu/drm/lima/lima_gem.c | 1 -
>>> drivers/gpu/drm/scheduler/sched_main.c | 1 -
>>> 2 files changed, 2 deletions(-)
>>>
>>> diff --git a/drivers/gpu/drm/lima/lima_gem.c
>>> b/drivers/gpu/drm/lima/lima_gem.c
>>> index 55bb1ec3c4f7..99c8e7f6bb1c 100644
>>> --- a/drivers/gpu/drm/lima/lima_gem.c
>>> +++ b/drivers/gpu/drm/lima/lima_gem.c
>>> @@ -291,7 +291,6 @@ static int lima_gem_add_deps(struct drm_file
>>> *file, struct lima_submit *submit)
>>> err = drm_sched_job_add_dependency(&submit->task->base,
>>> fence);
>>> if (err) {
>>> - dma_fence_put(fence);
>>> return err;
>>
>>
>> Makes sense here
>>
>>
>>> }
>>> }
>>> diff --git a/drivers/gpu/drm/scheduler/sched_main.c
>>> b/drivers/gpu/drm/scheduler/sched_main.c
>>> index b81fceb0b8a2..ebab9eca37a8 100644
>>> --- a/drivers/gpu/drm/scheduler/sched_main.c
>>> +++ b/drivers/gpu/drm/scheduler/sched_main.c
>>> @@ -708,7 +708,6 @@ int
>>> drm_sched_job_add_implicit_dependencies(struct drm_sched_job *job,
>>> dma_fence_get(fence);
>>> ret = drm_sched_job_add_dependency(job, fence);
>>> if (ret) {
>>> - dma_fence_put(fence);
>>
>>
>>
>> Not sure about this one since if you look at the relevant commits -
>> 'drm/scheduler: fix drm_sched_job_add_implicit_dependencies' and
>> 'drm/scheduler: fix drm_sched_job_add_implicit_dependencies harder'
>> You will see that the dma_fence_put here balances the extra
>> dma_fence_get
>> above
>>
>> Andrey
>>
>
> I don't think so. I checked the call chain and found no additional
> dma_fence_get(). But dma_fence_get() needs to be called before
> drm_sched_job_add_dependency() to keep the counter balanced.
I don't say there is an additional get, I just say that
drm_sched_job_add_dependency doesn't grab an extra reference to the
fences it stores so this needs to be done outside and for that
drm_sched_job_add_implicit_dependencies->dma_fence_get is called and, if
this addition fails you just call dma_fence_put to keep the counter
balanced.
> On the other hand, dma_fence_get() and dma_fence_put() are meaningless
> here if threre is an extra dma_fence_get() beacause counter will not
> decrease to 0 during drm_sched_job_add_dependency().
>
> I check the call chain as follows:
>
> msm_ioctl_gem_submit()
> -> submit_fence_sync()
> -> drm_sched_job_add_implicit_dependencies()
Can you maybe trace or print one such example of problematic refcount
that you are trying to fix ? I still don't see where is the problem.
Andrey
>
> Thanks,
> Hangyu
>
>>
>>> return ret;
>>> }
>>> }
On 2022/4/26 22:55, Andrey Grodzovsky wrote:
>
> On 2022-04-25 22:54, Hangyu Hua wrote:
>> On 2022/4/25 23:42, Andrey Grodzovsky wrote:
>>> On 2022-04-25 04:36, Hangyu Hua wrote:
>>>
>>>> When drm_sched_job_add_dependency() fails, dma_fence_put() will be
>>>> called
>>>> internally. Calling it again after drm_sched_job_add_dependency()
>>>> finishes
>>>> may result in a dangling pointer.
>>>>
>>>> Fix this by removing redundant dma_fence_put().
>>>>
>>>> Signed-off-by: Hangyu Hua <hbh25y@gmail.com>
>>>> ---
>>>> drivers/gpu/drm/lima/lima_gem.c | 1 -
>>>> drivers/gpu/drm/scheduler/sched_main.c | 1 -
>>>> 2 files changed, 2 deletions(-)
>>>>
>>>> diff --git a/drivers/gpu/drm/lima/lima_gem.c
>>>> b/drivers/gpu/drm/lima/lima_gem.c
>>>> index 55bb1ec3c4f7..99c8e7f6bb1c 100644
>>>> --- a/drivers/gpu/drm/lima/lima_gem.c
>>>> +++ b/drivers/gpu/drm/lima/lima_gem.c
>>>> @@ -291,7 +291,6 @@ static int lima_gem_add_deps(struct drm_file
>>>> *file, struct lima_submit *submit)
>>>> err = drm_sched_job_add_dependency(&submit->task->base,
>>>> fence);
>>>> if (err) {
>>>> - dma_fence_put(fence);
>>>> return err;
>>>
>>>
>>> Makes sense here
>>>
>>>
>>>> }
>>>> }
>>>> diff --git a/drivers/gpu/drm/scheduler/sched_main.c
>>>> b/drivers/gpu/drm/scheduler/sched_main.c
>>>> index b81fceb0b8a2..ebab9eca37a8 100644
>>>> --- a/drivers/gpu/drm/scheduler/sched_main.c
>>>> +++ b/drivers/gpu/drm/scheduler/sched_main.c
>>>> @@ -708,7 +708,6 @@ int
>>>> drm_sched_job_add_implicit_dependencies(struct drm_sched_job *job,
>>>> dma_fence_get(fence);
>>>> ret = drm_sched_job_add_dependency(job, fence);
>>>> if (ret) {
>>>> - dma_fence_put(fence);
>>>
>>>
>>>
>>> Not sure about this one since if you look at the relevant commits -
>>> 'drm/scheduler: fix drm_sched_job_add_implicit_dependencies' and
>>> 'drm/scheduler: fix drm_sched_job_add_implicit_dependencies harder'
>>> You will see that the dma_fence_put here balances the extra
>>> dma_fence_get
>>> above
>>>
>>> Andrey
>>>
>>
>> I don't think so. I checked the call chain and found no additional
>> dma_fence_get(). But dma_fence_get() needs to be called before
>> drm_sched_job_add_dependency() to keep the counter balanced.
>
>
> I don't say there is an additional get, I just say that
> drm_sched_job_add_dependency doesn't grab an extra reference to the
> fences it stores so this needs to be done outside and for that
> drm_sched_job_add_implicit_dependencies->dma_fence_get is called and, if
> this addition fails you just call dma_fence_put to keep the counter
> balanced.
>
drm_sched_job_add_implicit_dependencies() will call
drm_sched_job_add_dependency(). And drm_sched_job_add_dependency()
already call dma_fence_put() when it fails. Calling dma_fence_put()
twice doesn't make sense.
dma_fence_get() is in [2]. But dma_fence_put() will be called in [1] and
[3] when xa_alloc() fails.
int drm_sched_job_add_dependency(struct drm_sched_job *job,
struct dma_fence *fence)
{
...
ret = xa_alloc(&job->dependencies, &id, fence, xa_limit_32b, GFP_KERNEL);
if (ret != 0)
dma_fence_put(fence); <--- [1]
return ret;
}
EXPORT_SYMBOL(drm_sched_job_add_dependency);
int drm_sched_job_add_implicit_dependencies(struct drm_sched_job *job,
struct drm_gem_object *obj,
bool write)
{
struct dma_resv_iter cursor;
struct dma_fence *fence;
int ret;
dma_resv_for_each_fence(&cursor, obj->resv, write, fence) {
/* Make sure to grab an additional ref on the added fence */
dma_fence_get(fence); <--- [2]
ret = drm_sched_job_add_dependency(job, fence);
if (ret) {
dma_fence_put(fence); <--- [3]
return ret;
}
}
return 0;
}
>
>> On the other hand, dma_fence_get() and dma_fence_put() are meaningless
>> here if threre is an extra dma_fence_get() beacause counter will not
>> decrease to 0 during drm_sched_job_add_dependency().
>>
>> I check the call chain as follows:
>>
>> msm_ioctl_gem_submit()
>> -> submit_fence_sync()
>> -> drm_sched_job_add_implicit_dependencies()
>
>
> Can you maybe trace or print one such example of problematic refcount
> that you are trying to fix ? I still don't see where is the problem.
>
> Andrey
>
I also wish I could. System logs can make this easy. But i don't have a
corresponding GPU physical device.
drm_sched_job_add_implicit_dependencies is only used in a few devices.
Thanks.
>
>>
>> Thanks,
>> Hangyu
>>
>>>
>>>> return ret;
>>>> }
>>>> }
© 2016 - 2026 Red Hat, Inc.