| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <e26e6ef8-6665-0b9d-804f-cf107f1788d4@amd.com>
Date: Tue, 26 Apr 2022 10:55:34 -0400
From: Andrey Grodzovsky <andrey.grodzovsky@....com>
To: Hangyu Hua <hbh25y@...il.com>, yuq825@...il.com, airlied@...ux.ie,
daniel@...ll.ch
Cc: dri-devel@...ts.freedesktop.org, lima@...ts.freedesktop.org,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH] gpu: drm: remove redundant dma_fence_put() when
drm_sched_job_add_dependency() fails
On 2022-04-25 22:54, Hangyu Hua wrote:
> On 2022/4/25 23:42, Andrey Grodzovsky wrote:
>> On 2022-04-25 04:36, Hangyu Hua wrote:
>>
>>> When drm_sched_job_add_dependency() fails, dma_fence_put() will be
>>> called
>>> internally. Calling it again after drm_sched_job_add_dependency()
>>> finishes
>>> may result in a dangling pointer.
>>>
>>> Fix this by removing redundant dma_fence_put().
>>>
>>> Signed-off-by: Hangyu Hua <hbh25y@...il.com>
>>> ---
>>> drivers/gpu/drm/lima/lima_gem.c | 1 -
>>> drivers/gpu/drm/scheduler/sched_main.c | 1 -
>>> 2 files changed, 2 deletions(-)
>>>
>>> diff --git a/drivers/gpu/drm/lima/lima_gem.c
>>> b/drivers/gpu/drm/lima/lima_gem.c
>>> index 55bb1ec3c4f7..99c8e7f6bb1c 100644
>>> --- a/drivers/gpu/drm/lima/lima_gem.c
>>> +++ b/drivers/gpu/drm/lima/lima_gem.c
>>> @@ -291,7 +291,6 @@ static int lima_gem_add_deps(struct drm_file
>>> *file, struct lima_submit *submit)
>>> err = drm_sched_job_add_dependency(&submit->task->base,
>>> fence);
>>> if (err) {
>>> - dma_fence_put(fence);
>>> return err;
>>
>>
>> Makes sense here
>>
>>
>>> }
>>> }
>>> diff --git a/drivers/gpu/drm/scheduler/sched_main.c
>>> b/drivers/gpu/drm/scheduler/sched_main.c
>>> index b81fceb0b8a2..ebab9eca37a8 100644
>>> --- a/drivers/gpu/drm/scheduler/sched_main.c
>>> +++ b/drivers/gpu/drm/scheduler/sched_main.c
>>> @@ -708,7 +708,6 @@ int
>>> drm_sched_job_add_implicit_dependencies(struct drm_sched_job *job,
>>> dma_fence_get(fence);
>>> ret = drm_sched_job_add_dependency(job, fence);
>>> if (ret) {
>>> - dma_fence_put(fence);
>>
>>
>>
>> Not sure about this one since if you look at the relevant commits -
>> 'drm/scheduler: fix drm_sched_job_add_implicit_dependencies' and
>> 'drm/scheduler: fix drm_sched_job_add_implicit_dependencies harder'
>> You will see that the dma_fence_put here balances the extra
>> dma_fence_get
>> above
>>
>> Andrey
>>
>
> I don't think so. I checked the call chain and found no additional
> dma_fence_get(). But dma_fence_get() needs to be called before
> drm_sched_job_add_dependency() to keep the counter balanced.
I don't say there is an additional get, I just say that
drm_sched_job_add_dependency doesn't grab an extra reference to the
fences it stores so this needs to be done outside and for that
drm_sched_job_add_implicit_dependencies->dma_fence_get is called and, if
this addition fails you just call dma_fence_put to keep the counter
balanced.
> On the other hand, dma_fence_get() and dma_fence_put() are meaningless
> here if threre is an extra dma_fence_get() beacause counter will not
> decrease to 0 during drm_sched_job_add_dependency().
>
> I check the call chain as follows:
>
> msm_ioctl_gem_submit()
> -> submit_fence_sync()
> -> drm_sched_job_add_implicit_dependencies()
Can you maybe trace or print one such example of problematic refcount
that you are trying to fix ? I still don't see where is the problem.
Andrey
>
> Thanks,
> Hangyu
>
>>
>>> return ret;
>>> }
>>> }
Powered by blists - more mailing lists