From: Andrey Grodzovsky
Date: Tue Apr 26 2022 - 19:20:21 EST

On 2022-04-25 22:54, Hangyu Hua wrote:
On 2022/4/25 23:42, Andrey Grodzovsky wrote:
On 2022-04-25 04:36, Hangyu Hua wrote:

When drm_sched_job_add_dependency() fails, dma_fence_put() will be called
internally. Calling it again after drm_sched_job_add_dependency() finishes
may result in a dangling pointer.

Fix this by removing redundant dma_fence_put().

Signed-off-by: Hangyu Hua <hbh25y@xxxxxxxxx>
  drivers/gpu/drm/lima/lima_gem.c        | 1 -
  drivers/gpu/drm/scheduler/sched_main.c | 1 -
  2 files changed, 2 deletions(-)

diff --git a/drivers/gpu/drm/lima/lima_gem.c b/drivers/gpu/drm/lima/lima_gem.c
index 55bb1ec3c4f7..99c8e7f6bb1c 100644
--- a/drivers/gpu/drm/lima/lima_gem.c
+++ b/drivers/gpu/drm/lima/lima_gem.c
@@ -291,7 +291,6 @@ static int lima_gem_add_deps(struct drm_file *file, struct lima_submit *submit)
          err = drm_sched_job_add_dependency(&submit->task->base, fence);
          if (err) {
-            dma_fence_put(fence);
              return err;

Makes sense here

diff --git a/drivers/gpu/drm/scheduler/sched_main.c b/drivers/gpu/drm/scheduler/sched_main.c
index b81fceb0b8a2..ebab9eca37a8 100644
--- a/drivers/gpu/drm/scheduler/sched_main.c
+++ b/drivers/gpu/drm/scheduler/sched_main.c
@@ -708,7 +708,6 @@ int drm_sched_job_add_implicit_dependencies(struct drm_sched_job *job,
          ret = drm_sched_job_add_dependency(job, fence);
          if (ret) {
-            dma_fence_put(fence);

Not sure about this one since if you look at the relevant commits -
'drm/scheduler: fix drm_sched_job_add_implicit_dependencies' and
'drm/scheduler: fix drm_sched_job_add_implicit_dependencies harder'
You will see that the dma_fence_put here balances the extra dma_fence_get


I don't think so. I checked the call chain and found no additional dma_fence_get(). But dma_fence_get() needs to be called before drm_sched_job_add_dependency() to keep the counter balanced.

I didn't say there is an additional dma_fence_get , from what I understand here drm_sched_job_add_implicit_dependencies->dma_fence_get is not balancing any counter but rather grabs an extra reference to account for adding the fence to the job's dependency array, and so when adding fails then you call dma_fence_put to decrement the count back. This makes sense because drm_sched_job_add_dependency doesn't increment himself refcount for the fences

On the other hand, dma_fence_get() and dma_fence_put() are meaningless here if threre is an extra dma_fence_get() beacause counter will not decrease to 0 during drm_sched_job_add_dependency().

Where is the extra dma_fence_get() ?

I check the call chain as follows:

-> submit_fence_sync()
-> drm_sched_job_add_implicit_dependencies()

Could you maybe print the buggy refcount sequence you say you discovered as an example ? Because I fail to follow where is the problem.



              return ret;