An extra dma_fence_put() can drop the last reference to a fence while it is
still attached to a dma_resv object. This frees the fence prematurely via
dma_fence_release() while other users still hold the pointer.
Later accesses through dma_resv iteration may then operate on the freed
fence object, leading to refcount underflow warnings and potential hangs
when walking reservation fences.
Fix this by correcting the fence lifetime so the dma_resv object retains a
valid reference until it is done with the fence.i
[ 31.133803] refcount_t: underflow; use-after-free.
[ 31.133805] WARNING: lib/refcount.c:28 at refcount_warn_saturate+0x58/0x90, CPU#18: kworker/u96:1/188
Signed-off-by: Sunil Khatri <sunil.khatri@amd.com>
Reviewed-by: Tvrtko Ursulin <tvrtko.ursulin@igalia.com>
Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
* be good for now
*/
r = dma_fence_wait(fences[i], true);
- if (r) {
- dma_fence_put(fences[i]);
+ if (r)
goto free_fences;
- }
- dma_fence_put(fences[i]);
continue;
}
fence_info[cnt].va = fence_drv->va;
fence_info[cnt].value = fences[i]->seqno;
- dma_fence_put(fences[i]);
/* Increment the actual userq fence count */
cnt++;
}
projects / thirdparty / linux.git / commitdiff
