
freedreno/drm: Move pipe unref after fence removal

Rob Clark requested to merge robclark/mesa:fd/fence-crash into main

Dropping the final pipe ref could in turn drop the final ref to one of a couple other bo's, which in turn could indirectly recurse back into cleanup_fences() on the same bo, resulting in a double decrement of bo->nr_fences and underflow to a large positive #. This happens because free'ing a bo back to the bo cache periodically calls fd_bo_cache_cleanup() and any bo's that have not been re-used can be really free'd, which in turn calls cleanup_fences().

Signed-off-by: Rob Clark <robdclark@chromium.org>


This is a crash that has been showing up recently.. not enough to reproduce, but I spent some time this afternoon trying to make sense of the minidump[1] (which at least gives me register values and $pc of the crash). From that, and cross referencing the disassembly, I could work out that it was crashing dereferencing f->pipe and that bo->nr_fences was 0xffff. Above is my theory of how we can end up in that state.

[1] https://crash.corp.google.com/browse?q=reportid=%2798f8e32cb793cd1d%27 (sorry non-Googlers)
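A minimal C model of the ordering problem the commit message describes, added here as an illustration and not taken from the Mesa source. Apart from `cleanup_fences` and `nr_fences`, every name is hypothetical; the 16-bit counter is assumed from the 0xffff value reported above, and the `backref` pointer stands in for the pipe, other bo, bo cache chain that re-enters cleanup on the same bo.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#define MAX_FENCES 4

struct bo;
struct pipe  { int refcnt; struct bo *backref; };
struct fence { struct pipe *pipe; };
struct bo    { struct fence fences[MAX_FENCES]; uint16_t nr_fences; };

static bool unref_first;  /* true: unref before removal; false: unref after */
static void cleanup_fences(struct bo *bo);

/* Final unref re-enters cleanup_fences() on the same bo (model of the chain). */
static void pipe_unref(struct pipe *p)
{
    if (--p->refcnt == 0 && p->backref)
        cleanup_fences(p->backref);
}

static void cleanup_fences(struct bo *bo)
{
    for (int i = 0; i < bo->nr_fences; i++) {
        struct pipe *p = bo->fences[i].pipe;
        if (unref_first) pipe_unref(p);  /* re-entry still finds fences[i] listed */
        bo->nr_fences--;                 /* second decrement wraps 0 -> 0xffff */
        if (bo->nr_fences > MAX_FENCES) return;  /* model-only stop, stays in bounds */
        if (bo->nr_fences > 0) {
            bo->fences[i] = bo->fences[bo->nr_fences];  /* move last entry into slot i */
            i--;
        }
        if (!unref_first) pipe_unref(p); /* re-entry sees the already-shortened list */
    }
}

/* Constructed scenario: n fences (n <= MAX_FENCES), all on one pipe. */
static uint16_t run_model(int n, bool buggy_order)
{
    struct bo bo = {0};
    struct pipe p = { .refcnt = n, .backref = &bo };
    for (int i = 0; i < n; i++) bo.fences[bo.nr_fences++].pipe = &p;
    unref_first = buggy_order;
    cleanup_fences(&bo);
    return bo.nr_fences;
}

int main(void)
{
    printf("unref before removal: 0x%x\n", (unsigned)run_model(1, true));
    printf("unref after removal:  0x%x\n", (unsigned)run_model(1, false));
    return 0;
}
```

In the unref-first ordering the re-entrant call also drops a second reference on the pipe, which in real code means the outer loop goes on to touch an entry whose pipe may already be gone.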
