staging: sync: Fix race condition between merge and signal
authorØrjan Eide <orjan.eide@arm.com>
Fri, 1 Mar 2013 00:43:24 +0000 (16:43 -0800)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 4 Mar 2013 09:46:55 +0000 (17:46 +0800)
The copied sync_pt was activated immediately. If the sync_pt was
signaled before the entire merge was completed, the new fence's pt_list
could be iterated over while it is still in the process of being
created.

Moving the sync_pt_activate call for all new sync_pts to after both
the sync_fence_copy_pts and the sync_fence_merge_pts calls ensures that
the pt_list is complete and immutable before it can be reached from the
timeline's active list.

Cc: Maarten Lankhorst <maarten.lankhorst@canonical.com>
Cc: Erik Gilling <konkers@android.com>
Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
Cc: Rob Clark <robclark@gmail.com>
Cc: Sumit Semwal <sumit.semwal@linaro.org>
Cc: dri-devel@lists.freedesktop.org
Cc: Android Kernel Team <kernel-team@android.com>
Signed-off-by: Erik Gilling <konkers@android.com>
Signed-off-by: John Stultz <john.stultz@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
drivers/staging/android/sync.c

index 1ddc404081676a5acbf2970c683a6c2a8b14f087..bd18c755c77942f8d5c3161cf075bde56355c6df 100644 (file)
@@ -324,7 +324,6 @@ static int sync_fence_copy_pts(struct sync_fence *dst, struct sync_fence *src)
 
                new_pt->fence = dst;
                list_add(&new_pt->pt_list, &dst->pt_list_head);
-               sync_pt_activate(new_pt);
        }
 
        return 0;
@@ -357,7 +356,6 @@ static int sync_fence_merge_pts(struct sync_fence *dst, struct sync_fence *src)
                                        new_pt->fence = dst;
                                        list_replace(&dst_pt->pt_list,
                                                     &new_pt->pt_list);
-                                       sync_pt_activate(new_pt);
                                        sync_pt_free(dst_pt);
                                }
                                collapsed = true;
@@ -373,7 +371,6 @@ static int sync_fence_merge_pts(struct sync_fence *dst, struct sync_fence *src)
 
                        new_pt->fence = dst;
                        list_add(&new_pt->pt_list, &dst->pt_list_head);
-                       sync_pt_activate(new_pt);
                }
        }
 
@@ -454,6 +451,7 @@ struct sync_fence *sync_fence_merge(const char *name,
                                    struct sync_fence *a, struct sync_fence *b)
 {
        struct sync_fence *fence;
+       struct list_head *pos;
        int err;
 
        fence = sync_fence_alloc(name);
@@ -468,6 +466,12 @@ struct sync_fence *sync_fence_merge(const char *name,
        if (err < 0)
                goto err;
 
+       list_for_each(pos, &fence->pt_list_head) {
+               struct sync_pt *pt =
+                       container_of(pos, struct sync_pt, pt_list);
+               sync_pt_activate(pt);
+       }
+
        /*
         * signal the fence in case one of it's pts were activated before
         * they were activated
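Review bot: The ordering this loop depends on is not stated anywhere in the new code: sync_pt_activate() must not run until both sync_fence_copy_pts() and sync_fence_merge_pts() have finished building fence->pt_list_head, and nothing at the loop or in those helpers warns a later editor against putting an activate call back. A comment above the loop such as `/* Activate only now: pt_list must be complete before any pt is reachable from its timeline's active list. */` would record that. The loop could also be written as `list_for_each_entry(pt, &fence->pt_list_head, pt_list)` with `struct sync_pt *pt;` declared at function scope, which drops the `pos` local and the open-coded container_of. The body of sync_fence_merge starts and ends outside this hunk, so whether any later failure path has to handle already-activated pts cannot be checked from here.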