From: Andrew Bresticker Date: Mon, 12 Oct 2015 20:31:45 +0000 (-0700) Subject: CHROMIUM: android: Unconditionally remove callbacks in sync_fence_free() X-Git-Tag: firefly_0821_release~2958^2~203 X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=46dfd401fbd7b085ee104a6b714d0619c594f40c;p=firefly-linux-kernel-4.4.55.git CHROMIUM: android: Unconditionally remove callbacks in sync_fence_free() Using fence->status to determine whether or not there are callbacks remaining on the sync_fence is racy since fence->status may have been decremented to 0 on another CPU before fence_check_cb_func() has completed. By unconditionally calling fence_remove_callback() for each fence in the sync_fence, we guarantee that each callback has either completed (since fence_remove_callback() grabs the fence lock) or been removed. BUG=chrome-os-partner:46382 TEST=Reboot cycle test on Smaug; no crashes seen. Change-Id: I837180ef633aed3c5ae1e52e0d6ded838342b8fa Signed-off-by: Andrew Bresticker Reviewed-on: https://chromium-review.googlesource.com/305331 Reviewed-by: Puneet Kumar --- diff --git a/drivers/staging/android/sync.c b/drivers/staging/android/sync.c index a18d1c55aca6..da101a506cd2 100644 --- a/drivers/staging/android/sync.c +++ b/drivers/staging/android/sync.c @@ -527,12 +527,10 @@ static const struct fence_ops android_fence_ops = { static void sync_fence_free(struct kref *kref) { struct sync_fence *fence = container_of(kref, struct sync_fence, kref); - int i, status = atomic_read(&fence->status); + int i; for (i = 0; i < fence->num_fences; ++i) { - if (status) - fence_remove_callback(fence->cbs[i].sync_pt, - &fence->cbs[i].cb); + fence_remove_callback(fence->cbs[i].sync_pt, &fence->cbs[i].cb); fence_put(fence->cbs[i].sync_pt); }
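Review bot: The unconditional `fence_remove_callback()` call in the `for` loop of `sync_fence_free()` has no comment explaining why it must not be guarded, so the reason is recorded only in the commit message. Without it, the old `if (status)` check looks like a harmless optimisation that someone could later put back, reopening the race with `fence_check_cb_func()` that the message describes. Consider a short comment above the call stating that `fence->status` may already read 0 while a callback is still running on another CPU, and that the call is what guarantees each callback has either completed or been removed before the `sync_fence` is released. The comment could also note that the return value is deliberately ignored, since both outcomes are acceptable here.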