From: Francisco Jerez
Date: Mon, 18 Oct 2010 01:54:33 +0000 (+0200)
Subject: drm/nouveau: Fix race condition in channel refcount handling.
X-Git-Tag: firefly_0821_release~7613^2~3065^2~37^2~77
X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=f175b745b50c5c5356e8b3b409b7f38aa44de6bb;p=firefly-linux-kernel-4.4.55.git
drm/nouveau: Fix race condition in channel refcount handling.
nouveau_channel_put() can be executed after the 'refcount == 0' check in nouveau_channel_get() and before the channel reference count is incremented. In that case CPU0 will take the context down while CPU1 thinks it owns the channel and 'refcount == 1'.
Signed-off-by: Francisco Jerez
Signed-off-by: Ben Skeggs
---
diff --git a/drivers/gpu/drm/nouveau/nouveau_channel.c b/drivers/gpu/drm/nouveau/nouveau_channel.c
index 9a051fafa7c3..c46a6f641964 100644
--- a/drivers/gpu/drm/nouveau/nouveau_channel.c
+++ b/drivers/gpu/drm/nouveau/nouveau_channel.c
@@ -247,17 +247,16 @@ nouveau_channel_get(struct drm_device *dev, struct drm_file *file_priv, int id)
 spin_lock_irqsave(&dev_priv->channels.lock, flags);
 chan = dev_priv->channels.ptr[id];
- if (unlikely(!chan || atomic_read(&chan->refcount) == 0)) {
+ if (unlikely(!chan || (file_priv && chan->file_priv != file_priv))) {
 spin_unlock_irqrestore(&dev_priv->channels.lock, flags);
 return ERR_PTR(-EINVAL);
 }
- if (unlikely(file_priv && chan->file_priv != file_priv)) {
+ if (unlikely(!atomic_inc_not_zero(&chan->refcount))) {
 spin_unlock_irqrestore(&dev_priv->channels.lock, flags);
 return ERR_PTR(-EINVAL);
 }
- atomic_inc(&chan->refcount);
 spin_unlock_irqrestore(&dev_priv->channels.lock, flags);
 mutex_lock(&chan->mutex);
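Review bot: The new `atomic_inc_not_zero()` check in `nouveau_channel_get()` relies on a lifetime invariant that the code does not state: `chan->file_priv` and `chan->refcount` are both read while the count may already be zero, which is safe only if the teardown path clears `dev_priv->channels.ptr[id]` under `channels.lock` before the channel memory is freed. That path is not visible in this hunk, so the invariant should be confirmed and recorded above the check, for example `/* refcount == 0: nouveau_channel_put() is tearing the channel down; the slot stays valid until it is cleared under channels.lock */`. The ownership test is skipped when `file_priv` is NULL, so a short comment saying that NULL is reserved for in-kernel callers would keep a later caller from bypassing the per-file check by accident. The function starts and ends outside the hunk, so the range check on `id` before `channels.ptr[id]` cannot be verified from here.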