Techwizz/kernel-fxtec-pro1x
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

drm/nouveau: Fix race condition in channel refcount handling.

Browse source 
nouveau_channel_put() can be executed after the 'refcount == 0' check
in nouveau_channel_get() and before the channel reference count is
incremented. In that case CPU0 will take the context down while CPU1
thinks it owns the channel and 'refcount == 1'.

Signed-off-by: Francisco Jerez <currojerez@riseup.net>
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
This commit is contained in:
Francisco Jerez 2010-10-18 03:54:33 +02:00 committed by Ben Skeggs
parent 3945e47543
commit f175b745b5
1 changed files with 2 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
drivers/gpu/drm/nouveau/nouveau_channel.c
View file

@ -247,17 +247,16 @@ nouveau_channel_get(struct drm_device *dev, struct drm_file *file_priv, int id)
spin_lock_irqsave(&dev_priv->channels.lock, flags);
chan = dev_priv->channels.ptr[id];
if (unlikely(!chan || atomic_read(&chan->refcount) == 0)) {
if (unlikely(!chan || (file_priv && chan->file_priv != file_priv))) {
spin_unlock_irqrestore(&dev_priv->channels.lock, flags);
return ERR_PTR(-EINVAL);
}
if (unlikely(file_priv && chan->file_priv != file_priv)) {
if (unlikely(!atomic_inc_not_zero(&chan->refcount))) {
spin_unlock_irqrestore(&dev_priv->channels.lock, flags);
return ERR_PTR(-EINVAL);
}
atomic_inc(&chan->refcount);
spin_unlock_irqrestore(&dev_priv->channels.lock, flags);
mutex_lock(&chan->mutex);