drm/nouveau/tmr: fix corruption of the pending list when rescheduling an alarm

commit 9fc64667ee48c9a25e7dca1a6bcb6906fec5bcc5 upstream.

At least therm/fantog "attempts" to work around this issue, which could
lead to corruption of the pending alarm list.

Fix it properly by not updating the timestamp without the lock held, or
trying to add an already pending alarm to the pending alarm list....

Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/timer/base.c b/drivers/gpu/drm/nouveau/nvkm/subdev/timer/base.c
index d4dae1f12d622b03cb2af61d2dcb966fed28f7fb..4e958db23ca0bfea7a21d21d5a12ea34465d97c7 100644 (file)
--- a/drivers/gpu/drm/nouveau/nvkm/subdev/timer/base.c
+++ b/drivers/gpu/drm/nouveau/nvkm/subdev/timer/base.c
@@ -65,14 +65,17 @@ nvkm_timer_alarm(struct nvkm_timer *tmr, u32 nsec, struct nvkm_alarm *alarm)
        struct nvkm_alarm *list;
        unsigned long flags;
 
-       alarm->timestamp = nvkm_timer_read(tmr) + nsec;
-
-       /* append new alarm to list, in soonest-alarm-first order */
+       /* Remove alarm from pending list.
+        *
+        * This both protects against the corruption of the list,
+        * and implements alarm rescheduling/cancellation.
+        */
        spin_lock_irqsave(&tmr->lock, flags);
-       if (!nsec) {
-               if (!list_empty(&alarm->head))
-                       list_del(&alarm->head);
-       } else {
+       list_del_init(&alarm->head);
+
+       if (nsec) {
+               /* Insert into pending list, ordered earliest to latest. */
+               alarm->timestamp = nvkm_timer_read(tmr) + nsec;
                list_for_each_entry(list, &tmr->alarms, head) {
                        if (list->timestamp > alarm->timestamp)
                                break;