staging: vchiq_arm: Fix unlocked access to dequeue_pending

The dequeue_pending flag wasn't protected by a spinlock in the
service_callback. So fix this to make it safe.

Signed-off-by: Phil Elwell <phil@raspberrypi.org>
Signed-off-by: Stefan Wahren <stefan.wahren@i2se.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c
index 0525211bcd65db4b04958f7974072209c1938bbb..4f024fab4f842fd7d6610c090114930e0c9886fb 100644 (file)
--- a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c
+++ b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c
@@ -279,6 +279,7 @@ service_callback(VCHIQ_REASON_T reason, VCHIQ_HEADER_T *header,
        USER_SERVICE_T *user_service;
        VCHIQ_SERVICE_T *service;
        VCHIQ_INSTANCE_T instance;
+       bool skip_completion = false;
        DEBUG_INITIALISE(g_state.local)
 
        DEBUG_TRACE(SERVICE_CALLBACK_LINE);
@@ -345,9 +346,6 @@ service_callback(VCHIQ_REASON_T reason, VCHIQ_HEADER_T *header,
                user_service->msg_queue[user_service->msg_insert &
                        (MSG_QUEUE_SIZE - 1)] = header;
                user_service->msg_insert++;
-               spin_unlock(&msg_queue_spinlock);
-
-               up(&user_service->insert_event);
 
                /* If there is a thread waiting in DEQUEUE_MESSAGE, or if
                ** there is a MESSAGE_AVAILABLE in the completion queue then
@@ -356,15 +354,20 @@ service_callback(VCHIQ_REASON_T reason, VCHIQ_HEADER_T *header,
                if (((user_service->message_available_pos -
                        instance->completion_remove) >= 0) ||
                        user_service->dequeue_pending) {
-                       DEBUG_TRACE(SERVICE_CALLBACK_LINE);
                        user_service->dequeue_pending = 0;
-                       return VCHIQ_SUCCESS;
+                       skip_completion = true;
                }
 
+               spin_unlock(&msg_queue_spinlock);
+               up(&user_service->insert_event);
+
                header = NULL;
        }
        DEBUG_TRACE(SERVICE_CALLBACK_LINE);
 
+       if (skip_completion)
+               return VCHIQ_SUCCESS;
+
        return add_completion(instance, reason, header, user_service,
                bulk_userdata);
 }