projects / GitHub / moto-9609 / android_kernel_motorola_exynos9610.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 8519c62)
drm/omap: fix race condition with dev->obj_list
authorTomi Valkeinen <tomi.valkeinen@ti.com>
Wed, 17 Dec 2014 12:34:22 +0000 (14:34 +0200)
committerTomi Valkeinen <tomi.valkeinen@ti.com>
Tue, 24 Mar 2015 11:50:58 +0000 (13:50 +0200)
omap_gem_objects are added to dev->obj_list in omap_gem_new, and removed
in omap_gem_free_object. Unfortunately there's no locking for
dev->obj_list, which eventually leads to a crash:

WARNING: CPU: 1 PID: 1123 at lib/list_debug.c:59 __list_del_entry+0xa4/0xe0()
list_del corruption. prev->next should be e9281344, but was ea722b84

Add a spinlock to protect dev->obj_list.

Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ti.com>
drivers/gpu/drm/omapdrm/omap_drv.c patch | blob | blame | history
drivers/gpu/drm/omapdrm/omap_drv.h patch | blob | blame | history
drivers/gpu/drm/omapdrm/omap_gem.c patch | blob | blame | history

diff --git a/drivers/gpu/drm/omapdrm/omap_drv.c b/drivers/gpu/drm/omapdrm/omap_drv.c
index c4c2373179019bcebcf11c4548b6d58ce76382c8..c6980985884ba6c20e2171999fa4e20fae7955fa 100644 (file)
--- a/drivers/gpu/drm/omapdrm/omap_drv.c
+++ b/drivers/gpu/drm/omapdrm/omap_drv.c
@@ -491,6 +491,7 @@ static int dev_load(struct drm_device *dev, unsigned long flags)
 
        priv->wq = alloc_ordered_workqueue("omapdrm", 0);
 
+       spin_lock_init(&priv->list_lock);
        INIT_LIST_HEAD(&priv->obj_list);
 
        omap_gem_init(dev);
diff --git a/drivers/gpu/drm/omapdrm/omap_drv.h b/drivers/gpu/drm/omapdrm/omap_drv.h
index 57e11c1f589fc9456be01eb8f9854f02b2a4f8db..b31c79f15aede8481af46d62e8342b59aaa62f4c 100644 (file)
--- a/drivers/gpu/drm/omapdrm/omap_drv.h
+++ b/drivers/gpu/drm/omapdrm/omap_drv.h
@@ -105,6 +105,9 @@ struct omap_drm_private {
 
        struct workqueue_struct *wq;
 
+       /* lock for obj_list below */
+       spinlock_t list_lock;
+
        /* list of GEM objects: */
        struct list_head obj_list;
 
diff --git a/drivers/gpu/drm/omapdrm/omap_gem.c b/drivers/gpu/drm/omapdrm/omap_gem.c
index d37ee756a0b19545bd4c0862411c8eaeede80ad7..e9718b99a8a9f022bdbc2501e9e1005270bc1f6a 100644 (file)
--- a/drivers/gpu/drm/omapdrm/omap_gem.c
+++ b/drivers/gpu/drm/omapdrm/omap_gem.c
@@ -1273,13 +1273,16 @@ unlock:
 void omap_gem_free_object(struct drm_gem_object *obj)
 {
        struct drm_device *dev = obj->dev;
+       struct omap_drm_private *priv = dev->dev_private;
        struct omap_gem_object *omap_obj = to_omap_bo(obj);
 
        evict(obj);
 
        WARN_ON(!mutex_is_locked(&dev->struct_mutex));
 
+       spin_lock(&priv->list_lock);
        list_del(&omap_obj->mm_list);
+       spin_unlock(&priv->list_lock);
 
        drm_gem_free_mmap_offset(obj);
 
@@ -1377,7 +1380,9 @@ struct drm_gem_object *omap_gem_new(struct drm_device *dev,
        if (!omap_obj)
                goto fail;
 
+       spin_lock(&priv->list_lock);
        list_add(&omap_obj->mm_list, &priv->obj_list);
+       spin_unlock(&priv->list_lock);
 
        obj = &omap_obj->base;