From: Dmitry Torokhov Date: Tue, 15 Dec 2015 01:34:08 +0000 (-0800) Subject: android: unconditionally remove callbacks in sync_fence_free() X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=699f685569434510d944e419f4048c4e3ba8d631;p=GitHub%2Fmoto-9609%2Fandroid_kernel_motorola_exynos9610.git android: unconditionally remove callbacks in sync_fence_free() Using fence->status to determine whether or not there are callbacks remaining on the sync_fence is racy since fence->status may have been decremented to 0 on another CPU before fence_check_cb_func() has completed. By unconditionally calling fence_remove_callback() for each fence in the sync_fence, we guarantee that each callback has either completed (since fence_remove_callback() grabs the fence lock) or been removed. Signed-off-by: Andrew Bresticker Signed-off-by: Dmitry Torokhov Signed-off-by: Greg Kroah-Hartman --- diff --git a/drivers/staging/android/sync.c b/drivers/staging/android/sync.c index 78c62dfb3978..ed43796b5b58 100644 --- a/drivers/staging/android/sync.c +++ b/drivers/staging/android/sync.c @@ -524,12 +524,10 @@ static const struct fence_ops android_fence_ops = { static void sync_fence_free(struct kref *kref) { struct sync_fence *fence = container_of(kref, struct sync_fence, kref); - int i, status = atomic_read(&fence->status); + int i; for (i = 0; i < fence->num_fences; ++i) { - if (status) - fence_remove_callback(fence->cbs[i].sync_pt, - &fence->cbs[i].cb); + fence_remove_callback(fence->cbs[i].sync_pt, &fence->cbs[i].cb); fence_put(fence->cbs[i].sync_pt); }