The atomic exchange operation we were doing before in replace_fence was
sufficient for the case where it raced with itself. However, if you
have a race between a replace_fence and dma_fence_get(syncobj->fence),
you may end up with the entire replace_fence happening between the point
in time where the one thread gets the syncobj->fence pointer and when it
calls dma_fence_get() on it. If this happens, then the reference may be
dropped before we get a chance to get a new one.
Signed-off-by: Jason Ekstrand <jason@xxxxxxxxxxxxxx>
---
drivers/gpu/drm/drm_syncobj.c | 25 +++++++++++++++++++++++--
include/drm/drm_syncobj.h | 6 ++++++
2 files changed, 29 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/drm_syncobj.c b/drivers/gpu/drm/drm_syncobj.c
index 6f2a6041..dafca83 100644
--- a/drivers/gpu/drm/drm_syncobj.c
+++ b/drivers/gpu/drm/drm_syncobj.c
@@ -75,6 +75,22 @@ struct drm_syncobj *drm_syncobj_find(struct drm_file *file_private,
}
EXPORT_SYMBOL(drm_syncobj_find);
+struct dma_fence *drm_syncobj_fence_get(struct drm_syncobj *syncobj)
+{
+ struct dma_fence *fence;
+
+ /* Lock to prevent someone from replacing the fence and dropping
+ * the syncobj's reference between when we get the dma_fence
+ * pointer and wehen we have a chance to incref.
+ */
+ spin_lock(&syncobj->lock);
+ fence = dma_fence_get(syncobj->fence);
+ spin_unlock(&syncobj->lock);
+
+ return fence;
+}
+EXPORT_SYMBOL(drm_syncobj_fence_get);
+
/**
* drm_syncobj_replace_fence - replace fence in a sync object.
* @file_private: drm file private pointer.
@@ -91,7 +107,11 @@ void drm_syncobj_replace_fence(struct drm_file *file_private,
if (fence)
dma_fence_get(fence);
- old_fence = xchg(&syncobj->fence, fence);
+
+ spin_lock(&syncobj->lock);
+ old_fence = syncobj->fence;
+ syncobj->fence = fence;
+ spin_unlock(&syncobj->lock);
dma_fence_put(old_fence);
}
@@ -107,7 +127,7 @@ int drm_syncobj_find_fence(struct drm_file *file_private,
if (!syncobj)
return -ENOENT;
- *fence = dma_fence_get(syncobj->fence);
+ *fence = drm_syncobj_fence_get(syncobj);
if (!*fence) {
ret = -EINVAL;
}
@@ -143,6 +163,7 @@ static int drm_syncobj_create(struct drm_file *file_private,
return -ENOMEM;
kref_init(&syncobj->refcount);
+ spin_lock_init(&syncobj->lock);
idr_preload(GFP_KERNEL);
spin_lock(&file_private->syncobj_table_lock);
diff --git a/include/drm/drm_syncobj.h b/include/drm/drm_syncobj.h
index 9ffff22..422d631 100644
--- a/include/drm/drm_syncobj.h
+++ b/include/drm/drm_syncobj.h
@@ -46,6 +46,11 @@ struct drm_syncobj {
*/
struct dma_fence *fence;
/**
+ * @spinlock:
+ * locks fence.
+ */
+ spinlock_t lock;
+ /**
* @file:
* a file backing for this syncobj.
*/
@@ -79,6 +84,7 @@ drm_syncobj_put(struct drm_syncobj *obj)
struct drm_syncobj *drm_syncobj_find(struct drm_file *file_private,
u32 handle);
+struct dma_fence *drm_syncobj_fence_get(struct drm_syncobj *syncobj);
void drm_syncobj_replace_fence(struct drm_file *file_private,
struct drm_syncobj *syncobj,
struct dma_fence *fence);
--
2.5.0.400.gff86faf
_______________________________________________
dri-devel mailing list
dri-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/dri-devel
