Quoting Chunming Zhou (2018-10-19 11:26:41) > Signed-off-by: Chunming Zhou <david1.zhou@xxxxxxx> > Cc: Daniel Vetter <daniel@xxxxxxxx> > Cc: Chris Wilson <chris@xxxxxxxxxxxxxxxxxx> > Cc: Christian König <christian.koenig@xxxxxxx> > --- > drivers/gpu/drm/drm_syncobj.c | 7 +++++-- > 1 file changed, 5 insertions(+), 2 deletions(-) > > diff --git a/drivers/gpu/drm/drm_syncobj.c b/drivers/gpu/drm/drm_syncobj.c > index 57bf6006394d..2f3c14cb5156 100644 > --- a/drivers/gpu/drm/drm_syncobj.c > +++ b/drivers/gpu/drm/drm_syncobj.c > @@ -344,13 +344,16 @@ void drm_syncobj_replace_fence(struct drm_syncobj *syncobj, > drm_syncobj_create_signal_pt(syncobj, fence, pt_value); > if (fence) { > struct drm_syncobj_cb *cur, *tmp; > + struct list_head cb_list; > + INIT_LIST_HEAD(&cb_list); LIST_HEAD(cb_list); // does both in one > spin_lock(&syncobj->lock); > - list_for_each_entry_safe(cur, tmp, &syncobj->cb_list, node) { > + list_splice_init(&syncobj->cb_list, &cb_list); Steal the snapshot of the list under the lock, ok. > + spin_unlock(&syncobj->lock); > + list_for_each_entry_safe(cur, tmp, &cb_list, node) { > list_del_init(&cur->node); Races against external caller of drm_syncobj_remove_callback(). However, it looks like that race is just fine, but we don't guard against the struct drm_syncobj_cb itself being freed, leading to all sort of fun for an interrupted drm_syncobj_array_wait_timeout. That kfree seems to undermine the validity of stealing the list. -Chris
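Review bot: the walk over the local cb_list in drm_syncobj_replace_fence() now runs after spin_unlock(&syncobj->lock), so list_del_init(&cur->node) and every later use of cur happen with no lock held and nothing visible in the hunk that pins the struct drm_syncobj_cb. Once the entries have been spliced off syncobj->cb_list, holding syncobj->lock no longer serialises other users of those nodes against this loop, and an owner that frees its callback structure while the loop is still running leaves cur (and the tmp pointer cached by list_for_each_entry_safe) dangling, which is a use-after-free. Either keep the iteration inside the locked region, or state and enforce a lifetime rule for the stolen entries (for example a reference or a completion the owner must wait on before freeing) and say in the commit message why the callbacks have to run unlocked; the quoted message gives no rationale. Separately, the two added declaration lines can be the single LIST_HEAD(cb_list); as already suggested inline.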