This is a note to let you know that I've just added the patch titled
dma-buf/sw-sync: Fix locking around sync_timeline lists
to the 4.9-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
dma-buf-sw-sync-fix-locking-around-sync_timeline-lists.patch
and it can be found in the queue-4.9 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.
>From d3862e44daa7a0c94d2f6193502a8c49379acfce Mon Sep 17 00:00:00 2001
From: Chris Wilson <chris@xxxxxxxxxxxxxxxxxx>
Date: Thu, 29 Jun 2017 22:05:32 +0100
Subject: dma-buf/sw-sync: Fix locking around sync_timeline lists
From: Chris Wilson <chris@xxxxxxxxxxxxxxxxxx>
commit d3862e44daa7a0c94d2f6193502a8c49379acfce upstream.
The sync_pt were not adding themselves atomically to the timeline lists,
corruption imminent. Only a single list is required to track the
unsignaled sync_pt, so reduce it and rename the lock more appropriately
along with using idiomatic names to distinguish a list from links along
it.
v2: Prevent spinlock recursion on free during create (next patch) and
fixup crossref in kerneldoc
Signed-off-by: Chris Wilson <chris@xxxxxxxxxxxxxxxxxx>
Cc: Sumit Semwal <sumit.semwal@xxxxxxxxxx>
Cc: Sean Paul <seanpaul@xxxxxxxxxxxx>
Cc: Gustavo Padovan <gustavo@xxxxxxxxxxx>
Reviewed-by: Sean Paul <seanpaul@xxxxxxxxxxxx>
Signed-off-by: Gustavo Padovan <gustavo.padovan@xxxxxxxxxxxxx>
Link: http://patchwork.freedesktop.org/patch/msgid/20170629210532.5617-1-chris@xxxxxxxxxxxxxxxxxx
[s/dma_fence/fence/g - gregkh]
Cc: Jisheng Zhang <Jisheng.Zhang@xxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
drivers/dma-buf/sw_sync.c | 48 +++++++++++++++++--------------------------
drivers/dma-buf/sync_debug.c | 9 +++-----
drivers/dma-buf/sync_debug.h | 22 +++++++------------
3 files changed, 31 insertions(+), 48 deletions(-)
--- a/drivers/dma-buf/sw_sync.c
+++ b/drivers/dma-buf/sw_sync.c
@@ -96,9 +96,8 @@ struct sync_timeline *sync_timeline_crea
obj->context = fence_context_alloc(1);
strlcpy(obj->name, name, sizeof(obj->name));
- INIT_LIST_HEAD(&obj->child_list_head);
- INIT_LIST_HEAD(&obj->active_list_head);
- spin_lock_init(&obj->child_list_lock);
+ INIT_LIST_HEAD(&obj->pt_list);
+ spin_lock_init(&obj->lock);
sync_timeline_debug_add(obj);
@@ -139,17 +138,15 @@ static void sync_timeline_signal(struct
trace_sync_timeline(obj);
- spin_lock_irq(&obj->child_list_lock);
+ spin_lock_irq(&obj->lock);
obj->value += inc;
- list_for_each_entry_safe(pt, next, &obj->active_list_head,
- active_list) {
+ list_for_each_entry_safe(pt, next, &obj->pt_list, link)
if (fence_is_signaled_locked(&pt->base))
- list_del_init(&pt->active_list);
- }
+ list_del_init(&pt->link);
- spin_unlock_irq(&obj->child_list_lock);
+ spin_unlock_irq(&obj->lock);
}
/**
@@ -171,15 +168,15 @@ static struct sync_pt *sync_pt_create(st
if (!pt)
return NULL;
- spin_lock_irq(&obj->child_list_lock);
-
sync_timeline_get(obj);
- fence_init(&pt->base, &timeline_fence_ops, &obj->child_list_lock,
+ fence_init(&pt->base, &timeline_fence_ops, &obj->lock,
obj->context, value);
- list_add_tail(&pt->child_list, &obj->child_list_head);
- INIT_LIST_HEAD(&pt->active_list);
+ INIT_LIST_HEAD(&pt->link);
- spin_unlock_irq(&obj->child_list_lock);
+ spin_lock_irq(&obj->lock);
+ if (!fence_is_signaled_locked(&pt->base))
+ list_add_tail(&pt->link, &obj->pt_list);
+ spin_unlock_irq(&obj->lock);
return pt;
}
@@ -200,15 +197,15 @@ static void timeline_fence_release(struc
{
struct sync_pt *pt = fence_to_sync_pt(fence);
struct sync_timeline *parent = fence_parent(fence);
- unsigned long flags;
- spin_lock_irqsave(fence->lock, flags);
+ if (!list_empty(&pt->link)) {
+ unsigned long flags;
- list_del(&pt->child_list);
- if (!list_empty(&pt->active_list))
- list_del(&pt->active_list);
-
- spin_unlock_irqrestore(fence->lock, flags);
+ spin_lock_irqsave(fence->lock, flags);
+ if (!list_empty(&pt->link))
+ list_del(&pt->link);
+ spin_unlock_irqrestore(fence->lock, flags);
+ }
sync_timeline_put(parent);
fence_free(fence);
@@ -223,13 +220,6 @@ static bool timeline_fence_signaled(stru
static bool timeline_fence_enable_signaling(struct fence *fence)
{
- struct sync_pt *pt = fence_to_sync_pt(fence);
- struct sync_timeline *parent = fence_parent(fence);
-
- if (timeline_fence_signaled(fence))
- return false;
-
- list_add_tail(&pt->active_list, &parent->active_list_head);
return true;
}
--- a/drivers/dma-buf/sync_debug.c
+++ b/drivers/dma-buf/sync_debug.c
@@ -119,13 +119,12 @@ static void sync_print_obj(struct seq_fi
seq_printf(s, "%s: %d\n", obj->name, obj->value);
- spin_lock_irq(&obj->child_list_lock);
- list_for_each(pos, &obj->child_list_head) {
- struct sync_pt *pt =
- container_of(pos, struct sync_pt, child_list);
+ spin_lock_irq(&obj->lock);
+ list_for_each(pos, &obj->pt_list) {
+ struct sync_pt *pt = container_of(pos, struct sync_pt, link);
sync_print_fence(s, &pt->base, false);
}
- spin_unlock_irq(&obj->child_list_lock);
+ spin_unlock_irq(&obj->lock);
}
static void sync_print_sync_file(struct seq_file *s,
--- a/drivers/dma-buf/sync_debug.h
+++ b/drivers/dma-buf/sync_debug.h
@@ -24,43 +24,37 @@
* struct sync_timeline - sync object
* @kref: reference count on fence.
* @name: name of the sync_timeline. Useful for debugging
- * @child_list_head: list of children sync_pts for this sync_timeline
- * @child_list_lock: lock protecting @child_list_head and fence.status
- * @active_list_head: list of active (unsignaled/errored) sync_pts
+ * @lock: lock protecting @pt_list and @value
+ * @pt_list: list of active (unsignaled/errored) sync_pts
* @sync_timeline_list: membership in global sync_timeline_list
*/
struct sync_timeline {
struct kref kref;
char name[32];
- /* protected by child_list_lock */
+ /* protected by lock */
u64 context;
int value;
- struct list_head child_list_head;
- spinlock_t child_list_lock;
-
- struct list_head active_list_head;
+ struct list_head pt_list;
+ spinlock_t lock;
struct list_head sync_timeline_list;
};
static inline struct sync_timeline *fence_parent(struct fence *fence)
{
- return container_of(fence->lock, struct sync_timeline,
- child_list_lock);
+ return container_of(fence->lock, struct sync_timeline, lock);
}
/**
* struct sync_pt - sync_pt object
* @base: base fence object
- * @child_list: sync timeline child's list
- * @active_list: sync timeline active child's list
+ * @link: link on the sync timeline's list
*/
struct sync_pt {
struct fence base;
- struct list_head child_list;
- struct list_head active_list;
+ struct list_head link;
};
#ifdef CONFIG_SW_SYNC
Patches currently in stable-queue which might be from chris@xxxxxxxxxxxxxxxxxx are
queue-4.9/dma-buf-sw-sync-fix-the-is-signaled-test-to-handle-u32-wraparound.patch
queue-4.9/dma-fence-clear-fence-status-during-dma_fence_init.patch
queue-4.9/dma-buf-sw-sync-fix-locking-around-sync_timeline-lists.patch
queue-4.9/dma-fence-wrap-querying-the-fence-status.patch
queue-4.9/dma-buf-sw_sync-clean-up-list-before-signaling-the-fence.patch
queue-4.9/dma-buf-sw-sync-reduce-irqsave-irqrestore-from-known-context.patch
queue-4.9/dma-buf-sw_sync-move-timeline_fence_ops-around.patch
queue-4.9/dma-buf-sw-sync-prevent-user-overflow-on-timeline-advance.patch
queue-4.9/dma-fence-introduce-drm_fence_set_error-helper.patch
queue-4.9/dma-buf-sw_sync-force-signal-all-unsignaled-fences-on-dying-timeline.patch
queue-4.9/dma-buf-sw-sync-use-an-rbtree-to-sort-fences-in-the-timeline.patch
queue-4.9/dma-buf-sw-sync-sync_pt-is-private-and-of-fixed-size.patch
queue-4.9/dma-buf-dma-fence-extract-__dma_fence_is_later.patch