Commit 7b72d3ba authored Dec 14, 2015 by Dmitry Torokhov Committed by DidntRead Apr 03, 2019

android: unconditionally remove callbacks in sync_fence_free()



[ Upstream commit 699f685569434510d944e419f4048c4e3ba8d631 ]

Using fence->status to determine whether or not there are callbacks
remaining on the sync_fence is racy since fence->status may have been
decremented to 0 on another CPU before fence_check_cb_func() has
completed.  By unconditionally calling fence_remove_callback() for each
fence in the sync_fence, we guarantee that each callback has either
completed (since fence_remove_callback() grabs the fence lock) or been
removed.

Signed-off-by: Andrew Bresticker <abrestic@chromium.org>
Signed-off-by: Dmitry Torokhov <dtor@chromium.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>

parent ab985cb3

drivers/staging/android/sync.c

+2 −2

Original line number	Diff line number	Diff line
		@@ -531,10 +531,10 @@ static const struct fence_ops android_fence_ops = {
		static void sync_fence_free(struct kref *kref)
		{
		struct sync_fence *fence = container_of(kref, struct sync_fence, kref);
		int i; // Google Patch 4f4f7cc
		int i;

		for (i = 0; i < fence->num_fences; ++i) {
		fence_remove_callback(fence->cbs[i].sync_pt, &fence->cbs[i].cb); // Google Patch 4f4f7cc
		fence_remove_callback(fence->cbs[i].sync_pt, &fence->cbs[i].cb);
		fence_put(fence->cbs[i].sync_pt);
		}