diff options
author | Rob Clark <robdclark@chromium.org> | 2020-11-16 09:48:49 -0800 |
---|---|---|
committer | Rob Clark <robdclark@chromium.org> | 2020-11-21 09:50:23 -0800 |
commit | ab5c54cb88350e224632e5b0fcd7f86ece06beb9 (patch) | |
tree | 01cc4f34f02dd7815eb6cdb96ead692b569b793a /lib/mpi/mpi-inline.h | |
parent | e8c765811b1064c200829eacf237ac8c25e79cd0 (diff) |
drm/msm: Protect obj->active_count under obj lock
Previously we only held obj lock in the _active_get() path, and relied
on atomic_dec_return() to not be racy in the _active_put() path where
obj lock was not held.
But this is a false sense of security. Unlike obj lifetime refcnt,
where you do not expect to *increase* the refcnt after the last put
(which would mean that something has gone horribly wrong with the
object liveness reference counting), the active_count can increase
again from zero. Racing _active_put()s and _active_get()s could leave
the obj on the wrong mm list.
But in the retire path, immediately after the _active_put(), the
_unpin_iova() would acquire obj lock. So just move the locking earlier
and rely on that to protect obj->active_count.
Fixes: c5c1643cef7a ("drm/msm: Drop struct_mutex from the retire path")
Signed-off-by: Rob Clark <robdclark@chromium.org>
Diffstat (limited to 'lib/mpi/mpi-inline.h')
0 files changed, 0 insertions, 0 deletions