[PATCH 22/30] staging: sync: Protect unlocked access to fence status

From: John Stultz
Date: Thu Feb 28 2013 - 19:47:00 EST


From: Erik Gilling <konkers@xxxxxxxxxxx>

Fence status is checked outside of locks in both sync_fence_wait and
sync_fence_poll. This patch adds propper barrier protection in these
cases to avoid seeing stale status.

Cc: Maarten Lankhorst <maarten.lankhorst@xxxxxxxxxxxxx>
Cc: Erik Gilling <konkers@xxxxxxxxxxx>
Cc: Daniel Vetter <daniel.vetter@xxxxxxxx>
Cc: Rob Clark <robclark@xxxxxxxxx>
Cc: Sumit Semwal <sumit.semwal@xxxxxxxxxx>
Cc: Greg KH <gregkh@xxxxxxxxxxxxxxxxxxx>
Cc: dri-devel@xxxxxxxxxxxxxxxxxxxxx
Cc: Android Kernel Team <kernel-team@xxxxxxxxxxx>
Signed-off-by: Erik Gilling <konkers@xxxxxxxxxxx>
Signed-off-by: John Stultz <john.stultz@xxxxxxxxxx>
---
drivers/staging/android/sync.c | 18 +++++++++++++++++-
1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/drivers/staging/android/sync.c b/drivers/staging/android/sync.c
index 36ffa20..2394189 100644
--- a/drivers/staging/android/sync.c
+++ b/drivers/staging/android/sync.c
@@ -556,6 +556,16 @@ int sync_fence_cancel_async(struct sync_fence *fence,
}
EXPORT_SYMBOL(sync_fence_cancel_async);

+static bool sync_fence_check(struct sync_fence *fence)
+{
+ /*
+ * Make sure that reads to fence->status are ordered with the
+ * wait queue event triggering
+ */
+ smp_rmb();
+ return fence->status != 0;
+}
+
int sync_fence_wait(struct sync_fence *fence, long timeout)
{
int err = 0;
@@ -563,7 +573,7 @@ int sync_fence_wait(struct sync_fence *fence, long timeout)
if (timeout > 0) {
timeout = msecs_to_jiffies(timeout);
err = wait_event_interruptible_timeout(fence->wq,
- fence->status != 0,
+ sync_fence_check(fence),
timeout);
} else if (timeout < 0) {
err = wait_event_interruptible(fence->wq, fence->status != 0);
@@ -630,6 +640,12 @@ static unsigned int sync_fence_poll(struct file *file, poll_table *wait)

poll_wait(file, &fence->wq, wait);

+ /*
+ * Make sure that reads to fence->status are ordered with the
+ * wait queue event triggering
+ */
+ smp_rmb();
+
if (fence->status == 1)
return POLLIN;
else if (fence->status < 0)
--
1.7.10.4

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/