drm: Hold the mutex when dropping the last GEM reference (v2) - linux

diff options

author	Chris Wilson <chris@chris-wilson.co.uk>	2010-09-30 10:10:26 +0200
committer	Dave Airlie <airlied@redhat.com>	2010-10-01 13:08:45 +0200
commit	39b4d07aa3583ceefe73622841303a0a3e942ca1 (patch)
tree	d42f6e782f331b1d967f50ca3a02b9e51ea88515 /security
parent	drm/gem: handlecount isn't really a kref so don't make it one. (diff)
download	linux-39b4d07aa3583ceefe73622841303a0a3e942ca1.tar.xz linux-39b4d07aa3583ceefe73622841303a0a3e942ca1.zip

drm: Hold the mutex when dropping the last GEM reference (v2)

In order to be fully threadsafe we need to check that the drm_gem_object refcount is still 0 after acquiring the mutex in order to call the free function. Otherwise, we may encounter scenarios like: Thread A: Thread B: drm_gem_close unreference_unlocked kref_put mutex_lock ... i915_gem_evict ... kref_get -> BUG ... i915_gem_unbind ... kref_put ... i915_gem_object_free ... mutex_unlock mutex_lock i915_gem_object_free -> BUG i915_gem_object_unbind kfree mutex_unlock Note that no driver is currently using the free_unlocked vfunc and it is scheduled for removal, hasten that process. Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=30454 Reported-and-Tested-by: Magnus Kessler <Magnus.Kessler@gmx.net> Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk> Cc: stable@kernel.org Signed-off-by: Dave Airlie <airlied@redhat.com>

Diffstat (limited to 'security')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: