Commit f175b745 authored by Francisco Jerez, committed by Ben Skeggs

drm/nouveau: Fix race condition in channel refcount handling.

nouveau_channel_put() can be executed after the 'refcount == 0' check
in nouveau_channel_get() and before the channel reference count is
incremented. In that case CPU0 will take the context down while CPU1
thinks it owns the channel and 'refcount == 1'.
Signed-off-by: Francisco Jerez <currojerez@riseup.net>
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
Parent 3945e475
...@@ -247,17 +247,16 @@ nouveau_channel_get(struct drm_device *dev, struct drm_file *file_priv, int id) ...@@ -247,17 +247,16 @@ nouveau_channel_get(struct drm_device *dev, struct drm_file *file_priv, int id)
spin_lock_irqsave(&dev_priv->channels.lock, flags); spin_lock_irqsave(&dev_priv->channels.lock, flags);
chan = dev_priv->channels.ptr[id]; chan = dev_priv->channels.ptr[id];
if (unlikely(!chan || atomic_read(&chan->refcount) == 0)) { if (unlikely(!chan || (file_priv && chan->file_priv != file_priv))) {
spin_unlock_irqrestore(&dev_priv->channels.lock, flags); spin_unlock_irqrestore(&dev_priv->channels.lock, flags);
return ERR_PTR(-EINVAL); return ERR_PTR(-EINVAL);
} }
if (unlikely(file_priv && chan->file_priv != file_priv)) { if (unlikely(!atomic_inc_not_zero(&chan->refcount))) {
spin_unlock_irqrestore(&dev_priv->channels.lock, flags); spin_unlock_irqrestore(&dev_priv->channels.lock, flags);
return ERR_PTR(-EINVAL); return ERR_PTR(-EINVAL);
} }
atomic_inc(&chan->refcount);
spin_unlock_irqrestore(&dev_priv->channels.lock, flags); spin_unlock_irqrestore(&dev_priv->channels.lock, flags);
mutex_lock(&chan->mutex); mutex_lock(&chan->mutex);
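Review bot: The new `atomic_inc_not_zero(&chan->refcount)` call carries no comment explaining why the test and the increment must be one atomic operation even though `dev_priv->channels.lock` is held at that point. The commit message says nouveau_channel_put() can run between the old check and the old `atomic_inc()`, so the lock evidently does not serialize the drop to zero; a one-line comment above the call stating that would keep a later cleanup from splitting it back into `atomic_read()` plus `atomic_inc()`. As a smaller style point, the two failure branches are now identical (unlock, then `return ERR_PTR(-EINVAL)`), so they could be folded into a single condition with `!atomic_inc_not_zero(...)` as the last operand, since short-circuit evaluation guarantees the reference is only taken once the `!chan` and `file_priv` checks have passed.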
......