    drm/msm: Protect obj->active_count under obj lock · ab5c54cb
    Rob Clark authored
    Previously we only held obj lock in the _active_get() path, and relied
    on atomic_dec_return() to not be racy in the _active_put() path where
    obj lock was not held.
    
    But this is a false sense of security.  Unlike obj lifetime refcnt,
    where you do not expect to *increase* the refcnt after the last put
    (which would mean that something has gone horribly wrong with the
    object liveness reference counting), the active_count can increase
    again from zero.  Racing _active_put()s and _active_get()s could leave
    the obj on the wrong mm list.
    
    But in the retire path, immediately after the _active_put(), the
    _unpin_iova() would acquire obj lock.  So just move the locking earlier
    and rely on that to protect obj->active_count.
    
    Fixes: c5c1643c ("drm/msm: Drop struct_mutex from the retire path")
    Signed-off-by: Rob Clark <robdclark@chromium.org>
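
The race described in the commit message above, replayed by enumerating every interleaving of one _active_get() with one _active_put(). This is an added example, not code from the commit or the msm driver: the two-step split of each operation, `struct obj`, the `mm_list` values and the function names are assumptions of a simplified model.

```c
#include <stdbool.h>
#include <stdio.h>
/* Simplified model for illustration; not the msm driver's code. */
enum mm_list { LIST_INACTIVE, LIST_ACTIVE };
struct obj { int active_count; enum mm_list list; };

/* Replay one schedule of four slots. Bit i set: slot i runs the next put
 * step; clear: the next get step. Each side first updates the counter,
 * then moves the object between lists if it saw the 0 <-> 1 transition. */
static bool schedule_is_consistent(unsigned sched)
{
    struct obj o = { 1, LIST_ACTIVE };   /* one outstanding active ref */
    int get_step = 0, put_step = 0;
    bool first = false, last = false;
    for (int slot = 0; slot < 4; slot++) {
        if (sched & (1u << slot)) {
            if (put_step++ == 0)
                last = (--o.active_count == 0);
            else if (last)
                o.list = LIST_INACTIVE;
        } else {
            if (get_step++ == 0)
                first = (++o.active_count == 1);
            else if (first)
                o.list = LIST_ACTIVE;
        }
    }
    /* Invariant: on the active list exactly when active_count > 0. */
    return (o.active_count > 0) == (o.list == LIST_ACTIVE);
}

/* Count schedules ending on the wrong list. With put_locked, put and get
 * share the obj lock, so only the two non-interleaved orders can occur. */
int count_bad_schedules(bool put_locked)
{
    int bad = 0;
    for (unsigned sched = 0; sched < 16; sched++) {
        if (__builtin_popcount(sched) != 2)
            continue;                    /* exactly two put steps */
        if (put_locked && sched != 0x3 && sched != 0xC)
            continue;                    /* put-then-get or get-then-put */
        bad += !schedule_is_consistent(sched);
    }
    return bad;
}

int main(void)
{
    printf("bad schedules: unlocked put %d, locked put %d\n", count_bad_schedules(false), count_bad_schedules(true));
}
```

The failing schedule is put-decrement, get-increment, get-move, put-move: the counter ends at 1 while the object sits on the inactive list.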
msm_gem.h 8.5 KB