Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 76c4055f authored by Tomi Valkeinen's avatar Tomi Valkeinen
Browse files

drm/omap: fix race condition with dev->obj_list 



omap_gem_objects are added to dev->obj_list in omap_gem_new, and removed
in omap_gem_free_object. Unfortunately there's no locking for
dev->obj_list, which eventually leads to a crash:

WARNING: CPU: 1 PID: 1123 at lib/list_debug.c:59 __list_del_entry+0xa4/0xe0()
list_del corruption. prev->next should be e9281344, but was ea722b84

Add a spinlock to protect dev->obj_list.

Signed-off-by: default avatarTomi Valkeinen <tomi.valkeinen@ti.com>
parent 8519c62c

drivers/gpu/drm/omapdrm/omap_drv.c

+1 −0
Original line number Diff line number Diff line
@@ -491,6 +491,7 @@ static int dev_load(struct drm_device *dev, unsigned long flags) 


	priv->wq = alloc_ordered_workqueue("omapdrm", 0);



	spin_lock_init(&priv->list_lock);

	INIT_LIST_HEAD(&priv->obj_list);



	omap_gem_init(dev);

drivers/gpu/drm/omapdrm/omap_drv.h

+3 −0
Original line number Diff line number Diff line
@@ -105,6 +105,9 @@ struct omap_drm_private { 


	struct workqueue_struct *wq;



	/* lock for obj_list below */

	spinlock_t list_lock;



	/* list of GEM objects: */

	struct list_head obj_list;

drivers/gpu/drm/omapdrm/omap_gem.c

+5 −0
Original line number Diff line number Diff line
@@ -1273,13 +1273,16 @@ int omap_gem_set_sync_object(struct drm_gem_object *obj, void *syncobj) 
void omap_gem_free_object(struct drm_gem_object *obj)

{

	struct drm_device *dev = obj->dev;

	struct omap_drm_private *priv = dev->dev_private;

	struct omap_gem_object *omap_obj = to_omap_bo(obj);



	evict(obj);



	WARN_ON(!mutex_is_locked(&dev->struct_mutex));



	spin_lock(&priv->list_lock);

	list_del(&omap_obj->mm_list);

	spin_unlock(&priv->list_lock);



	drm_gem_free_mmap_offset(obj);
@@ -1377,7 +1380,9 @@ struct drm_gem_object *omap_gem_new(struct drm_device *dev, 
	if (!omap_obj)

		goto fail;



	spin_lock(&priv->list_lock);

	list_add(&omap_obj->mm_list, &priv->obj_list);

	spin_unlock(&priv->list_lock);



	obj = &omap_obj->base;