1 From 5b47cb78e8ce1991ef58a57cfb76a2698ce10982 Mon Sep 17 00:00:00 2001
2 From: Dmitry Torokhov <dtor@chromium.org>
3 Date: Mon, 14 Dec 2015 17:34:08 -0800
4 Subject: android: unconditionally remove callbacks in sync_fence_free()
6 [ Upstream commit 699f685569434510d944e419f4048c4e3ba8d631 ]
8 Using fence->status to determine whether or not there are callbacks
9 remaining on the sync_fence is racy since fence->status may have been
10 decremented to 0 on another CPU before fence_check_cb_func() has
11 completed. By unconditionally calling fence_remove_callback() for each
12 fence in the sync_fence, we guarantee that each callback has either
13 completed (since fence_remove_callback() grabs the fence lock) or been removed.
16 Signed-off-by: Andrew Bresticker <abrestic@chromium.org>
17 Signed-off-by: Dmitry Torokhov <dtor@chromium.org>
18 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
19 Signed-off-by: Sasha Levin <sashal@kernel.org>
21 drivers/staging/android/sync.c | 6 ++----
22 1 file changed, 2 insertions(+), 4 deletions(-)
24 diff --git a/drivers/staging/android/sync.c b/drivers/staging/android/sync.c
25 index f83e00c78051..50a9945da27e 100644
26 --- a/drivers/staging/android/sync.c
27 +++ b/drivers/staging/android/sync.c
28 @@ -519,12 +519,10 @@ static const struct fence_ops android_fence_ops = {
29 static void sync_fence_free(struct kref *kref)
31 struct sync_fence *fence = container_of(kref, struct sync_fence, kref);
32 - int i, status = atomic_read(&fence->status);
35 for (i = 0; i < fence->num_fences; ++i) {
37 - fence_remove_callback(fence->cbs[i].sync_pt,
39 + fence_remove_callback(fence->cbs[i].sync_pt, &fence->cbs[i].cb);
40 fence_put(fence->cbs[i].sync_pt);