Linux 3.18.138

[thirdparty/kernel/stable-queue.git] / releases / 3.18.138 / android-unconditionally-remove-callbacks-in-sync_fen.patch

From 5b47cb78e8ce1991ef58a57cfb76a2698ce10982 Mon Sep 17 00:00:00 2001
From: Dmitry Torokhov <dtor@chromium.org>
Date: Mon, 14 Dec 2015 17:34:08 -0800
Subject: android: unconditionally remove callbacks in sync_fence_free()

[ Upstream commit 699f685569434510d944e419f4048c4e3ba8d631 ]

Using fence->status to determine whether or not there are callbacks
remaining on the sync_fence is racy since fence->status may have been
decremented to 0 on another CPU before fence_check_cb_func() has
completed.  By unconditionally calling fence_remove_callback() for each
fence in the sync_fence, we guarantee that each callback has either
completed (since fence_remove_callback() grabs the fence lock) or been
removed.

Signed-off-by: Andrew Bresticker <abrestic@chromium.org>
Signed-off-by: Dmitry Torokhov <dtor@chromium.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/staging/android/sync.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/drivers/staging/android/sync.c b/drivers/staging/android/sync.c
index f83e00c78051..50a9945da27e 100644
--- a/drivers/staging/android/sync.c
+++ b/drivers/staging/android/sync.c
@@ -519,12 +519,10 @@ static const struct fence_ops android_fence_ops = {
 static void sync_fence_free(struct kref *kref)
 {
        struct sync_fence *fence = container_of(kref, struct sync_fence, kref);
-       int i, status = atomic_read(&fence->status);
+       int i;
 
        for (i = 0; i < fence->num_fences; ++i) {
-               if (status)
-                       fence_remove_callback(fence->cbs[i].sync_pt,
-                                             &fence->cbs[i].cb);
+               fence_remove_callback(fence->cbs[i].sync_pt, &fence->cbs[i].cb);
                fence_put(fence->cbs[i].sync_pt);
        }
 
-- 
2.19.1