From patchwork Mon Feb  3 18:16:19 2014
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: John Stultz <john.stultz@linaro.org>
X-Patchwork-Id: 24049
Return-Path: <patchwork-forward+bncBCJ7RPMX4EMBBDF2X6LQKGQE3LRM23Y@linaro.org>
X-Original-To: linaro@patches.linaro.org
Delivered-To: linaro@patches.linaro.org
Received: from mail-vc0-f198.google.com (mail-vc0-f198.google.com
 [209.85.220.198])
 by ip-10-151-82-157.ec2.internal (Postfix) with ESMTPS id 54694202B2
 for <linaro@patches.linaro.org>; Mon,  3 Feb 2014 18:16:45 +0000 (UTC)
Received: by mail-vc0-f198.google.com with SMTP id lf12sf19285536vcb.9
 for <linaro@patches.linaro.org>; Mon, 03 Feb 2014 10:16:44 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20130820;
 h=x-gm-message-state:mime-version:delivered-to:from:to:cc:subject
 :date:message-id:in-reply-to:references:x-original-sender
 :x-original-authentication-results:precedence:mailing-list:list-id
 :list-post:list-help:list-archive:list-unsubscribe;
 bh=1fcVHvphRsKRsIBIEGEDusDTRPGKOqGYQ1s8o5Soj38=;
 b=S+ChFMNojsa5r/3ga/Mdeq5BFLvlqUJC9sXLaggf+gsUxVLBFyv+y+cgJBPaIwAsAg
 6edlM+miQXh9+Fs9bH11aEL6P1nq66uZgdmPEhi56X3A42GWvB2142ZbrlQv825Elv54
 R/ObM1WIKDOp+UlaryBHj86z0Wug7NQZ7UJ1uPeOsnNBML5V1LbtBDXxsy14rNVgN4oS
 PpYAlMWs/62SAC3NY+t0aSK6gTDeHtt4NVMDKxFLtJlibxEz1mr9jP0Qja7ZJhJH8kzQ
 1C88fQHeGQQt1XavG0zq2ie8qWnbzWtx/xW+wsfiAbO/JmfRI9FucP5t7CVlGw44ghWe
 OJ3g==
X-Gm-Message-State: ALoCoQmrwG8FZMZFAFD/ms6hhoh+bFsjrNaKeO+6lOfKkd6BAQixs/HN9yMLYVoTU69PQzr1+WTc
X-Received: by 10.58.38.137 with SMTP id g9mr14800795vek.6.1391451404490;
 Mon, 03 Feb 2014 10:16:44 -0800 (PST)
MIME-Version: 1.0
X-BeenThere: patchwork-forward@linaro.org
Received: by 10.140.44.102 with SMTP id f93ls2008473qga.75.gmail; Mon, 03 Feb
 2014 10:16:44 -0800 (PST)
X-Received: by 10.220.92.135 with SMTP id r7mr29394874vcm.11.1391451404418; 
 Mon, 03 Feb 2014 10:16:44 -0800 (PST)
Received: from mail-vc0-f181.google.com (mail-vc0-f181.google.com
 [209.85.220.181]) by mx.google.com with ESMTPS id
 tt2si7044484vdc.139.2014.02.03.10.16.44
 for <patchwork-forward@linaro.org>
 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128);
 Mon, 03 Feb 2014 10:16:44 -0800 (PST)
Received-SPF: neutral (google.com: 209.85.220.181 is neither permitted nor
 denied by best guess record for domain of
 patch+caf_=patchwork-forward=linaro.org@linaro.org)
 client-ip=209.85.220.181; 
Received: by mail-vc0-f181.google.com with SMTP id ie18so5087830vcb.12
 for <patchwork-forward@linaro.org>;
 Mon, 03 Feb 2014 10:16:44 -0800 (PST)
X-Received: by 10.220.98.143 with SMTP id q15mr420449vcn.38.1391451404317;
 Mon, 03 Feb 2014 10:16:44 -0800 (PST)
X-Forwarded-To: patchwork-forward@linaro.org
X-Forwarded-For: patch@linaro.org patchwork-forward@linaro.org
Delivered-To: patches@linaro.org
Received: by 10.220.174.196 with SMTP id u4csp174173vcz;
 Mon, 3 Feb 2014 10:16:43 -0800 (PST)
X-Received: by 10.66.221.199 with SMTP id qg7mr39135085pac.88.1391451403390; 
 Mon, 03 Feb 2014 10:16:43 -0800 (PST)
Received: from mail-pb0-f41.google.com (mail-pb0-f41.google.com
 [209.85.160.41]) by mx.google.com with ESMTPS id
 pk8si21500729pab.68.2014.02.03.10.16.43 for <patches@linaro.org>
 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128);
 Mon, 03 Feb 2014 10:16:43 -0800 (PST)
Received-SPF: neutral (google.com: 209.85.160.41 is neither permitted nor
 denied by best guess record for domain of
 john.stultz@linaro.org) client-ip=209.85.160.41; 
Received: by mail-pb0-f41.google.com with SMTP id up15so7396545pbc.28
 for <patches@linaro.org>; Mon, 03 Feb 2014 10:16:43 -0800 (PST)
X-Received: by 10.66.249.202 with SMTP id yw10mr38059278pac.111.1391451402927; 
 Mon, 03 Feb 2014 10:16:42 -0800 (PST)
Received: from localhost.localdomain (c-67-170-153-23.hsd1.or.comcast.net.
 [67.170.153.23]) by mx.google.com with ESMTPSA id
 y9sm150496099pas.10.2014.02.03.10.16.40 for <multiple recipients>
 (version=TLSv1.1 cipher=ECDHE-RSA-RC4-SHA bits=128/128);
 Mon, 03 Feb 2014 10:16:42 -0800 (PST)
From: John Stultz <john.stultz@linaro.org>
To: LKML <linux-kernel@vger.kernel.org>
Cc: Alistair Strachan <alistair.strachan@imgtec.com>,
 Greg KH <gregkh@linuxfoundation.org>, Colin Cross <ccross@android.com>,
 Android Kernel Team <kernel-team@android.com>,
 John Stultz <john.stultz@linaro.org>
Subject: [PATCH 07/16] staging: sync: Fix a race condition between
 release_obj and print_obj
Date: Mon,  3 Feb 2014 10:16:19 -0800
Message-Id: <1391451388-23906-8-git-send-email-john.stultz@linaro.org>
X-Mailer: git-send-email 1.8.3.2
In-Reply-To: <1391451388-23906-1-git-send-email-john.stultz@linaro.org>
References: <1391451388-23906-1-git-send-email-john.stultz@linaro.org>
X-Removed-Original-Auth: Dkim didn't pass.
X-Original-Sender: john.stultz@linaro.org
X-Original-Authentication-Results: mx.google.com;       spf=neutral
 (google.com: 209.85.220.181 is neither permitted nor denied by best
 guess record for domain of
 patch+caf_=patchwork-forward=linaro.org@linaro.org)
 smtp.mail=patch+caf_=patchwork-forward=linaro.org@linaro.org
Precedence: list
Mailing-list: list patchwork-forward@linaro.org;
 contact patchwork-forward+owners@linaro.org
List-ID: <patchwork-forward.linaro.org>
X-Google-Group-Id: 836684582541
List-Post: <http://groups.google.com/a/linaro.org/group/patchwork-forward/post>, 
 <mailto:patchwork-forward@linaro.org>
List-Help: <http://support.google.com/a/linaro.org/bin/topic.py?topic=25838>, 
 <mailto:patchwork-forward+help@linaro.org>
List-Archive: <http://groups.google.com/a/linaro.org/group/patchwork-forward/>
List-Unsubscribe: <http://groups.google.com/a/linaro.org/group/patchwork-forward/subscribe>, 
 <mailto:googlegroups-manage+836684582541+unsubscribe@googlegroups.com>

From: Alistair Strachan <alistair.strachan@imgtec.com>

Before this change, a timeline would only be removed from the timeline
list *after* the sync driver had its release_obj() called. However, the
driver's release_obj() may free resources needed by print_obj().

Although the timeline list is locked when print_obj() is called, it is
not locked when release_obj() is called. If one CPU was in print_obj()
when another was in release_obj(), the print_obj() may make unsafe
accesses.

It is not actually necessary to hold the timeline list lock when calling
release_obj() if the call is made after the timeline is unlinked from
the list, since there is no possibility another thread could be in --
or enter -- print_obj() for that timeline.

This change moves the release_obj() call to after the timeline is
unlinked, preventing the above race from occurring.

Cc: Greg KH <gregkh@linuxfoundation.org>
Cc: Colin Cross <ccross@android.com>
Cc: Android Kernel Team <kernel-team@android.com>
Signed-off-by: Alistair Strachan <alistair.strachan@imgtec.com>
[jstultz: minor commit subject tweak]
Signed-off-by: John Stultz <john.stultz@linaro.org>
---
 drivers/staging/android/sync.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/staging/android/sync.c b/drivers/staging/android/sync.c
index fec2d1c..3d05f662 100644
--- a/drivers/staging/android/sync.c
+++ b/drivers/staging/android/sync.c
@@ -79,13 +79,13 @@ static void sync_timeline_free(struct kref *kref)
 		container_of(kref, struct sync_timeline, kref);
 	unsigned long flags;
 
-	if (obj->ops->release_obj)
-		obj->ops->release_obj(obj);
-
 	spin_lock_irqsave(&sync_timeline_list_lock, flags);
 	list_del(&obj->sync_timeline_list);
 	spin_unlock_irqrestore(&sync_timeline_list_lock, flags);
 
+	if (obj->ops->release_obj)
+		obj->ops->release_obj(obj);
+
 	kfree(obj);
 }