From patchwork Wed Feb  5 00:08:36 2014
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: John Stultz <john.stultz@linaro.org>
X-Patchwork-Id: 24151
Return-Path: <patchwork-forward+bncBCJ7RPMX4EMBBLUCY2LQKGQENYLPTQA@linaro.org>
X-Original-To: linaro@patches.linaro.org
Delivered-To: linaro@patches.linaro.org
Received: from mail-oa0-f70.google.com (mail-oa0-f70.google.com
 [209.85.219.70])
 by ip-10-151-82-157.ec2.internal (Postfix) with ESMTPS id 34047202FA
 for <linaro@patches.linaro.org>; Wed,  5 Feb 2014 00:09:19 +0000 (UTC)
Received: by mail-oa0-f70.google.com with SMTP id m1sf41607925oag.1
 for <linaro@patches.linaro.org>; Tue, 04 Feb 2014 16:09:18 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20130820;
 h=x-gm-message-state:mime-version:delivered-to:from:to:cc:subject
 :date:message-id:in-reply-to:references:x-original-sender
 :x-original-authentication-results:precedence:mailing-list:list-id
 :list-post:list-help:list-archive:list-unsubscribe;
 bh=1fcVHvphRsKRsIBIEGEDusDTRPGKOqGYQ1s8o5Soj38=;
 b=MyJjC3kWdDVgdQhU8ulrDpBsYl1dC5DiBOUXyIfjUI9mjtKzxtGpuD6LTrDtPutzkq
 oaQ9iWl0I5pmRIGqNUMNn1m6M9nuqQa6e/+8lCJwb6Uyk6T+kp686c9ZKqbl4FJBcCeK
 iOpJLgap6eMjtKlQx+S53Rep/GFRX0tiRrFxcdZR1OfsgZpCeTSg7H5iUupt0nXK8W2n
 E552JkowVCYtoVgL5kTAse+aLoST4O04S8nR5X3XD8Xzs8SvILfYblYqXN5f5vjdbrlS
 vIHYd8fs98l+QfytFL492vKv/OIDE3ySUpu9dti62Xay6UmzUBPoVPTzBnRB8e0xVt/e
 6VIA==
X-Gm-Message-State: ALoCoQmKUXcUcppWGPJNKAePIHnZHPI4stMZtQa9PK+ZUOL2YDKs0FVxvdN34T+DuxxZBzxCujuT
X-Received: by 10.182.126.137 with SMTP id my9mr17763707obb.13.1391558958185; 
 Tue, 04 Feb 2014 16:09:18 -0800 (PST)
MIME-Version: 1.0
X-BeenThere: patchwork-forward@linaro.org
Received: by 10.140.109.101 with SMTP id k92ls262711qgf.78.gmail; Tue, 04 Feb
 2014 16:09:18 -0800 (PST)
X-Received: by 10.52.166.9 with SMTP id zc9mr29341756vdb.16.1391558958096;
 Tue, 04 Feb 2014 16:09:18 -0800 (PST)
Received: from mail-ve0-f170.google.com (mail-ve0-f170.google.com
 [209.85.128.170]) by mx.google.com with ESMTPS id
 uo10si2233861vec.94.2014.02.04.16.09.18
 for <patchwork-forward@linaro.org>
 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128);
 Tue, 04 Feb 2014 16:09:18 -0800 (PST)
Received-SPF: neutral (google.com: 209.85.128.170 is neither permitted nor
 denied by best guess record for domain of
 patch+caf_=patchwork-forward=linaro.org@linaro.org)
 client-ip=209.85.128.170; 
Received: by mail-ve0-f170.google.com with SMTP id cz12so6797921veb.1
 for <patchwork-forward@linaro.org>;
 Tue, 04 Feb 2014 16:09:18 -0800 (PST)
X-Received: by 10.58.90.202 with SMTP id by10mr33743597veb.6.1391558958003; 
 Tue, 04 Feb 2014 16:09:18 -0800 (PST)
X-Forwarded-To: patchwork-forward@linaro.org
X-Forwarded-For: patch@linaro.org patchwork-forward@linaro.org
Delivered-To: patches@linaro.org
Received: by 10.220.174.196 with SMTP id u4csp4084vcz;
 Tue, 4 Feb 2014 16:09:17 -0800 (PST)
X-Received: by 10.66.144.227 with SMTP id sp3mr47442891pab.100.1391558957059; 
 Tue, 04 Feb 2014 16:09:17 -0800 (PST)
Received: from mail-pa0-f43.google.com (mail-pa0-f43.google.com
 [209.85.220.43]) by mx.google.com with ESMTPS id
 eb3si26592991pbd.197.2014.02.04.16.09.16 for <patches@linaro.org>
 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128);
 Tue, 04 Feb 2014 16:09:17 -0800 (PST)
Received-SPF: neutral (google.com: 209.85.220.43 is neither permitted nor
 denied by best guess record for domain of
 john.stultz@linaro.org) client-ip=209.85.220.43; 
Received: by mail-pa0-f43.google.com with SMTP id rd3so9229477pab.2
 for <patches@linaro.org>; Tue, 04 Feb 2014 16:09:16 -0800 (PST)
X-Received: by 10.68.29.72 with SMTP id i8mr38098354pbh.116.1391558956473;
 Tue, 04 Feb 2014 16:09:16 -0800 (PST)
Received: from localhost.localdomain (c-67-170-153-23.hsd1.or.comcast.net.
 [67.170.153.23]) by mx.google.com with ESMTPSA id
 g6sm181483447pat.2.2014.02.04.16.09.15 for <multiple recipients>
 (version=TLSv1.1 cipher=ECDHE-RSA-RC4-SHA bits=128/128);
 Tue, 04 Feb 2014 16:09:15 -0800 (PST)
From: John Stultz <john.stultz@linaro.org>
To: LKML <linux-kernel@vger.kernel.org>
Cc: Alistair Strachan <alistair.strachan@imgtec.com>,
 Greg KH <gregkh@linuxfoundation.org>, Colin Cross <ccross@android.com>,
 Android Kernel Team <kernel-team@android.com>,
 John Stultz <john.stultz@linaro.org>
Subject: [PATCH 3/7] staging: sync: Fix a race condition between release_obj
 and print_obj
Date: Tue,  4 Feb 2014 16:08:36 -0800
Message-Id: <1391558920-31590-4-git-send-email-john.stultz@linaro.org>
X-Mailer: git-send-email 1.8.3.2
In-Reply-To: <1391558920-31590-1-git-send-email-john.stultz@linaro.org>
References: <1391558920-31590-1-git-send-email-john.stultz@linaro.org>
X-Removed-Original-Auth: Dkim didn't pass.
X-Original-Sender: john.stultz@linaro.org
X-Original-Authentication-Results: mx.google.com;       spf=neutral
 (google.com: 209.85.128.170 is neither permitted nor denied by best
 guess record for domain of
 patch+caf_=patchwork-forward=linaro.org@linaro.org)
 smtp.mail=patch+caf_=patchwork-forward=linaro.org@linaro.org
Precedence: list
Mailing-list: list patchwork-forward@linaro.org;
 contact patchwork-forward+owners@linaro.org
List-ID: <patchwork-forward.linaro.org>
X-Google-Group-Id: 836684582541
List-Post: <http://groups.google.com/a/linaro.org/group/patchwork-forward/post>, 
 <mailto:patchwork-forward@linaro.org>
List-Help: <http://support.google.com/a/linaro.org/bin/topic.py?topic=25838>, 
 <mailto:patchwork-forward+help@linaro.org>
List-Archive: <http://groups.google.com/a/linaro.org/group/patchwork-forward/>
List-Unsubscribe: <http://groups.google.com/a/linaro.org/group/patchwork-forward/subscribe>, 
 <mailto:googlegroups-manage+836684582541+unsubscribe@googlegroups.com>

From: Alistair Strachan <alistair.strachan@imgtec.com>

Before this change, a timeline would only be removed from the timeline
list *after* the sync driver had its release_obj() called. However, the
driver's release_obj() may free resources needed by print_obj().

Although the timeline list is locked when print_obj() is called, it is
not locked when release_obj() is called. If one CPU was in print_obj()
when another was in release_obj(), the print_obj() may make unsafe
accesses.

It is not actually necessary to hold the timeline list lock when calling
release_obj() if the call is made after the timeline is unlinked from
the list, since there is no possibility another thread could be in --
or enter -- print_obj() for that timeline.

This change moves the release_obj() call to after the timeline is
unlinked, preventing the above race from occurring.

Cc: Greg KH <gregkh@linuxfoundation.org>
Cc: Colin Cross <ccross@android.com>
Cc: Android Kernel Team <kernel-team@android.com>
Signed-off-by: Alistair Strachan <alistair.strachan@imgtec.com>
[jstultz: minor commit subject tweak]
Signed-off-by: John Stultz <john.stultz@linaro.org>
---
 drivers/staging/android/sync.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/staging/android/sync.c b/drivers/staging/android/sync.c
index fec2d1c..3d05f662 100644
--- a/drivers/staging/android/sync.c
+++ b/drivers/staging/android/sync.c
@@ -79,13 +79,13 @@ static void sync_timeline_free(struct kref *kref)
 		container_of(kref, struct sync_timeline, kref);
 	unsigned long flags;
 
-	if (obj->ops->release_obj)
-		obj->ops->release_obj(obj);
-
 	spin_lock_irqsave(&sync_timeline_list_lock, flags);
 	list_del(&obj->sync_timeline_list);
 	spin_unlock_irqrestore(&sync_timeline_list_lock, flags);
 
+	if (obj->ops->release_obj)
+		obj->ops->release_obj(obj);
+
 	kfree(obj);
 }