sync: Fix race condition between merge and signal
The copied sync_pt was activated immediately. If the sync_pt was
signaled before the entire merge was completed, the new fence's pt_list
could be iterated over while it is still in the process of being
created.
Moving the the sync_pt_activate call for all new sync_pts to after both
the sync_fence_copy_pts and the sync_fence_merge_pts calls ensure that
the pt_list is complete and immutable before it can be reached from the
timeline's active list.
Change-Id: I7aa4d404a822347b6ce148018d2a66e4f6a20c78
Signed-off-by: Erik Gilling <konkers@android.com>
Signed-off-by: Naseer Ahmed <naseer@codeaurora.org>
diff --git a/drivers/base/sync.c b/drivers/base/sync.c
index 809d02b..a97a503 100644
--- a/drivers/base/sync.c
+++ b/drivers/base/sync.c
@@ -324,7 +324,6 @@
new_pt->fence = dst;
list_add(&new_pt->pt_list, &dst->pt_list_head);
- sync_pt_activate(new_pt);
}
return 0;
@@ -356,7 +355,6 @@
new_pt->fence = dst;
list_replace(&dst_pt->pt_list,
&new_pt->pt_list);
- sync_pt_activate(new_pt);
sync_pt_free(dst_pt);
}
collapsed = true;
@@ -372,7 +370,6 @@
new_pt->fence = dst;
list_add(&new_pt->pt_list, &dst->pt_list_head);
- sync_pt_activate(new_pt);
}
}
@@ -453,6 +450,7 @@
struct sync_fence *a, struct sync_fence *b)
{
struct sync_fence *fence;
+ struct list_head *pos;
int err;
fence = sync_fence_alloc(name);
@@ -467,6 +465,12 @@
if (err < 0)
goto err;
+ list_for_each(pos, &fence->pt_list_head) {
+ struct sync_pt *pt =
+ container_of(pos, struct sync_pt, pt_list);
+ sync_pt_activate(pt);
+ }
+
/*
* signal the fence in case one of it's pts were activated before
* they were activated