etnaviv: drm: fix BO refcount race
There is a race where the BO refcount might drop to 0 before the
dmabuf/name import paths had a chance to grab a reference for a
BO found in the handle_table. The easiest solution is to keep the
refcount stable as long as the table_lock is held.
While a more involved scheme of rechecking the refcount before
actually destroying the BO might also work, the bo_del path isn't
called very often, so micro-optimizing a single mutex_lock seems
to be over-engineered, so go for the easy solution.
Cc: <mesa-stable@lists.freedesktop.org>
Signed-off-by: Lucas Stach <l.stach@pengutronix.de>
Reviewed-by: Christian Gmeiner <christian.gmeiner@gmail.com>
Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/7367>
diff --git a/src/etnaviv/drm/etnaviv_bo.c b/src/etnaviv/drm/etnaviv_bo.c
index 0ec64b7..7fde304 100644
--- a/src/etnaviv/drm/etnaviv_bo.c
+++ b/src/etnaviv/drm/etnaviv_bo.c
@@ -257,11 +257,15 @@
struct etna_device *dev = bo->dev;
- if (!p_atomic_dec_zero(&bo->refcnt))
- return;
-
pthread_mutex_lock(&etna_drm_table_lock);
+ /* Must test under table lock to avoid racing with the from_dmabuf/name
+ * paths, which rely on the BO refcount to be stable over the lookup, so
+ * they can grab a reference when the BO is found in the hash.
+ */
+ if (!p_atomic_dec_zero(&bo->refcnt))
+ goto out;
+
if (bo->reuse && (etna_bo_cache_free(&dev->bo_cache, bo) == 0))
goto out;
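Review bot: The new early exit `goto out` after `p_atomic_dec_zero(&bo->refcnt)` is only correct if the `out:` label releases `etna_drm_table_lock`, and that label lies outside this hunk. The pre-existing `goto out` after `etna_bo_cache_free()` is also taken with the lock held, which suggests it does, but please confirm so that a non-final unref cannot return with the mutex still held. The fix also depends on the from_dmabuf/name paths taking their reference while still holding the same lock, which the comment states but these lines do not show. Consider saying in the comment that any lookup that takes a reference on a BO found in the table must do so under `etna_drm_table_lock`. Every unref now takes the global lock, not only the final one, which the commit message accepts as a trade-off.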