drm: Hold the mutex when dropping the last GEM reference (v2)
author Chris Wilson <chris@chris-wilson.co.uk>
Thu, 30 Sep 2010 08:10:26 +0000 (09:10 +0100)
committer Dave Airlie <airlied@redhat.com>
Fri, 1 Oct 2010 11:08:45 +0000 (21:08 +1000)
commit 39b4d07aa3583ceefe73622841303a0a3e942ca1
tree d42f6e782f331b1d967f50ca3a02b9e51ea88515
parent 29d08b3efddca628b0360411ab2b85f7b1723f48

In order to be fully threadsafe we need to check that the drm_gem_object
refcount is still 0 after acquiring the mutex in order to call the free
function. Otherwise, we may encounter scenarios like:

Thread A:                                        Thread B:
drm_gem_close
unreference_unlocked
kref_put                                         mutex_lock
...                                              i915_gem_evict
...                                              kref_get -> BUG
...                                              i915_gem_unbind
...                                              kref_put
...                                              i915_gem_object_free
...                                              mutex_unlock
mutex_lock
i915_gem_object_free -> BUG
i915_gem_object_unbind
kfree
mutex_unlock

Note that no driver is currently using the free_unlocked vfunc and it is
scheduled for removal, hasten that process.

Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=30454
Reported-and-Tested-by: Magnus Kessler <Magnus.Kessler@gmx.net>
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Cc: stable@kernel.org
Signed-off-by: Dave Airlie <airlied@redhat.com>
drivers/gpu/drm/drm_gem.c
include/drm/drmP.h
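
The interleaving from the commit message, replayed step by step in a single-threaded userspace model so the outcome is deterministic. This is an added example, not code from the commit or the kernel. `struct obj`, `evict` and the two `replay_*` functions are hypothetical names, and the locked variant assumes the final put and the free happen inside one critical section, as the commit title describes.

```c
#include <stdbool.h>
#include <stdio.h>
/* Constructed userspace model of one GEM-like object; names are hypothetical. */
struct obj {
    int refcount;    /* models the kref */
    bool bound;      /* still visible to the eviction path */
    int frees;       /* how many times the free function ran */
    int get_on_zero; /* kref_get calls that found refcount == 0 */
};

static void obj_free(struct obj *o) { o->bound = false; o->frees++; }

/* Thread B's critical section: evict the object if it is still bound. */
static void evict(struct obj *o)
{
    if (!o->bound) return;
    o->get_on_zero += (o->refcount == 0); /* "kref_get -> BUG" in the diagram */
    o->refcount++;                        /* kref_get */
    o->bound = false;                     /* unbind */
    if (--o->refcount == 0)               /* kref_put */
        obj_free(o);
}

/* Before: A drops the last reference first, takes the mutex only to free. */
static struct obj replay_unlocked_put(void)
{
    struct obj o = { .refcount = 1, .bound = true };
    bool a_pending = (--o.refcount == 0); /* A: kref_put, no mutex held */
    evict(&o);                            /* B runs under the mutex */
    if (a_pending) obj_free(&o);          /* A: second free of the same object */
    return o;
}

/* After: A's put and free form one critical section, in either order with B. */
static struct obj replay_locked_put(bool b_first)
{
    struct obj o = { .refcount = 1, .bound = true };
    if (b_first) evict(&o);
    if (--o.refcount == 0) obj_free(&o);
    if (!b_first) evict(&o);
    return o;
}

int main(void)
{
    struct obj u = replay_unlocked_put(), s = replay_locked_put(true);
    printf("unlocked put: frees=%d, locked put: frees=%d\n", u.frees, s.frees);
    return 0;
}
```
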