From: Erik Gilling konkers@android.com
Previously fence's pts were freed before the fence was removed from the global fence list. This led to a race with the debugfs support where it would iterate over sync_pts that had been freed.
Cc: Maarten Lankhorst maarten.lankhorst@canonical.com
Cc: Erik Gilling konkers@android.com
Cc: Daniel Vetter daniel.vetter@ffwll.ch
Cc: Rob Clark robclark@gmail.com
Cc: Sumit Semwal sumit.semwal@linaro.org
Cc: Greg KH gregkh@linuxfoundation.org
Cc: dri-devel@lists.freedesktop.org
Cc: Android Kernel Team kernel-team@android.com
Signed-off-by: Erik Gilling konkers@android.com
Signed-off-by: John Stultz john.stultz@linaro.org
---
drivers/staging/android/sync.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/staging/android/sync.c b/drivers/staging/android/sync.c index 6739a84..2afbd69 100644 --- a/drivers/staging/android/sync.c +++ b/drivers/staging/android/sync.c @@ -520,12 +520,12 @@ static int sync_fence_release(struct inode *inode, struct file *file) struct sync_fence *fence = file->private_data; unsigned long flags;
- sync_fence_free_pts(fence); - spin_lock_irqsave(&sync_fence_list_lock, flags); list_del(&fence->sync_fence_list); spin_unlock_irqrestore(&sync_fence_list_lock, flags);
+ sync_fence_free_pts(fence); + kfree(fence);
return 0;
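Review bot: In sync_fence_release(), the new ordering (list_del() under sync_fence_list_lock, then sync_fence_free_pts() and kfree() after the unlock) only closes the race if the debugfs reader holds sync_fence_list_lock for the entire time it walks a fence's sync_pts, and neither the hunk nor the commit message says so. If the reader finds the fence under the lock and then drops the lock before walking the pts, it can still touch freed sync_pts. Please state the locking assumption in the commit message, and consider a short comment above list_del(&fence->sync_fence_list) saying the fence must be unlinked before its pts are freed, so a later cleanup does not undo the ordering.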