drm/nouveau: Fix race condition in channel refcount handling.

nouveau_channel_put() can be executed after the 'refcount == 0' check
in nouveau_channel_get() and before the channel reference count is
incremented. In that case CPU0 will take the context down while CPU1
thinks it owns the channel and 'refcount == 1'.

Signed-off-by: Francisco Jerez <currojerez@riseup.net>
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>

diff --git a/drivers/gpu/drm/nouveau/nouveau_channel.c b/drivers/gpu/drm/nouveau/nouveau_channel.c
index 9a051fa..c46a6f6 100644 (file)
--- a/drivers/gpu/drm/nouveau/nouveau_channel.c
+++ b/drivers/gpu/drm/nouveau/nouveau_channel.c
@@ -247,17 +247,16 @@ nouveau_channel_get(struct drm_device *dev, struct drm_file *file_priv, int id)
        spin_lock_irqsave(&dev_priv->channels.lock, flags);
        chan = dev_priv->channels.ptr[id];
 
-       if (unlikely(!chan || atomic_read(&chan->refcount) == 0)) {
+       if (unlikely(!chan || (file_priv && chan->file_priv != file_priv))) {
                spin_unlock_irqrestore(&dev_priv->channels.lock, flags);
                return ERR_PTR(-EINVAL);
        }
 
-       if (unlikely(file_priv && chan->file_priv != file_priv)) {
+       if (unlikely(!atomic_inc_not_zero(&chan->refcount))) {
                spin_unlock_irqrestore(&dev_priv->channels.lock, flags);
                return ERR_PTR(-EINVAL);
        }
 
-       atomic_inc(&chan->refcount);
        spin_unlock_irqrestore(&dev_priv->channels.lock, flags);
 
        mutex_lock(&chan->mutex);