From 3137fbd9b4c715f9c8f945fea922092c33ef230f Mon Sep 17 00:00:00 2001
From: Mainak Sen
Date: Thu, 22 May 2025 05:31:52 +0000
Subject: [PATCH] gpu: host1x: Fix race in syncpt alloc/free

Fix riace condition between host1x_syncpt_alloc() and host1x_syncpt_put() by using kref_put_mutex() instead of kref_put() + manual mutex locking. This ensures no thread can acquire the syncpt_mutex after the refcount drops to zero but before syncpt_release acquires it. This prevents races where syncpoints could be allocated while still being cleaned up from a previous release. Remove explicit mutex locking in syncpt_release as kref_put_mutex() handles this atomically.

Bug 5170956
Change-Id: I9e2348482d5c9646556576772f6b90fa7df3acd2
Signed-off-by: Mainak Sen
Reviewed-on: https://git-master.nvidia.com/r/c/linux-nv-oot/+/3369121
Reviewed-by: mobile promotions
Tested-by: mobile promotions
Reviewed-by: Mikko Perttunen
GVS: buildbot_gerritrpt
---
 drivers/gpu/host1x/syncpt.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/drivers/gpu/host1x/syncpt.c b/drivers/gpu/host1x/syncpt.c
index 6337a736..e3091df3 100644
--- a/drivers/gpu/host1x/syncpt.c
+++ b/drivers/gpu/host1x/syncpt.c
@@ -428,8 +428,6 @@ static void syncpt_release(struct kref *ref)
 	sp->locked = false;
 
-	mutex_lock(&sp->host->syncpt_mutex);
-
 #ifdef CONFIG_HOST1X_HAVE_SYNCPT_BASE
 	host1x_syncpt_base_free(sp->base);
 	sp->base = NULL;
@@ -454,7 +452,7 @@ void host1x_syncpt_put(struct host1x_syncpt *sp)
 	if (!sp)
 		return;
 
-	kref_put(&sp->ref, syncpt_release);
+	kref_put_mutex(&sp->ref, syncpt_release, &sp->host->syncpt_mutex);
 }
 EXPORT_SYMBOL(host1x_syncpt_put);
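Review bot: With kref_put_mutex() in host1x_syncpt_put(), syncpt_release() is now entered with sp->host->syncpt_mutex already held and is responsible for unlocking it, but nothing in either hunk documents that contract; the first hunk removes only the mutex_lock(), and the matching mutex_unlock() at the end of syncpt_release() lies outside the hunk, so it must be kept (dropping it later would leave the mutex held after every final put). Add a comment at the top of syncpt_release(), e.g. `/* Called via kref_put_mutex() with sp->host->syncpt_mutex held; must unlock before returning. */`, so the asymmetric lock/unlock does not look like a bug to the next reader. This also means host1x_syncpt_put() can no longer be called by any path that already holds syncpt_mutex (it would self-deadlock); presumably no such caller exists, but every put on the alloc error paths is worth checking. syncpt_release()'s body starts and ends outside the first hunk.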