From: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
Date: Tue, 12 Mar 2013 14:38:43 +0000 (+0100)
Subject: drm/shmobile: Fix race condition between page flip request and handler
X-Git-Tag: v3.10-rc1~110^2~25
X-Git-Url: https://asedeno.scripts.mit.edu/gitweb/?a=commitdiff_plain;h=17f0efc4f463e5b74026863521cbd47fb93f5686;p=linux.git

drm/shmobile: Fix race condition between page flip request and handler

The page flip handler stores the page flip event pointer and then calls
drm_vblank_get() to enable the vblank interrupt. Due to the vblank off
delay, the vblank interrupt can be enabled in the hardware at that
point, even if the vblank reference count is equal to 0. If a vblank
interrupt is triggered between storing the event pointer and calling
drm_vblank_get(), the page flip completion handler will process the
event and call drm_vblank_put() with a reference count equal to 0. This
will result in a BUG_ON.

Fix the race condition by calling drm_vblank_get() before storing the
event pointer.

Signed-off-by: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
---

diff --git a/drivers/gpu/drm/shmobile/shmob_drm_crtc.c b/drivers/gpu/drm/shmobile/shmob_drm_crtc.c
index d917a411ca85..7dff49ed66e7 100644
--- a/drivers/gpu/drm/shmobile/shmob_drm_crtc.c
+++ b/drivers/gpu/drm/shmobile/shmob_drm_crtc.c
@@ -494,10 +494,10 @@ static int shmob_drm_crtc_page_flip(struct drm_crtc *crtc,
 
 	if (event) {
 		event->pipe = 0;
+		drm_vblank_get(dev, 0);
 		spin_lock_irqsave(&dev->event_lock, flags);
 		scrtc->event = event;
 		spin_unlock_irqrestore(&dev->event_lock, flags);
-		drm_vblank_get(dev, 0);
 	}
 
 	return 0;