drm/nouveau: Fix race condition in channel refcount handling.

nouveau_channel_put() can be executed after the 'refcount == 0' check
in nouveau_channel_get() and before the channel reference count is
incremented. In that case CPU0 will take the context down while CPU1
thinks it owns the channel and 'refcount == 1'.

Signed-off-by: Francisco Jerez <currojerez@riseup.net>
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>

1 files changed, 2 insertions, 3 deletions

diff --git a/drivers/gpu/drm/nouveau/nouveau_channel.c b/drivers/gpu/drm/nouveau/nouveau_channel.c
index 9a051fafa7c3..c46a6f641964 100644
--- a/drivers/gpu/drm/nouveau/nouveau_channel.c
+++ b/drivers/gpu/drm/nouveau/nouveau_channel.c
@@ -247,17 +247,16 @@ nouveau_channel_get(struct drm_device *dev, struct drm_file *file_priv, int id)
 	spin_lock_irqsave(&dev_priv->channels.lock, flags);
 	chan = dev_priv->channels.ptr[id];
 
-	if (unlikely(!chan || atomic_read(&chan->refcount) == 0)) {
+	if (unlikely(!chan || (file_priv && chan->file_priv != file_priv))) {
 		spin_unlock_irqrestore(&dev_priv->channels.lock, flags);
 		return ERR_PTR(-EINVAL);
 	}
 
-	if (unlikely(file_priv && chan->file_priv != file_priv)) {
+	if (unlikely(!atomic_inc_not_zero(&chan->refcount))) {
 		spin_unlock_irqrestore(&dev_priv->channels.lock, flags);
 		return ERR_PTR(-EINVAL);
 	}
 
-	atomic_inc(&chan->refcount);
 	spin_unlock_irqrestore(&dev_priv->channels.lock, flags);
 
 	mutex_lock(&chan->mutex);