Commit c7d39326 authored Jul 07, 2025 by Mainak Sen Committed by Thierry Reding Sep 11, 2025

gpu: host1x: Fix race in syncpt alloc/free



Fix race condition between host1x_syncpt_alloc()
and host1x_syncpt_put() by using kref_put_mutex()
instead of kref_put() + manual mutex locking.

This ensures no thread can acquire the
syncpt_mutex after the refcount drops to zero
but before syncpt_release acquires it.
This prevents races where syncpoints could
be allocated while still being cleaned up
from a previous release.

Remove explicit mutex locking in syncpt_release
as kref_put_mutex() handles this atomically.

Signed-off-by: Mainak Sen <msen@nvidia.com>
Fixes: f5ba33fb ("gpu: host1x: Reserve VBLANK syncpoints at initialization")
Signed-off-by: Mikko Perttunen <mperttunen@nvidia.com>
Signed-off-by: Thierry Reding <treding@nvidia.com>
Link: https://lore.kernel.org/r/20250707-host1x-syncpt-race-fix-v1-1-28b0776e70bc@nvidia.com

parent 1beee8d0

drivers/gpu/host1x/syncpt.c

+1 −3

Original line number	Diff line number	Diff line
		@@ -345,8 +345,6 @@ static void syncpt_release(struct kref *ref)

		sp->locked = false;

		mutex_lock(&sp->host->syncpt_mutex);

		host1x_syncpt_base_free(sp->base);
		kfree(sp->name);
		sp->base = NULL;
		@@ -369,7 +367,7 @@ void host1x_syncpt_put(struct host1x_syncpt *sp)
		if (!sp)
		return;

		kref_put(&sp->ref, syncpt_release);
		kref_put_mutex(&sp->ref, syncpt_release, &sp->host->syncpt_mutex);
		}
		EXPORT_SYMBOL(host1x_syncpt_put);