1 From 53de1d6daf22ab3d0f36ca81bb4eaec81f698886 Mon Sep 17 00:00:00 2001
2 From: Phil Elwell <phil@raspberrypi.org>
3 Date: Wed, 23 Mar 2016 14:16:25 +0000
4 Subject: [PATCH] vchiq_arm: Access the dequeue_pending flag locked
6 Reading through this code looking for another problem (now found in userland)
7 the use of dequeue_pending outside a lock didn't seem safe.
9 Signed-off-by: Phil Elwell <phil@raspberrypi.org>
11 .../misc/vc04_services/interface/vchiq_arm/vchiq_arm.c | 17 ++++++++++++-----
12 1 file changed, 12 insertions(+), 5 deletions(-)
14 --- a/drivers/misc/vc04_services/interface/vchiq_arm/vchiq_arm.c
15 +++ b/drivers/misc/vc04_services/interface/vchiq_arm/vchiq_arm.c
16 @@ -279,6 +279,7 @@ service_callback(VCHIQ_REASON_T reason,
17 USER_SERVICE_T *user_service;
18 VCHIQ_SERVICE_T *service;
19 VCHIQ_INSTANCE_T instance;
20 + int skip_completion = 0;
21 DEBUG_INITIALISE(g_state.local)
23 DEBUG_TRACE(SERVICE_CALLBACK_LINE);
24 @@ -345,9 +346,6 @@ service_callback(VCHIQ_REASON_T reason,
25 user_service->msg_queue[user_service->msg_insert &
26 (MSG_QUEUE_SIZE - 1)] = header;
27 user_service->msg_insert++;
28 - spin_unlock(&msg_queue_spinlock);
30 - up(&user_service->insert_event);
32 /* If there is a thread waiting in DEQUEUE_MESSAGE, or if
33 ** there is a MESSAGE_AVAILABLE in the completion queue then
34 @@ -356,13 +354,22 @@ service_callback(VCHIQ_REASON_T reason,
35 if (((user_service->message_available_pos -
36 instance->completion_remove) >= 0) ||
37 user_service->dequeue_pending) {
38 - DEBUG_TRACE(SERVICE_CALLBACK_LINE);
39 user_service->dequeue_pending = 0;
40 - return VCHIQ_SUCCESS;
41 + skip_completion = 1;
44 + spin_unlock(&msg_queue_spinlock);
46 + up(&user_service->insert_event);
51 + if (skip_completion) {
52 + DEBUG_TRACE(SERVICE_CALLBACK_LINE);
53 + return VCHIQ_SUCCESS;
56 DEBUG_TRACE(SERVICE_CALLBACK_LINE);
58 return add_completion(instance, reason, header, user_service,
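Review bot: The test that sets `skip_completion` now runs before `spin_unlock(&msg_queue_spinlock)`, but it still reads `instance->completion_remove` and `user_service->message_available_pos`, and nothing visible in this patch shows that the code updating those fields, or the code that sets `dequeue_pending`, takes the same lock. If any of those writers runs unlocked, the decision made here can presumably still be based on a stale value, so both sides are worth confirming before treating the race as closed. I would also record the locking rule next to the test, e.g. `/* dequeue_pending is protected by msg_queue_spinlock: decide here, return only after the unlock */`, so the deferred return through `skip_completion` is not later folded back into the locked region. service_callback's body starts and ends outside the hunk.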