From 7a47627a88faa692baa3f0eef220ef2c36162363 Mon Sep 17 00:00:00 2001
From: Erik Gilling <konkers@android.com>
Date: Thu, 11 Oct 2012 12:35:22 -0700
Subject: [PATCH] sync: protect unlocked access to fence status

Fence status is checked outside of locks in both sync_fence_wait and
sync_fence_poll.  This patch adds propper barrier protection in these
cases to avoid seeing stale status.

Change-Id: I9d8b6ce6accb415e797df58068a1ccd54e6be445
Signed-off-by: Erik Gilling <konkers@android.com>
---
 drivers/base/sync.c | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/drivers/base/sync.c b/drivers/base/sync.c
index 326e184a9bbd..4c5689ba56ce 100644
--- a/drivers/base/sync.c
+++ b/drivers/base/sync.c
@@ -556,6 +556,16 @@ int sync_fence_cancel_async(struct sync_fence *fence,
 }
 EXPORT_SYMBOL(sync_fence_cancel_async);
 
+static bool sync_fence_check(struct sync_fence *fence)
+{
+	/*
+	 * Make sure that reads to fence->status are ordered with the
+	 * wait queue event triggering
+	 */
+	smp_rmb();
+	return fence->status != 0;
+}
+
 int sync_fence_wait(struct sync_fence *fence, long timeout)
 {
 	int err = 0;
@@ -563,7 +573,7 @@ int sync_fence_wait(struct sync_fence *fence, long timeout)
 	if (timeout > 0) {
 		timeout = msecs_to_jiffies(timeout);
 		err = wait_event_interruptible_timeout(fence->wq,
-						       fence->status != 0,
+						       sync_fence_check(fence),
 						       timeout);
 	} else if (timeout < 0) {
 		err = wait_event_interruptible(fence->wq, fence->status != 0);
@@ -627,6 +637,12 @@ static unsigned int sync_fence_poll(struct file *file, poll_table *wait)
 
 	poll_wait(file, &fence->wq, wait);
 
+	/*
+	 * Make sure that reads to fence->status are ordered with the
+	 * wait queue event triggering
+	 */
+	smp_rmb();
+
 	if (fence->status == 1)
 		return POLLIN;
 	else if (fence->status < 0)
-- 
GitLab