gpu: host1x: Assign intr waiter inside lock

Move the assignment of the ref out-pointer in host1x_intr_add_action
to happen within the spinlock. With the current arrangement,
it is possible for the waiter to complete before the assignment
has happened, which breaks horribly if the waiter completion
callback tries to use the reference.

In practice, there is currently no situation where this issue can
manifest -- it was first noticed with the upcoming DMA fence
implementation patches. As such this doesn't need to be backported.

Signed-off-by: Mikko Perttunen <mperttunen@nvidia.com>
Signed-off-by: Thierry Reding <treding@nvidia.com>

diff --git a/drivers/gpu/host1x/intr.c b/drivers/gpu/host1x/intr.c
index 69b0e8e41466cba1a343cf78190d5b1131c71133..6d1f3c0fdbe7779a07fb119d5ed780813507ad48 100644 (file)
--- a/drivers/gpu/host1x/intr.c
+++ b/drivers/gpu/host1x/intr.c
@@ -235,10 +235,11 @@ int host1x_intr_add_action(struct host1x *host, struct host1x_syncpt *syncpt,
                        host1x_hw_intr_enable_syncpt_intr(host, syncpt->id);
        }
 
-       spin_unlock(&syncpt->intr.lock);
-
        if (ref)
                *ref = waiter;
+
+       spin_unlock(&syncpt->intr.lock);
+
        return 0;
 }