From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 0750F35A92E; Fri, 9 Jan 2026 12:25:15 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1767961516; cv=none; b=D3+nedziPyq3k+W0SOE16nzAxkaWhXR8ka0udleZxMRMBVLelF7zBvWUI/pvg3xjJoues0hS9b8YZAD5W+B2rwK+ir3dRO4ssn9Fxna1Dx649wM6ugWl2mU3Lcp+rrgGbv/rEvo3u0pKrIv/6LhrMfyBZlQuBKPJRkvXx4vpKTE= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1767961516; c=relaxed/simple; bh=rzHyIRawzlRYeGDo2iq5PxmHdV+s1LwEZLo80kdEh+o=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=hPkvJtqlu5uCRuegU0G/inmnV66H7uKH7s3rW6kWU2uE7j25YBXtghu50gfMyjF1UspabO+PCXYJjI5XoL0dXjWTefTTCKci2nrk9ReNBRCmQWSzRH2a00eUAHtSJ/D9E8SgUuuurEDM1q93qVZTJTbmA4GpjLlQRra1DvXuTRg= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b=LVYghBjg; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b="LVYghBjg" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 4BDE4C4CEF1; Fri, 9 Jan 2026 12:25:15 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1767961515; bh=rzHyIRawzlRYeGDo2iq5PxmHdV+s1LwEZLo80kdEh+o=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=LVYghBjgBnS0YD75iqaMGEVfk0fDEtFu8EvwDBUDr9wBtkpQUAUR36oGBgIjlqfej bcDoDNTq4Yvc7DZuwpZZszAeOGs4pAGHEzIo0dFWjcxAYEqG1BgkZBEN4hwoCNOQyC nG3JNWxG9D0FoOQCI7PuhACTBlBvsI1HMznMgx58= From: Greg Kroah-Hartman To: stable@vger.kernel.org Cc: Greg Kroah-Hartman , patches@lists.linux.dev, Mainak Sen , Mikko Perttunen , Thierry Reding , Sasha Levin Subject: [PATCH 6.1 042/634] gpu: host1x: Fix race in syncpt alloc/free Date: Fri, 9 Jan 2026 12:35:20 +0100 Message-ID: <20260109112119.029864705@linuxfoundation.org> X-Mailer: git-send-email 2.52.0 In-Reply-To: <20260109112117.407257400@linuxfoundation.org> References: <20260109112117.407257400@linuxfoundation.org> User-Agent: quilt/0.69 X-stable: review X-Patchwork-Hint: ignore Precedence: bulk X-Mailing-List: stable@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit 6.1-stable review patch. If anyone has any objections, please let me know. ------------------ From: Mainak Sen [ Upstream commit c7d393267c497502fa737607f435f05dfe6e3d9b ] Fix race condition between host1x_syncpt_alloc() and host1x_syncpt_put() by using kref_put_mutex() instead of kref_put() + manual mutex locking. This ensures no thread can acquire the syncpt_mutex after the refcount drops to zero but before syncpt_release acquires it. This prevents races where syncpoints could be allocated while still being cleaned up from a previous release. Remove explicit mutex locking in syncpt_release as kref_put_mutex() handles this atomically. Signed-off-by: Mainak Sen Fixes: f5ba33fb9690 ("gpu: host1x: Reserve VBLANK syncpoints at initialization") Signed-off-by: Mikko Perttunen Signed-off-by: Thierry Reding Link: https://lore.kernel.org/r/20250707-host1x-syncpt-race-fix-v1-1-28b0776e70bc@nvidia.com Signed-off-by: Sasha Levin --- drivers/gpu/host1x/syncpt.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/drivers/gpu/host1x/syncpt.c b/drivers/gpu/host1x/syncpt.c index f87a8705f5183..51a1d2f95621b 100644 --- a/drivers/gpu/host1x/syncpt.c +++ b/drivers/gpu/host1x/syncpt.c @@ -393,8 +393,6 @@ static void syncpt_release(struct kref *ref) sp->locked = false; - mutex_lock(&sp->host->syncpt_mutex); - host1x_syncpt_base_free(sp->base); kfree(sp->name); sp->base = NULL; @@ -417,7 +415,7 @@ void host1x_syncpt_put(struct host1x_syncpt *sp) if (!sp) return; - kref_put(&sp->ref, syncpt_release); + kref_put_mutex(&sp->ref, syncpt_release, &sp->host->syncpt_mutex); } EXPORT_SYMBOL(host1x_syncpt_put); -- 2.51.0