Alistair Strachan committed 5a0383f

sync: Fix a race condition between release_obj and print_obj

Before this change, a timeline would only be removed from the timeline
list *after* the sync driver had its release_obj() called. However, the
driver's release_obj() may free resources needed by print_obj().

Although the timeline list is locked when print_obj() is called, it is
not locked when release_obj() is called. If one CPU was in print_obj()
when another was in release_obj(), the print_obj() may make unsafe

It is not actually necessary to hold the timeline list lock when calling
release_obj() if the call is made after the timeline is unlinked from
the list, since there is no possibility another thread could be in --
or enter -- print_obj() for that timeline.

This change moves the release_obj() call to after the timeline is
unlinked, preventing the above race from occurring.

Signed-off-by: Alistair Strachan <>

File drivers/base/sync.c

 		container_of(kref, struct sync_timeline, kref);
 	unsigned long flags;
-	if (obj->ops->release_obj)
-		obj->ops->release_obj(obj);
 	spin_lock_irqsave(&sync_timeline_list_lock, flags);
 	spin_unlock_irqrestore(&sync_timeline_list_lock, flags);
+	if (obj->ops->release_obj)
+		obj->ops->release_obj(obj);
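
Review bot: The moved release_obj() call at the end of this hunk has no comment saying why it must stay after spin_unlock_irqrestore(), so a later cleanup could move it back above the lock and reintroduce the race with print_obj(). Suggest a short comment above `if (obj->ops->release_obj)` stating that the timeline has to be unlinked from the list before the driver's release_obj() runs, because release_obj() may free resources that print_obj() uses. Separately, as displayed here nothing sits between spin_lock_irqsave() and spin_unlock_irqrestore(); the fix depends on the unlink happening inside that critical section, so please confirm the list removal is still between those two calls.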