In my review of

commit 98f75de40e9d83c3a90d294b8fd25fa2874212a9
Author: Rob Clark <robdcl...@gmail.com>
Date:   Fri May 30 11:37:03 2014 -0400

    drm: add object property typ

I asked for a check to make sure that we never leak an fb from the
generic mode object lookup since those have completely different
lifetime rules. Rob added it, but outside of the idr mutex, which
means that our dereference of obj->type can already chase free'd
memory.

Somehow I didn't spot this, so fix this asap.

Cc: Rob Clark <robdcl...@gmail.com>
Signed-off-by: Daniel Vetter <daniel.vet...@ffwll.ch>
---
 drivers/gpu/drm/drm_crtc.c      | 6 +++---
 drivers/gpu/drm/drm_fb_helper.c | 1 +
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/drivers/gpu/drm/drm_crtc.c b/drivers/gpu/drm/drm_crtc.c
index f0a777747907..853ab9cad071 100644
--- a/drivers/gpu/drm/drm_crtc.c
+++ b/drivers/gpu/drm/drm_crtc.c
@@ -429,6 +429,9 @@ static struct drm_mode_object *_object_find(struct 
drm_device *dev,
        if (!obj || (type != DRM_MODE_OBJECT_ANY && obj->type != type) ||
            (obj->id != id))
                obj = NULL;
+       /* don't leak out unref'd fb's */
+       if (obj && (obj->type == DRM_MODE_OBJECT_FB))
+               obj = NULL;
        mutex_unlock(&dev->mode_config.idr_mutex);
 
        return obj;
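Review bot: the framebuffer rejection added just before mutex_unlock() in _object_find() now applies to every caller of this static helper, not only drm_mode_object_find(), and nothing at the function says so. The comment "don't leak out unref'd fb's" should also state why the test has to sit under idr_mutex: as the commit message explains, obj->type cannot be dereferenced safely once the lock is dropped. Saying that in the comment keeps a later cleanup from moving the check back out. A one-line note above _object_find() that it never returns framebuffers would help too.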
@@ -454,9 +457,6 @@ struct drm_mode_object *drm_mode_object_find(struct 
drm_device *dev,
         * function.*/
        WARN_ON(type == DRM_MODE_OBJECT_FB);
        obj = _object_find(dev, id, type);
-       /* don't leak out unref'd fb's */
-       if (obj && (obj->type == DRM_MODE_OBJECT_FB))
-               obj = NULL;
        return obj;
 }
 EXPORT_SYMBOL(drm_mode_object_find);
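Review bot: with the fb check removed from drm_mode_object_find(), the tail of the function only assigns obj and returns it, as far as the visible lines show. It could be reduced to a direct return _object_find(dev, id, type); after the WARN_ON, dropping the local if nothing else uses it.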
diff --git a/drivers/gpu/drm/drm_fb_helper.c b/drivers/gpu/drm/drm_fb_helper.c
index d5d8cea1a679..ff586ae3d92a 100644
--- a/drivers/gpu/drm/drm_fb_helper.c
+++ b/drivers/gpu/drm/drm_fb_helper.c
@@ -303,6 +303,7 @@ static bool restore_fbdev_mode(struct drm_fb_helper 
*fb_helper)
        }
        return error;
 }
+
 /**
  * drm_fb_helper_restore_fbdev_mode - restore fbdev configuration
  * @fb_helper: fbcon to restore
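Review bot: the blank line added before the kerneldoc comment of drm_fb_helper_restore_fbdev_mode in drm_fb_helper.c is unrelated to the idr_mutex fix and is not mentioned in the commit message. Drop it from this patch or send it as a separate whitespace cleanup, so that a fix described as urgent stays limited to drm_crtc.c.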
-- 
2.0.1
