Message ID | 20180903093155.3825-1-chris@chris-wilson.co.uk (mailing list archive) |
---|---|
State | New, archived |
Series | drm: Remove "protection" around drm_vma_offset_manager_destroy() |
On Mon, Sep 03, 2018 at 10:31:55AM +0100, Chris Wilson wrote: > Using a spinlock to serialize the destroy function, within the destroy > function itself does not prevent the buggy driver from shooting > themselves in the foot - either way they still have a use-after-free > issue. > > Reported-by: Jia-Ju Bai <baijiaju1990@gmail.com> > Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk> > Cc: Davidlohr Bueso <dave@stgolabs.net> > Cc: Liviu Dudau <Liviu.Dudau@arm.com> > Cc: Daniel Vetter <daniel.vetter@ffwll.ch> Ah, now I understand a bit more ... Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch> > --- > drivers/gpu/drm/drm_vma_manager.c | 3 --- > 1 file changed, 3 deletions(-) > > diff --git a/drivers/gpu/drm/drm_vma_manager.c b/drivers/gpu/drm/drm_vma_manager.c > index a6b2fe36b025..c5d0d2358301 100644 > --- a/drivers/gpu/drm/drm_vma_manager.c > +++ b/drivers/gpu/drm/drm_vma_manager.c > @@ -103,10 +103,7 @@ EXPORT_SYMBOL(drm_vma_offset_manager_init); > */ > void drm_vma_offset_manager_destroy(struct drm_vma_offset_manager *mgr) > { > - /* take the lock to protect against buggy drivers */ > - write_lock(&mgr->vm_lock); > drm_mm_takedown(&mgr->vm_addr_space_mm); > - write_unlock(&mgr->vm_lock); > } > EXPORT_SYMBOL(drm_vma_offset_manager_destroy); > > -- > 2.19.0.rc1 >
diff --git a/drivers/gpu/drm/drm_vma_manager.c b/drivers/gpu/drm/drm_vma_manager.c index a6b2fe36b025..c5d0d2358301 100644 --- a/drivers/gpu/drm/drm_vma_manager.c +++ b/drivers/gpu/drm/drm_vma_manager.c @@ -103,10 +103,7 @@ EXPORT_SYMBOL(drm_vma_offset_manager_init); */ void drm_vma_offset_manager_destroy(struct drm_vma_offset_manager *mgr) { - /* take the lock to protect against buggy drivers */ - write_lock(&mgr->vm_lock); drm_mm_takedown(&mgr->vm_addr_space_mm); - write_unlock(&mgr->vm_lock); } EXPORT_SYMBOL(drm_vma_offset_manager_destroy);
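Review bot: In drm_vma_offset_manager_destroy(), once the "take the lock to protect against buggy drivers" comment is removed, nothing at this site states what the caller must guarantee. Consider adding a sentence to the kernel-doc block that closes just above the function, saying that no other user of mgr may be running or able to start when destroy is called, since drm_mm_takedown(&mgr->vm_addr_space_mm) now runs without vm_lock held. The removal itself looks right from the visible lines: the write_lock/write_unlock pair was dropped before the function returned, so any path that took vm_lock afterwards would still have operated on a torn-down manager.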
Using a spinlock to serialize the destroy function, within the destroy function itself does not prevent the buggy driver from shooting themselves in the foot - either way they still have a use-after-free issue.

Reported-by: Jia-Ju Bai <baijiaju1990@gmail.com>
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Cc: Davidlohr Bueso <dave@stgolabs.net>
Cc: Liviu Dudau <Liviu.Dudau@arm.com>
Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
---
drivers/gpu/drm/drm_vma_manager.c | 3 ---
1 file changed, 3 deletions(-)