From patchwork Thu Jul 24 10:12:45 2014
X-Patchwork-Submitter: Daniel Vetter
X-Patchwork-Id: 4616291
From: Daniel Vetter
To: Intel Graphics Development
Subject: [PATCH] drm: Fix race when checking for fb in the generic kms obj lookup
Date: Thu, 24 Jul 2014 12:12:45 +0200
Message-Id: <1406196765-2428-1-git-send-email-daniel.vetter@ffwll.ch>
In-Reply-To: <20140724080829.GH29372@nuc-i3427.alporthouse.com>
References: <20140724080829.GH29372@nuc-i3427.alporthouse.com>
Cc: Daniel Vetter, DRI Development

In my review of

commit 98f75de40e9d83c3a90d294b8fd25fa2874212a9
Author: Rob Clark
Date: Fri May 30 11:37:03 2014 -0400

    drm: add object property typ

I asked for a check to make sure that we never leak an fb from the
generic mode object lookup since those have completely different
lifetime rules.

Rob added it, but outside of the idr mutex, which means that our
dereference of obj->type can already chase free'd memory.

Somehow I didn't spot this, so fix this asap.

v2: Simplify the conditionals as suggested by Chris.

Cc: Rob Clark
Cc: Chris Wilson
Signed-off-by: Daniel Vetter
Reviewed-by: Rob Clark
--- drivers/gpu/drm/drm_crtc.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/drivers/gpu/drm/drm_crtc.c b/drivers/gpu/drm/drm_crtc.c index f0a777747907..d87df8836aa5 100644 --- a/drivers/gpu/drm/drm_crtc.c +++ b/drivers/gpu/drm/drm_crtc.c 
@@ -426,8 +426,12 @@ static struct drm_mode_object *_object_find(struct drm_device *dev, mutex_lock(&dev->mode_config.idr_mutex); obj = idr_find(&dev->mode_config.crtc_idr, id); - if (!obj || (type != DRM_MODE_OBJECT_ANY && obj->type != type) || - (obj->id != id)) + if (obj && type != DRM_MODE_OBJECT_ANY && obj->type != type) + obj = NULL; + if (obj && obj->id != id) + obj = NULL; + /* don't leak out unref'd fb's */ + if (obj && (obj->type == DRM_MODE_OBJECT_FB)) obj = NULL; mutex_unlock(&dev->mode_config.idr_mutex); @@ -454,9 +458,6 @@ struct drm_mode_object *drm_mode_object_find(struct drm_device *dev, * function.*/ WARN_ON(type == DRM_MODE_OBJECT_FB); obj = _object_find(dev, id, type); - /* don't leak out unref'd fb's */ - if (obj && (obj->type == DRM_MODE_OBJECT_FB)) - obj = NULL; return obj; } EXPORT_SYMBOL(drm_mode_object_find);
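Review bot: In the _object_find hunk, the fb check now applies to every caller of this static helper, and a lookup with type == DRM_MODE_OBJECT_FB passes the first test only to be set to NULL by the last one, so it can never succeed. Please confirm that no other caller of _object_find expects framebuffers back, and expand `/* don't leak out unref'd fb's */` (or add a comment above the function) to say that fbs are never returned because the pointer is handed out after mutex_unlock and fbs follow different lifetime rules than the other mode objects. Minor style point: the parentheses around `obj->type == DRM_MODE_OBJECT_FB` are redundant and inconsistent with the two new conditions above it.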
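Review bot: In the drm_mode_object_find hunk, with the fb check removed the local is only assigned and then returned, so `obj = _object_find(dev, id, type); return obj;` can collapse to `return _object_find(dev, id, type);` and the local can go. The remaining `WARN_ON(type == DRM_MODE_OBJECT_FB)` only catches an explicit fb type, so the comment above it should mention that DRM_MODE_OBJECT_ANY lookups are filtered inside _object_find under idr_mutex, since that guarantee is no longer visible in this function.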