@@ -294,18 +294,21 @@ drm_gem_handle_delete(struct drm_file *filp, u32 handle)
spin_lock(&filp->table_lock);
/* Check if we currently have a reference on the object */
- obj = idr_find(&filp->object_idr, handle);
- if (obj == NULL) {
+ obj = idr_replace(&filp->object_idr, ERR_PTR(-ENOENT), handle);
+ if (IS_ERR(obj)) {
spin_unlock(&filp->table_lock);
return -EINVAL;
}
dev = obj->dev;
+ spin_unlock(&filp->table_lock);
/* Release reference and decrement refcount. */
+ drm_gem_object_release_handle(handle, obj, filp);
+
+ spin_lock(&filp->table_lock);
idr_remove(&filp->object_idr, handle);
spin_unlock(&filp->table_lock);
- drm_gem_object_release_handle(handle, obj, filp);
return 0;
}
EXPORT_SYMBOL(drm_gem_handle_delete);
@@ -597,7 +600,7 @@ drm_gem_object_lookup(struct drm_device *dev, struct drm_file *filp,
/* Check if we currently have a reference on the object */
obj = idr_find(&filp->object_idr, handle);
- if (obj == NULL) {
+ if (IS_ERR_OR_NULL(obj)) {
spin_unlock(&filp->table_lock);
return NULL;
}
@@ -78,7 +78,7 @@ static int submit_lookup_objects(struct etnaviv_gem_submit *submit,
* all under single table_lock just hit object_idr directly:
*/
obj = idr_find(&file->object_idr, bo->handle);
- if (!obj) {
+ if (IS_ERR_OR_NULL(obj)) {
DRM_ERROR("invalid handle %u at index %u\n",
bo->handle, i);
ret = -EINVAL;
@@ -106,7 +106,7 @@ eb_lookup_vmas(struct eb_vmas *eb,
* or create the VMA without using GFP_ATOMIC */
for (i = 0; i < args->buffer_count; i++) {
obj = to_intel_bo(idr_find(&file->object_idr, exec[i].handle));
- if (obj == NULL) {
+ if (IS_ERR_OR_NULL(obj)) {
spin_unlock(&file->table_lock);
DRM_DEBUG("Invalid object handle %d at index %d\n",
exec[i].handle, i);
@@ -90,7 +90,7 @@ static int submit_lookup_objects(struct msm_gem_submit *submit,
* all under single table_lock just hit object_idr directly:
*/
obj = idr_find(&file->object_idr, submit_bo.handle);
- if (!obj) {
+ if (IS_ERR_OR_NULL(obj)) {
DRM_ERROR("invalid handle %u at index %u\n", submit_bo.handle, i);
ret = -EINVAL;
goto out_unlock;
@@ -494,7 +494,7 @@ vc4_cl_lookup_bos(struct drm_device *dev,
for (i = 0; i < exec->bo_count; i++) {
struct drm_gem_object *bo = idr_find(&file_priv->object_idr,
handles[i]);
- if (!bo) {
+ if (IS_ERR_OR_NULL(bo)) {
DRM_ERROR("Failed to look up GEM BO %d: %d\n",
i, handles[i]);
ret = -EINVAL;
When userspace closes a handle, we remove it from the file->object_idr and then tell the driver to drop its references to that file/handle. However, as the file/handle is already available again for reuse, it may be reallocated back to userspace and active on a new object before the driver has had a chance to drop the old file/handle references. Whilst calling back into the driver, we have to drop the file->table_lock spinlock and so to prevent reusing the closed handle we mark that handle as stale in the idr, perform the callback and then remove the handle. It is then possible for a lookup on that handle to return an error object and so all callers of idr_find(file->object_idr) need to check against IS_ERR_OR_NULL() instead. Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk> Cc: dri-devel@lists.freedesktop.org Cc: David Airlie <airlied@linux.ie> Cc: Lucas Stach <l.stach@pengutronix.de> Cc: Russell King <linux+etnaviv@arm.linux.org.uk> Cc: Christian Gmeiner <christian.gmeiner@gmail.com> Cc: Daniel Vetter <daniel.vetter@intel.com> Cc: Jani Nikula <jani.nikula@linux.intel.com> Cc: Rob Clark <robdclark@gmail.com> Cc: Eric Anholt <eric@anholt.net> Cc: Dan Carpenter <dan.carpenter@oracle.com> Cc: Ville Syrjälä <ville.syrjala@linux.intel.com> --- drivers/gpu/drm/drm_gem.c | 11 +++++++---- drivers/gpu/drm/etnaviv/etnaviv_gem_submit.c | 2 +- drivers/gpu/drm/i915/i915_gem_execbuffer.c | 2 +- drivers/gpu/drm/msm/msm_gem_submit.c | 2 +- drivers/gpu/drm/vc4/vc4_gem.c | 2 +- 5 files changed, 11 insertions(+), 8 deletions(-)