From patchwork Wed Aug 6 01:22:46 2014 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Mario Kleiner X-Patchwork-Id: 4682851 Return-Path: X-Original-To: patchwork-dri-devel@patchwork.kernel.org Delivered-To: patchwork-parsemail@patchwork2.web.kernel.org Received: from mail.kernel.org (mail.kernel.org [198.145.19.201]) by patchwork2.web.kernel.org (Postfix) with ESMTP id D6F5DC0338 for ; Wed, 6 Aug 2014 01:23:57 +0000 (UTC) Received: from mail.kernel.org (localhost [127.0.0.1]) by mail.kernel.org (Postfix) with ESMTP id 1520A20173 for ; Wed, 6 Aug 2014 01:23:57 +0000 (UTC) Received: from gabe.freedesktop.org (gabe.freedesktop.org [131.252.210.177]) by mail.kernel.org (Postfix) with ESMTP id 33BCC20170 for ; Wed, 6 Aug 2014 01:23:56 +0000 (UTC) Received: from gabe.freedesktop.org (localhost [127.0.0.1]) by gabe.freedesktop.org (Postfix) with ESMTP id 3FF306E56D; Tue, 5 Aug 2014 18:23:55 -0700 (PDT) X-Original-To: dri-devel@lists.freedesktop.org Delivered-To: dri-devel@lists.freedesktop.org Received: from mail-wg0-f41.google.com (mail-wg0-f41.google.com [74.125.82.41]) by gabe.freedesktop.org (Postfix) with ESMTP id E7FB56E56D for ; Tue, 5 Aug 2014 18:23:52 -0700 (PDT) Received: by mail-wg0-f41.google.com with SMTP id z12so1852527wgg.12 for ; Tue, 05 Aug 2014 18:23:52 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=3DImZrxfTAX6X22Du1pYbvjvnDbN3nzilBSjtWoKUmQ=; b=rQfUPxPj5TX38hptPz4J4HYB8XE+4g4DK+cRfxfcFo+0NNfvJPn5I8uF+wS371uuSP qfdGvAa7i/7Uot5vfAueaUPad3f5u8VqKYj+xDroJH7RAr/5LVPfrNcAWQ+c0m7/UXma G61z6FzeRZWTt++Bu+RsetteAxfQw6pn0byRqbPgf8y667QJqXf5TYvpNzLPT3Ga0q5u G7pYIO0hU8kLcxkQz2pLwBpa54kOheQ4D8BH1ryoY176d36j+Ka7RWR8apYIlpDUJmcw QSkNz0eVFUthfxdUepqYQm4hMON7ImoW0N6EPVoeyliq0D4EhkELS9K92h2Si7nmFrjG TxEA== X-Received: by 10.194.84.105 with SMTP id x9mr960370wjy.67.1407288232156; Tue, 05 Aug 2014 18:23:52 -0700 (PDT) Received: from twisty.fritz.box (stgt-4d02fac6.pool.mediaWays.net. [77.2.250.198]) by mx.google.com with ESMTPSA id wi9sm7913539wjc.23.2014.08.05.18.23.50 for (version=TLSv1.2 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Tue, 05 Aug 2014 18:23:51 -0700 (PDT) From: Mario Kleiner To: dri-devel@lists.freedesktop.org Subject: [PATCH 3/3] drm: Use vblank_disable_and_save in drm_vblank_cleanup() Date: Wed, 6 Aug 2014 03:22:46 +0200 Message-Id: <1407288166-19881-4-git-send-email-mario.kleiner.de@gmail.com> X-Mailer: git-send-email 1.9.1 In-Reply-To: <1407288166-19881-1-git-send-email-mario.kleiner.de@gmail.com> References: <1407288166-19881-1-git-send-email-mario.kleiner.de@gmail.com> Cc: airlied@redhat.com, stable@vger.kernel.org X-BeenThere: dri-devel@lists.freedesktop.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Direct Rendering Infrastructure - Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: dri-devel-bounces@lists.freedesktop.org Sender: "dri-devel" X-Spam-Status: No, score=-4.8 required=5.0 tests=BAYES_00, DKIM_ADSP_CUSTOM_MED, DKIM_SIGNED, FREEMAIL_FROM, RCVD_IN_DNSWL_MED, RP_MATCHES_RCVD, T_DKIM_INVALID, UNPARSEABLE_RELAY autolearn=unavailable version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP Calling vblank_disable_fn() will cause that function to no-op if !dev->vblank_disable_allowed for some kms drivers, e.g., on nouveau-kms. This can cause the gpu vblank irq's to not get disabled before freeing the dev->vblank array, so if a vblank irq fires and calls into drm_handle_vblank() after drm_vblank_cleanup() completes, it will cause use-after-free access to dev->vblank array. Call vblank_disable_and_save unconditionally, so vblank irqs are guaranteed to be off, before we delete the data structures on which they operate. Signed-off-by: Mario Kleiner Cc: stable@vger.kernel.org Reviewed-by: Ville Syrjälä --- drivers/gpu/drm/drm_irq.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/drivers/gpu/drm/drm_irq.c b/drivers/gpu/drm/drm_irq.c index 89e91e3..22e2bba9 100644 --- a/drivers/gpu/drm/drm_irq.c +++ b/drivers/gpu/drm/drm_irq.c @@ -164,6 +164,7 @@ static void vblank_disable_fn(unsigned long arg) void drm_vblank_cleanup(struct drm_device *dev) { int crtc; + unsigned long irqflags; /* Bail if the driver didn't call drm_vblank_init() */ if (dev->num_crtcs == 0) @@ -171,7 +172,9 @@ void drm_vblank_cleanup(struct drm_device *dev) for (crtc = 0; crtc < dev->num_crtcs; crtc++) { del_timer_sync(&dev->vblank[crtc].disable_timer); - vblank_disable_fn((unsigned long)&dev->vblank[crtc]); + spin_lock_irqsave(&dev->vbl_lock, irqflags); + vblank_disable_and_save(dev, crtc); + spin_unlock_irqrestore(&dev->vbl_lock, irqflags); } kfree(dev->vblank);