From patchwork Fri Apr 22 20:10:28 2016
X-Patchwork-Submitter: Daniel Vetter
X-Patchwork-Id: 8915561
From: Daniel Vetter
To: Intel Graphics Development, DRI Development
Cc: Daniel Vetter, Daniel Vetter
Date: Fri, 22 Apr 2016 22:10:28 +0200
Message-Id: <1461355830-14338-2-git-send-email-daniel.vetter@ffwll.ch>
In-Reply-To: <1461355830-14338-1-git-send-email-daniel.vetter@ffwll.ch>
Subject: [Intel-gfx] [PATCH 2/4] drm: Fix fb leaks and WARN spew in get/set_prop ioctls

Dave Airlie had at least the refcount leak fixed in a later patch (but that patch does other things which need a bit more work). But we still have the trouble that silly userspace could hit the WARN_ON in drm_mode_object_find.

Fix this all up to make sure we don't leak objects, and don't spew into dmesg.

Fixes: d0f37cf62979 ("drm/mode: move framebuffer reference into object.")
Testcase: igt/kms_addfb_basic/invalid-*-prop*
Cc: Dave Airlie
Signed-off-by: Daniel Vetter
--- drivers/gpu/drm/drm_crtc.c | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/drivers/gpu/drm/drm_crtc.c b/drivers/gpu/drm/drm_crtc.c index 52e6001a40e4..4089c81fe710 100644 --- a/drivers/gpu/drm/drm_crtc.c +++ b/drivers/gpu/drm/drm_crtc.c
@@ -389,9 +389,7 @@ struct drm_mode_object *drm_mode_object_find(struct drm_device *dev, { struct drm_mode_object *obj = NULL; - /* Framebuffers are reference counted and need their own lookup - * function.*/ - WARN_ON(type == DRM_MODE_OBJECT_FB || type == DRM_MODE_OBJECT_BLOB); + WARN_ON(type == DRM_MODE_OBJECT_BLOB); obj = _object_find(dev, id, type); return obj; } @@ -5005,7 +5003,7 @@ int drm_mode_obj_get_properties_ioctl(struct drm_device *dev, void *data, } if (!obj->properties) { ret = -EINVAL; - goto out; + goto out_unref; } ret = get_properties(obj, file_priv->atomic, @@ -5013,6 +5011,8 @@ int drm_mode_obj_get_properties_ioctl(struct drm_device *dev, void *data, (uint64_t __user *)(unsigned long)(arg->prop_values_ptr), &arg->count_props); +out_unref: + drm_mode_object_unreference(obj); out: drm_modeset_unlock_all(dev); return ret; @@ -5055,20 +5055,20 @@ int drm_mode_obj_set_property_ioctl(struct drm_device *dev, void *data, goto out; } if (!arg_obj->properties) - goto out; + goto out_unref; for (i = 0; i < arg_obj->properties->count; i++) if (arg_obj->properties->properties[i]->base.id == arg->prop_id) break; if (i == arg_obj->properties->count) - goto out; + goto out_unref; prop_obj = drm_mode_object_find(dev, arg->prop_id, DRM_MODE_OBJECT_PROPERTY); if (!prop_obj) { ret = -ENOENT; - goto out; + goto out_unref; } property = obj_to_property(prop_obj); @@ -5091,6 +5091,8 @@ int drm_mode_obj_set_property_ioctl(struct drm_device *dev, void *data, drm_property_change_valid_put(property, ref); +out_unref: + drm_mode_object_unreference(arg_obj); out: drm_modeset_unlock_all(dev); return ret;
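
Review bot: In the drm_mode_object_find hunk (@@ -389,9), the WARN_ON(type == DRM_MODE_OBJECT_BLOB) that stays behind is reachable in the same way the commit message describes for framebuffers if any caller passes an object type that comes from userspace. If the get/set_prop ioctls hand their object type straight to this lookup, reject the blob type with an error before calling it, or state in the commit message why a blob type cannot arrive here. The deleted comment was also the only explanation for the check, so a one-line comment on why blobs still need their own lookup, and a note that callers must now pair a successful lookup with drm_mode_object_unreference(), would keep the contract documented.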
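
Review bot: In the drm_mode_obj_set_property_ioctl hunk (@@ -5055,20), prop_obj is obtained through the same drm_mode_object_find() as the object that now needs an unreference, yet the new out_unref label only drops arg_obj. If the lookup can take a reference on property objects, prop_obj leaks on every path after the lookup succeeds; if it cannot, a short comment at the lookup saying so would spare the next reader from checking. Separately, the two bare "goto out_unref" exits in this hunk (missing properties, property id not found) depend on whatever ret was initialised to outside the visible lines, while the get_properties ioctl sets ret = -EINVAL explicitly for the same condition; setting ret at each exit here would make the two ioctls consistent.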