From 168c02ec06f891990617cee2abbba70858c071e7 Mon Sep 17 00:00:00 2001
From: Daniel Vetter
Date: Thu, 24 Jul 2014 12:12:45 +0200
Subject: drm: Fix race when checking for fb in the generic kms obj lookup

In my review of commit 98f75de40e9d83c3a90d294b8fd25fa2874212a9
Author: Rob Clark
Date: Fri May 30 11:37:03 2014 -0400

    drm: add object property typ

I asked for a check to make sure that we never leak an fb from the generic mode object lookup since those have completely different lifetime rules. Rob added it, but outside of the idr mutex, which means that our dereference of obj->type can already chase free'd memory. Somehow I didn't spot this, so fix this asap.

v2: Simplify the conditionals as suggested by Chris.

Cc: Rob Clark
Cc: Chris Wilson
Signed-off-by: Daniel Vetter
Reviewed-by: Rob Clark
Signed-off-by: Dave Airlie

diff --git a/drivers/gpu/drm/drm_crtc.c b/drivers/gpu/drm/drm_crtc.c
index 3c4a621..fa2be24 100644
--- a/drivers/gpu/drm/drm_crtc.c
+++ b/drivers/gpu/drm/drm_crtc.c
@@ -446,8 +446,12 @@ static struct drm_mode_object *_object_find(struct drm_device *dev,
 	mutex_lock(&dev->mode_config.idr_mutex);
 	obj = idr_find(&dev->mode_config.crtc_idr, id);
-	if (!obj || (type != DRM_MODE_OBJECT_ANY && obj->type != type) ||
-	    (obj->id != id))
+	if (obj && type != DRM_MODE_OBJECT_ANY && obj->type != type)
+		obj = NULL;
+	if (obj && obj->id != id)
+		obj = NULL;
+	/* don't leak out unref'd fb's */
+	if (obj && (obj->type == DRM_MODE_OBJECT_FB))
 		obj = NULL;
 	mutex_unlock(&dev->mode_config.idr_mutex);
@@ -474,9 +478,6 @@ struct drm_mode_object *drm_mode_object_find(struct drm_device *dev,
 	 * function.*/
 	WARN_ON(type == DRM_MODE_OBJECT_FB);
 	obj = _object_find(dev, id, type);
-	/* don't leak out unref'd fb's */
-	if (obj && (obj->type == DRM_MODE_OBJECT_FB))
-		obj = NULL;
 	return obj;
 }
 EXPORT_SYMBOL(drm_mode_object_find);
-- 
cgit v0.10.2
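Review bot: The comment `/* don't leak out unref'd fb's */` carried into _object_find in the first hunk does not record why the check now has to sit inside the idr_mutex critical section, which is the whole reason for moving it: per the commit message, fbs follow separate, refcounted lifetime rules, so once the mutex is dropped the object found through the idr may already be freed and the later `obj->type` dereference races with that free. Suggest extending it to `/* don't leak out unref'd fb's: fbs have their own refcounted lifetime, so obj may be freed as soon as idr_mutex is dropped — keep this check under the lock */`, so the next refactor does not hoist it back out. A side effect of the move is that any caller passing DRM_MODE_OBJECT_FB explicitly to _object_find now always gets NULL; the WARN_ON in drm_mode_object_find (second hunk) documents that for its own entry point, but other callers of _object_find, if any, are outside this diff. _object_find itself begins before the hunk.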