From ac4f0901e50673e27a0490717c0f0045f8b2b55e Mon Sep 17 00:00:00 2001
From: Daniel Vetter
Date: Thu, 24 Jul 2014 12:12:45 +0200
Subject: [PATCH] drm: Fix race when checking for fb in the generic kms obj lookup

In my review of

commit 99d17424d264658dace8ca19348783ca0665a343
Author: Rob Clark
Date: Fri May 30 11:37:03 2014 -0400

    drm: add object property typ

I asked for a check to make sure that we never leak an fb from the generic mode object lookup since those have completely different lifetime rules. Rob added it, but outside of the idr mutex, which means that our dereference of obj->type can already chase free'd memory. Somehow I didn't spot this, so fix this asap.

v2: Simplify the conditionals as suggested by Chris.

Cc: Rob Clark
Cc: Chris Wilson
Signed-off-by: Daniel Vetter
Reviewed-by: Rob Clark
Signed-off-by: Dave Airlie
---
 drivers/gpu/drm/drm_crtc.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/drivers/gpu/drm/drm_crtc.c b/drivers/gpu/drm/drm_crtc.c
index 3c4a62169f288..fa2be249999c7 100644
--- a/drivers/gpu/drm/drm_crtc.c
+++ b/drivers/gpu/drm/drm_crtc.c
@@ -446,8 +446,12 @@ static struct drm_mode_object *_object_find(struct drm_device *dev,
 	mutex_lock(&dev->mode_config.idr_mutex);
 	obj = idr_find(&dev->mode_config.crtc_idr, id);
-	if (!obj || (type != DRM_MODE_OBJECT_ANY && obj->type != type) ||
-	    (obj->id != id))
+	if (obj && type != DRM_MODE_OBJECT_ANY && obj->type != type)
+		obj = NULL;
+	if (obj && obj->id != id)
+		obj = NULL;
+	/* don't leak out unref'd fb's */
+	if (obj && (obj->type == DRM_MODE_OBJECT_FB))
 		obj = NULL;
 	mutex_unlock(&dev->mode_config.idr_mutex);
@@ -474,9 +478,6 @@ struct drm_mode_object *drm_mode_object_find(struct drm_device *dev,
 	 * function.*/
 	WARN_ON(type == DRM_MODE_OBJECT_FB);
 	obj = _object_find(dev, id, type);
-	/* don't leak out unref'd fb's */
-	if (obj && (obj->type == DRM_MODE_OBJECT_FB))
-		obj = NULL;
 	return obj;
 }
 EXPORT_SYMBOL(drm_mode_object_find);
-- 
2.39.5
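Review bot: The moved comment `/* don't leak out unref'd fb's */` in the first hunk of _object_find does not record why the check has to sit inside the idr_mutex critical section, which is the whole point of the fix and the thing a later refactor is most likely to undo; I would extend it to `/* don't leak out unref'd fb's: fbs are refcounted separately, so obj may be freed as soon as idr_mutex is dropped — the type check must stay under the lock */`. With the filter now applied to every caller of _object_find, a caller passing type == DRM_MODE_OBJECT_FB directly silently gets NULL, while the WARN_ON that flags such misuse survives only in drm_mode_object_find (second hunk); if other callers of _object_find exist, a matching WARN_ON inside _object_find, or a one-line comment stating that FB lookups are deliberately rejected here, would make that contract visible at the point where it is enforced. The enclosing function _object_find begins before the hunk, and drm_mode_object_find's opening is outside the second hunk as well.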