diff options
| author | Chris Wilson <chris@chris-wilson.co.uk> | 2013-12-04 09:52:06 -0500 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2014-01-09 15:24:22 -0500 |
| commit | ef1bd33b2131909475cca757eaa29d7f9b3bf7f2 (patch) | |
| tree | c183eef1954c8dedec0cda40c9f7192bccfe2bbb | |
| parent | 5c9dce6be58638a8457cf8ad6e84c5d4fe7431d6 (diff) | |
drm/i915: Hold mutex across i915_gem_release
commit 0d1430a3f4b7cfd8779b78740a4182321f3ca7f3 upstream.
Inorder to serialise the closing of the file descriptor and its
subsequent release of client requests with i915_gem_free_request(), we
need to hold the struct_mutex in i915_gem_release(). Failing to do so
has the potential to trigger an OOPS, later with a use-after-free.
Testcase: igt/gem_close_race
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=70874
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=71029
Reported-by: Eric Anholt <eric@anholt.net>
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| -rw-r--r-- | drivers/gpu/drm/i915/i915_dma.c | 2 | ||||
| -rw-r--r-- | drivers/gpu/drm/i915/i915_gem_context.c | 2 |
2 files changed, 2 insertions, 2 deletions
diff --git a/drivers/gpu/drm/i915/i915_dma.c b/drivers/gpu/drm/i915/i915_dma.c index 17d9b0b6afc5..6accd04b02a7 100644 --- a/drivers/gpu/drm/i915/i915_dma.c +++ b/drivers/gpu/drm/i915/i915_dma.c | |||
| @@ -1847,8 +1847,10 @@ void i915_driver_lastclose(struct drm_device * dev) | |||
| 1847 | 1847 | ||
| 1848 | void i915_driver_preclose(struct drm_device * dev, struct drm_file *file_priv) | 1848 | void i915_driver_preclose(struct drm_device * dev, struct drm_file *file_priv) |
| 1849 | { | 1849 | { |
| 1850 | mutex_lock(&dev->struct_mutex); | ||
| 1850 | i915_gem_context_close(dev, file_priv); | 1851 | i915_gem_context_close(dev, file_priv); |
| 1851 | i915_gem_release(dev, file_priv); | 1852 | i915_gem_release(dev, file_priv); |
| 1853 | mutex_unlock(&dev->struct_mutex); | ||
| 1852 | } | 1854 | } |
| 1853 | 1855 | ||
| 1854 | void i915_driver_postclose(struct drm_device *dev, struct drm_file *file) | 1856 | void i915_driver_postclose(struct drm_device *dev, struct drm_file *file) |
diff --git a/drivers/gpu/drm/i915/i915_gem_context.c b/drivers/gpu/drm/i915/i915_gem_context.c index 3bc8a58a8d5f..b10b1b1b4873 100644 --- a/drivers/gpu/drm/i915/i915_gem_context.c +++ b/drivers/gpu/drm/i915/i915_gem_context.c | |||
| @@ -291,10 +291,8 @@ void i915_gem_context_close(struct drm_device *dev, struct drm_file *file) | |||
| 291 | { | 291 | { |
| 292 | struct drm_i915_file_private *file_priv = file->driver_priv; | 292 | struct drm_i915_file_private *file_priv = file->driver_priv; |
| 293 | 293 | ||
| 294 | mutex_lock(&dev->struct_mutex); | ||
| 295 | idr_for_each(&file_priv->context_idr, context_idr_cleanup, NULL); | 294 | idr_for_each(&file_priv->context_idr, context_idr_cleanup, NULL); |
| 296 | idr_destroy(&file_priv->context_idr); | 295 | idr_destroy(&file_priv->context_idr); |
| 297 | mutex_unlock(&dev->struct_mutex); | ||
| 298 | } | 296 | } |
| 299 | 297 | ||
| 300 | static struct i915_hw_context * | 298 | static struct i915_hw_context * |