[PATCH 1/2] drm: fix idr_remove warning during fuzzing
Dave Airlie
airlied at gmail.com
Tue Feb 19 15:40:11 PST 2013
From: Dave Airlie <airlied at redhat.com>
Look up the context first to see if it's valid before trying to remove it.
Saw this WARNING a few times while fuzzing the kernel with Trinity in
a qemu virtual machine:
[ 22.883257] idr_remove called for id=4096 which is not allocated.
[ 22.884487] Pid: 2303, comm: trinity-child1 Not tainted 3.8.0+ #87
[ 22.885601] Call Trace:
[ 22.886080] [<ffffffff8134b111>] idr_remove+0x131/0x1f0
[ 22.887107] [<ffffffff8143c678>] drm_ctxbitmap_free+0x38/0x50
[ 22.888158] [<ffffffff8143cbd3>] drm_rmctx+0x63/0x100
[ 22.889091] [<ffffffff8143d710>] drm_ioctl+0x3d0/0x4d0
[ 22.890034] [<ffffffff8143cb70>] ? drm_newctx+0xb0/0xb0
[ 22.890970] [<ffffffff812fb640>] ? avc_has_perm_flags+0x1d0/0x2a0
[ 22.892127] [<ffffffff812fb498>] ? avc_has_perm_flags+0x28/0x2a0
[ 22.893218] [<ffffffff810f5b18>] ? trace_hardirqs_off_caller+0x28/0xd0
[ 22.894401] [<ffffffff810f5bcd>] ? trace_hardirqs_off+0xd/0x10
[ 22.895461] [<ffffffff811b5ff2>] do_vfs_ioctl+0x532/0x580
[ 22.896447] [<ffffffff812fc7d3>] ? file_has_perm+0x83/0xa0
[ 22.897453] [<ffffffff811b609d>] sys_ioctl+0x5d/0xa0
[ 22.898429] [<ffffffff813571de>] ? trace_hardirqs_on_thunk+0x3a/0x3f
[ 22.899629] [<ffffffff81ca07e9>] system_call_fastpath+0x16/0x1b
Reported-by: Tommi Rantala <tt.rantala at gmail.com>
Signed-off-by: Dave Airlie <airlied at redhat.com>
---
drivers/gpu/drm/drm_context.c | 7 +++++++
1 files changed, 7 insertions(+), 0 deletions(-)
diff --git a/drivers/gpu/drm/drm_context.c b/drivers/gpu/drm/drm_context.c
index 45adf97..a186563 100644
--- a/drivers/gpu/drm/drm_context.c
+++ b/drivers/gpu/drm/drm_context.c
@@ -438,6 +438,13 @@ int drm_rmctx(struct drm_device *dev, void *data,
DRM_DEBUG("%d\n", ctx->handle);
if (ctx->handle != DRM_KERNEL_CONTEXT) {
+ struct drm_local_map *map;
+ mutex_lock(&dev->struct_mutex);
+ map = idr_find(&dev->ctx_idr, ctx->handle);
+ mutex_unlock(&dev->struct_mutex);
+
+ if (!map)
+ return -EINVAL;
if (dev->driver->context_dtor)
dev->driver->context_dtor(dev, ctx->handle);
drm_ctxbitmap_free(dev, ctx->handle);
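Review bot: the new lookup drops dev->struct_mutex before context_dtor and drm_ctxbitmap_free run, so two concurrent DRM_IOCTL_RM_CTX calls for the same handle can both pass the idr_find check and both reach drm_ctxbitmap_free, which reproduces the idr_remove warning this patch is meant to silence; either hold struct_mutex across the lookup and the free, or move the "is this id allocated" check into drm_ctxbitmap_free itself next to the idr_remove. Separately, idr_find only returns the pointer stored for the id, so `if (!map) return -EINVAL;` is correct only if every allocated context id in ctx_idr carries a non-NULL map; if ids are allocated with a NULL pointer and only later given a map by drm_setsareactx, this check would reject valid contexts that never had a SAREA set and leak them, so it is worth confirming what drm_ctxbitmap_next stores. The `map` variable is also only used as a presence test; a bool or a direct `if (!idr_find(...))` would make that intent clearer.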
--
1.7.1