[PATCH] drm: Fix use-after-free in the shadow-attache exit code

David Herrmann dh.herrmann at gmail.com
Thu Jan 30 09:08:57 PST 2014


Hi

On Thu, Jan 30, 2014 at 5:58 PM, Daniel Vetter <daniel.vetter at ffwll.ch> wrote:
> This regression has been introduced in
>
> commit b3f2333de8e81b089262b26d52272911523e605f
> Author: Daniel Vetter <daniel.vetter at ffwll.ch>
> Date:   Wed Dec 11 11:34:31 2013 +0100
>
>     drm: restrict the device list for shadow attached drivers
>
> Reported-by: Dave Jones <davej at redhat.com>
> Cc: Dave Jones <davej at redhat.com>
> Cc: Dave Airlie <airlied at redhat.com>
> Cc: David Herrmann <dh.herrmann at gmail.com>
> Signed-off-by: Daniel Vetter <daniel.vetter at ffwll.ch>
> ---
>  drivers/gpu/drm/drm_pci.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/gpu/drm/drm_pci.c b/drivers/gpu/drm/drm_pci.c
> index 5736aaa7e86c..f7af69bcf3f4 100644
> --- a/drivers/gpu/drm/drm_pci.c
> +++ b/drivers/gpu/drm/drm_pci.c
> @@ -468,8 +468,8 @@ void drm_pci_exit(struct drm_driver *driver, struct pci_driver *pdriver)
>         } else {
>                 list_for_each_entry_safe(dev, tmp, &driver->legacy_dev_list,
>                                          legacy_dev_list) {
> -                       drm_put_dev(dev);
>                         list_del(&dev->legacy_dev_list);
> +                       drm_put_dev(dev);

This code-path is the only user of legacy_dev_list (besides ->probe)
and both are locked against each other. So removing the device before
destroying it is fine. So no objections from me:

Reviewed-by: David Herrmann <dh.herrmann at gmail.com>

Thanks
David

>                 }
>         }
>         DRM_INFO("Module unloaded\n");
> --
> 1.8.5.2
>


More information about the dri-devel mailing list