[PATCH] drm: Fix use-after-free in the shadow-attache exit code
David Herrmann
dh.herrmann at gmail.com
Thu Jan 30 09:08:57 PST 2014
Hi
On Thu, Jan 30, 2014 at 5:58 PM, Daniel Vetter <daniel.vetter at ffwll.ch> wrote:
> This regression has been introduced in
>
> commit b3f2333de8e81b089262b26d52272911523e605f
> Author: Daniel Vetter <daniel.vetter at ffwll.ch>
> Date: Wed Dec 11 11:34:31 2013 +0100
>
> drm: restrict the device list for shadow attached drivers
>
> Reported-by: Dave Jones <davej at redhat.com>
> Cc: Dave Jones <davej at redhat.com>
> Cc: Dave Airlie <airlied at redhat.com>
> Cc: David Herrmann <dh.herrmann at gmail.com>
> Signed-off-by: Daniel Vetter <daniel.vetter at ffwll.ch>
> ---
> drivers/gpu/drm/drm_pci.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/gpu/drm/drm_pci.c b/drivers/gpu/drm/drm_pci.c
> index 5736aaa7e86c..f7af69bcf3f4 100644
> --- a/drivers/gpu/drm/drm_pci.c
> +++ b/drivers/gpu/drm/drm_pci.c
> @@ -468,8 +468,8 @@ void drm_pci_exit(struct drm_driver *driver, struct pci_driver *pdriver)
> } else {
> list_for_each_entry_safe(dev, tmp, &driver->legacy_dev_list,
> legacy_dev_list) {
> - drm_put_dev(dev);
> list_del(&dev->legacy_dev_list);
> + drm_put_dev(dev);
This code-path is the only user of legacy_dev_list (besides ->probe)
and both are locked against each other. So removing the device before
destroying it is fine. So no objections from me:
Reviewed-by: David Herrmann <dh.herrmann at gmail.com>
Thanks
David
> }
> }
> DRM_INFO("Module unloaded\n");
> --
> 1.8.5.2
>
More information about the dri-devel
mailing list