[Intel-gfx] [PATCH v3] drm/i915: Fix use after free in lpe_audio_platdev_destroy()

Chris Wilson chris at chris-wilson.co.uk
Wed Apr 12 09:03:17 UTC 2017


On Wed, Apr 12, 2017 at 11:52:54AM +0300, Ville Syrjälä wrote:
> On Wed, Apr 12, 2017 at 09:31:39AM +0100, Chris Wilson wrote:
> >  drivers/gpu/drm/i915/intel_lpe_audio.c | 4 ++--
> >  1 file changed, 2 insertions(+), 2 deletions(-)
> > 
> > diff --git a/drivers/gpu/drm/i915/intel_lpe_audio.c b/drivers/gpu/drm/i915/intel_lpe_audio.c
> > index d8ca187ae001..dace2fb3154f 100644
> > --- a/drivers/gpu/drm/i915/intel_lpe_audio.c
> > +++ b/drivers/gpu/drm/i915/intel_lpe_audio.c
> > @@ -108,7 +108,6 @@ lpe_audio_platdev_create(struct drm_i915_private *dev_priv)
> >  	pinfo.num_res = 2;
> >  	pinfo.data = pdata;
> >  	pinfo.size_data = sizeof(*pdata);
> > -	pinfo.dma_mask = DMA_BIT_MASK(32);
> >  
> >  	spin_lock_init(&pdata->lpe_audio_slock);
> >  
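Review bot: with the `pinfo.dma_mask` assignment removed, nothing in lpe_audio_platdev_create() says why the mask is no longer handed over through pinfo like `num_res`, `data` and `size_data` are. A one-line comment at this spot naming the use after free from the subject line would keep a later cleanup from putting the assignment back.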
> > @@ -119,6 +118,8 @@ lpe_audio_platdev_create(struct drm_i915_private *dev_priv)
> >  		goto err;
> >  	}
> >  
> > +	dma_coerce_mask_and_coherent(&platdev->dev, DMA_BIT_MASK(32));
> > +
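Review bot: the return value of dma_coerce_mask_and_coherent() is discarded in the added line, and the call sits after the error check that ends in `goto err`, so the mask is applied only once the platdev already exists instead of being part of pinfo. Check the result and fail through the error path (with whatever cleanup the created platdev then needs), and add a short comment saying why the mask is set here and not via `pinfo.dma_mask`.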
> 
> Not sure how racy that is since we've already registered the platdev at
> that point. The whole platform_register_full() API looks misdesigned to
> me since you can't do stuff between alloc and register.

I had the same sinking feeling looking over
platform_device_register_full().
 
> We could shovel the dma_coerce_mask_and_coherent() call into
> platform_register_full() itself I suppose. Or we just stop using the
> register_full() stuff and do each step ourselves, but that looks a bit
> tedious.

I'm quite happy to use v2 and ask CI to file all bug reports to GregKH.

Let's be democratic, the version with the most r-b wins.
-Chris

-- 
Chris Wilson, Intel Open Source Technology Centre

