* [PATCH] drm/i915: Hold mutex across i915_gem_release
@ 2013-12-04 14:52 Chris Wilson
2013-12-04 16:07 ` [Intel-gfx] " Daniel Vetter
0 siblings, 1 reply; 2+ messages in thread
From: Chris Wilson @ 2013-12-04 14:52 UTC (permalink / raw)
To: intel-gfx; +Cc: Chris Wilson, stable
Inorder to serialise the closing of the file descriptor and its
subsequent release of client requests with i915_gem_free_request(), we
need to hold the struct_mutex in i915_gem_release(). Failing to do so
has the potential to trigger an OOPS, later with a use-after-free.
Testcase: igt/gem_close_race
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=70874
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=71029
Reported-by: Eric Anholt <eric@anholt.net>
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Cc: stable@vger.kernel.org
---
drivers/gpu/drm/i915/i915_dma.c | 2 ++
drivers/gpu/drm/i915/i915_gem_context.c | 2 --
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/i915/i915_dma.c b/drivers/gpu/drm/i915/i915_dma.c
index 38181a5691e2..0864a39a1b09 100644
--- a/drivers/gpu/drm/i915/i915_dma.c
+++ b/drivers/gpu/drm/i915/i915_dma.c
@@ -1847,8 +1847,10 @@ void i915_driver_lastclose(struct drm_device * dev)
void i915_driver_preclose(struct drm_device * dev, struct drm_file *file_priv)
{
+ mutex_lock(&dev->struct_mutex);
i915_gem_context_close(dev, file_priv);
i915_gem_release(dev, file_priv);
+ mutex_unlock(&dev->struct_mutex);
}
void i915_driver_postclose(struct drm_device *dev, struct drm_file *file)
diff --git a/drivers/gpu/drm/i915/i915_gem_context.c b/drivers/gpu/drm/i915/i915_gem_context.c
index ad31d865047a..dd3b8cdfd72e 100644
--- a/drivers/gpu/drm/i915/i915_gem_context.c
+++ b/drivers/gpu/drm/i915/i915_gem_context.c
@@ -348,10 +348,8 @@ void i915_gem_context_close(struct drm_device *dev, struct drm_file *file)
{
struct drm_i915_file_private *file_priv = file->driver_priv;
- mutex_lock(&dev->struct_mutex);
idr_for_each(&file_priv->context_idr, context_idr_cleanup, NULL);
idr_destroy(&file_priv->context_idr);
- mutex_unlock(&dev->struct_mutex);
}
static struct i915_hw_context *
--
1.8.5.1
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [Intel-gfx] [PATCH] drm/i915: Hold mutex across i915_gem_release
2013-12-04 14:52 [PATCH] drm/i915: Hold mutex across i915_gem_release Chris Wilson
@ 2013-12-04 16:07 ` Daniel Vetter
0 siblings, 0 replies; 2+ messages in thread
From: Daniel Vetter @ 2013-12-04 16:07 UTC (permalink / raw)
To: Chris Wilson; +Cc: intel-gfx, stable
On Wed, Dec 04, 2013 at 02:52:06PM +0000, Chris Wilson wrote:
> Inorder to serialise the closing of the file descriptor and its
> subsequent release of client requests with i915_gem_free_request(), we
> need to hold the struct_mutex in i915_gem_release(). Failing to do so
> has the potential to trigger an OOPS, later with a use-after-free.
>
> Testcase: igt/gem_close_race
> Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=70874
> Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=71029
> Reported-by: Eric Anholt <eric@anholt.net>
> Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
> Cc: stable@vger.kernel.org
Picked up for -fixes, thanks for the patch.
-Daniel
--
Daniel Vetter
Software Engineer, Intel Corporation
+41 (0) 79 365 57 48 - http://blog.ffwll.ch
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2013-12-04 16:07 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2013-12-04 14:52 [PATCH] drm/i915: Hold mutex across i915_gem_release Chris Wilson
2013-12-04 16:07 ` [Intel-gfx] " Daniel Vetter
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox