path: root/drivers/gpu/drm
diff options
authorYoungJun Cho <>2013-10-29 20:30:26 +0900
committerChanho Park <>2015-01-04 20:49:43 -0800
commit942d62204e43fa8280f702e4bed9f65aa3cde745 (patch)
treea6a304e704142795a99a05957484c69e9bdb59be /drivers/gpu/drm
parent490141d1f70f8a7f6cec16b510541e70020eaf96 (diff)
drm: delete unconsumed pending event list in drm_events_release
When there are unconsumed pending events, the events are destroyed by calling destroy callback, but the events list are remained, because there is no list_del(). It is possible that the page flip request is handled after drm_events_release() is called and before drm_fb_release(). In this case a drm_pending_event is remained not freed. So exynos driver checks again to remove it in its post close routine. But the file_priv->event_list contains undeleted ones, this can make oops for accessing invalid memory. Signed-off-by: YoungJun Cho <> Signed-off-by: Kyungmin Park <> Signed-off-by: Dave Airlie <> Change-Id: I25a471f4f4929150542eb6273c7673b9f44936b6 [back-ported from mainline to fix use after free issue] Signed-off-by: Seung-Woo Kim <>
Diffstat (limited to 'drivers/gpu/drm')
1 files changed, 3 insertions, 1 deletions
diff --git a/drivers/gpu/drm/drm_fops.c b/drivers/gpu/drm/drm_fops.c
index 3653955746e..bbe3bc0ce0a 100644
--- a/drivers/gpu/drm/drm_fops.c
+++ b/drivers/gpu/drm/drm_fops.c
@@ -410,8 +410,10 @@ static void drm_events_release(struct drm_file *file_priv)
/* Remove unconsumed events */
- list_for_each_entry_safe(e, et, &file_priv->event_list, link)
+ list_for_each_entry_safe(e, et, &file_priv->event_list, link) {
+ list_del(&e->link);
+ }
spin_unlock_irqrestore(&dev->event_lock, flags);