author | YoungJun Cho <yj44.cho@samsung.com> | 2013-10-29 20:30:26 +0900 |
---|---|---|
committer | Chanho Park <chanho61.park@samsung.com> | 2015-01-04 20:49:43 -0800 |
commit | 942d62204e43fa8280f702e4bed9f65aa3cde745 (patch) | |
tree | a6a304e704142795a99a05957484c69e9bdb59be /drivers | |
parent | 490141d1f70f8a7f6cec16b510541e70020eaf96 (diff) | |
drm: delete unconsumed pending event list in drm_events_release

When there are unconsumed pending events, the events are
destroyed by calling the destroy callback, but the event list
entries remain, because there is no list_del().

It is possible that the page flip request is handled after
drm_events_release() is called and before drm_fb_release().
In this case a drm_pending_event remains unfreed.
So the exynos driver checks again to remove it in its post
close routine. But the file_priv->event_list contains
undeleted ones, which can cause an oops from accessing invalid
memory.

Signed-off-by: YoungJun Cho <yj44.cho@samsung.com>
Signed-off-by: Kyungmin Park <kyungmin.park@samsung.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Change-Id: I25a471f4f4929150542eb6273c7673b9f44936b6
[back-ported from mainline to fix use after free issue]
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Diffstat (limited to 'drivers')
-rw-r--r-- | drivers/gpu/drm/drm_fops.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/drivers/gpu/drm/drm_fops.c b/drivers/gpu/drm/drm_fops.c index 3653955746e..bbe3bc0ce0a 100644 --- a/drivers/gpu/drm/drm_fops.c +++ b/drivers/gpu/drm/drm_fops.c @@ -410,8 +410,10 @@ static void drm_events_release(struct drm_file *file_priv) } /* Remove unconsumed events */ - list_for_each_entry_safe(e, et, &file_priv->event_list, link) + list_for_each_entry_safe(e, et, &file_priv->event_list, link) { + list_del(&e->link); e->destroy(e); + } spin_unlock_irqrestore(&dev->event_lock, flags); } |
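Review bot: In the loop under "/* Remove unconsumed events */", the code does not say that the order of list_del(&e->link) before e->destroy(e) matters, and it is the whole fix. Per the commit message the destroy callback disposes of the event and a driver's post close routine may walk file_priv->event_list again afterwards, so an entry that is destroyed while still linked leaves a dangling node on the list. I would extend the existing comment to say that each event is unlinked before it is destroyed because the list can be inspected again after drm_events_release() returns, so nobody later reorders or drops the list_del(). The unlink happens inside list_for_each_entry_safe() and before spin_unlock_irqrestore(&dev->event_lock, flags), which is the right place for it. Separately, the "[back-ported from mainline to fix use after free issue]" tag should cite the mainline commit id so the back-port can be traced.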