summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMario Kleiner <mario.kleiner.de@gmail.com>2014-08-06 03:22:46 +0200
committerDaniel Vetter <daniel.vetter@ffwll.ch>2014-09-10 09:41:29 +0200
commit2368ffb18b1d2b04eb80478d225676caa7a3c4c8 (patch)
treedf045778d0c44fb8d4d729fce32e3d0fcda4c771
parent79a093aea44f11fda0a5b4dbe4c1e29b2f586f4e (diff)
drm: Use vblank_disable_and_save in drm_vblank_cleanup()topic/vblank-rework-2014-09-10
Calling vblank_disable_fn() will cause that function to no-op if !dev->vblank_disable_allowed for some kms drivers, e.g., on nouveau-kms. This can cause the gpu vblank irq's to not get disabled before freeing the dev->vblank array, so if a vblank irq fires and calls into drm_handle_vblank() after drm_vblank_cleanup() completes, it will cause use-after-free access to dev->vblank array. Call vblank_disable_and_save unconditionally, so vblank irqs are guaranteed to be off, before we delete the data structures on which they operate. Signed-off-by: Mario Kleiner <mario.kleiner.de@gmail.com> Reviewed-by: Ville Syrjälä <ville.syrjala@linux.intel.com> [danvet: Fix subsystem name in patch subject.] Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
-rw-r--r--drivers/gpu/drm/drm_irq.c6
1 files changed, 5 insertions, 1 deletions
diff --git a/drivers/gpu/drm/drm_irq.c b/drivers/gpu/drm/drm_irq.c
index 6473089e5fd3..9be760145cb7 100644
--- a/drivers/gpu/drm/drm_irq.c
+++ b/drivers/gpu/drm/drm_irq.c
@@ -239,6 +239,7 @@ static void vblank_disable_fn(unsigned long arg)
void drm_vblank_cleanup(struct drm_device *dev)
{
int crtc;
+ unsigned long irqflags;
/* Bail if the driver didn't call drm_vblank_init() */
if (dev->num_crtcs == 0)
@@ -248,7 +249,10 @@ void drm_vblank_cleanup(struct drm_device *dev)
struct drm_vblank_crtc *vblank = &dev->vblank[crtc];
del_timer_sync(&vblank->disable_timer);
- vblank_disable_fn((unsigned long)vblank);
+
+ spin_lock_irqsave(&dev->vbl_lock, irqflags);
+ vblank_disable_and_save(dev, crtc);
+ spin_unlock_irqrestore(&dev->vbl_lock, irqflags);
}
kfree(dev->vblank);