From 4693b1bd5b5c381e8b7b68a6f7f0c6696d6a68df Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michel=20D=C3=A4nzer?= <michel.daenzer@amd.com>
Date: Thu, 31 Mar 2016 17:02:55 +0900
Subject: Identify DRM event queue entries by sequence number instead of by
 pointer

If the memory for an entry was allocated at the same address as that for
a previously cancelled entry, the handler could theoretically be called
prematurely, triggered by the DRM event which was submitted for the
cancelled entry.

Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
---
 src/radeon_drm_queue.c | 24 ++++++++++++++++++------
 1 file changed, 18 insertions(+), 6 deletions(-)

(limited to 'src/radeon_drm_queue.c')

diff --git a/src/radeon_drm_queue.c b/src/radeon_drm_queue.c
index 25fb1835..0d999dde 100644
--- a/src/radeon_drm_queue.c
+++ b/src/radeon_drm_queue.c
@@ -40,6 +40,7 @@
 struct radeon_drm_queue_entry {
     struct xorg_list list;
     uint64_t id;
+    uintptr_t seq;
     void *data;
     ClientPtr client;
     xf86CrtcPtr crtc;
@@ -49,6 +50,7 @@ struct radeon_drm_queue_entry {
 
 static int radeon_drm_queue_refcnt;
 static struct xorg_list radeon_drm_queue;
+static uintptr_t radeon_drm_queue_seq;
 
 
 /*
@@ -58,11 +60,11 @@ void
 radeon_drm_queue_handler(int fd, unsigned int frame, unsigned int sec,
 			 unsigned int usec, void *user_ptr)
 {
-	struct radeon_drm_queue_entry *user_data = user_ptr;
+	uintptr_t seq = (uintptr_t)user_ptr;
 	struct radeon_drm_queue_entry *e, *tmp;
 
 	xorg_list_for_each_entry_safe(e, tmp, &radeon_drm_queue, list) {
-		if (e == user_data) {
+		if (e->seq == seq) {
 			xorg_list_del(&e->list);
 			if (e->handler)
 				e->handler(e->crtc, frame,
@@ -80,7 +82,7 @@ radeon_drm_queue_handler(int fd, unsigned int frame, unsigned int sec,
  * Enqueue a potential drm response; when the associated response
  * appears, we've got data to pass to the handler from here
  */
-struct radeon_drm_queue_entry *
+uintptr_t
 radeon_drm_queue_alloc(xf86CrtcPtr crtc, ClientPtr client,
 		       uint64_t id, void *data,
 		       radeon_drm_handler_proc handler,
@@ -92,6 +94,9 @@ radeon_drm_queue_alloc(xf86CrtcPtr crtc, ClientPtr client,
     if (!e)
 	return NULL;
 
+    if (!radeon_drm_queue_seq)
+	radeon_drm_queue_seq = 1;
+    e->seq = radeon_drm_queue_seq++;
     e->client = client;
     e->crtc = crtc;
     e->id = id;
@@ -101,7 +106,7 @@ radeon_drm_queue_alloc(xf86CrtcPtr crtc, ClientPtr client,
 
     xorg_list_add(&e->list, &radeon_drm_queue);
 
-    return e;
+    return e->seq;
 }
 
 /*
@@ -139,9 +144,16 @@ radeon_drm_abort_client(ClientPtr client)
  * Abort specific drm queue entry
  */
 void
-radeon_drm_abort_entry(struct radeon_drm_queue_entry *entry)
+radeon_drm_abort_entry(uintptr_t seq)
 {
-    radeon_drm_abort_one(entry);
+    struct radeon_drm_queue_entry *e, *tmp;
+
+    xorg_list_for_each_entry_safe(e, tmp, &radeon_drm_queue, list) {
+	if (e->seq == seq) {
+	    radeon_drm_abort_one(e);
+	    break;
+	}
+    }
 }
 
 /*
-- 
cgit v1.2.3