diff options
| author | Jonathan Gray <jsg@cvs.openbsd.org> | 2020-01-17 23:17:02 +0000 |
|---|---|---|
| committer | Jonathan Gray <jsg@cvs.openbsd.org> | 2020-01-17 23:17:02 +0000 |
| commit | fc00dc0699a48a23d77ddc64dd1f9c1766caad64 (patch) | |
| tree | 9adaa69fb6019f11686576ebd91967135220a901 /sys/dev/pci | |
| parent | 2969d729dfaa4195ed418c306f4dc705e5d57941 (diff) | |
drm/i915: Fix use-after-free when destroying GEM context
From Tyler Hicks
afb89cd5f2ba2d5d04b85b2692a9a3d86b6fabd7 in linux 4.19.y/4.19.97
7dc40713618c884bf07c030d1ab1f47a9dc1f310 in mainline linux
Diffstat (limited to 'sys/dev/pci')
| -rw-r--r-- | sys/dev/pci/drm/i915/i915_gem_context.c | 13 |
1 files changed, 7 insertions, 6 deletions
diff --git a/sys/dev/pci/drm/i915/i915_gem_context.c b/sys/dev/pci/drm/i915/i915_gem_context.c index fbc7d4db006..8a5bec73db2 100644 --- a/sys/dev/pci/drm/i915/i915_gem_context.c +++ b/sys/dev/pci/drm/i915/i915_gem_context.c @@ -781,18 +781,19 @@ int i915_gem_context_destroy_ioctl(struct drm_device *dev, void *data, if (args->ctx_id == DEFAULT_CONTEXT_HANDLE) return -ENOENT; + ret = i915_mutex_lock_interruptible(dev); + if (ret) + return ret; + ctx = i915_gem_context_lookup(file_priv, args->ctx_id); - if (!ctx) + if (!ctx) { + mutex_unlock(&dev->struct_mutex); return -ENOENT; - - ret = mutex_lock_interruptible(&dev->struct_mutex); - if (ret) - goto out; + } __destroy_hw_context(ctx, file_priv); mutex_unlock(&dev->struct_mutex); -out: i915_gem_context_put(ctx); return 0; } |