On Mon, Sep 03, 2018 at 10:31:55AM +0100, Chris Wilson wrote:
Using a spinlock to serialize the destroy function, within the destroy function itself does not prevent the buggy driver from shooting themselves in the foot - either way they still have a use-after-free issue.
Reported-by: Jia-Ju Bai <baijiaju1990@gmail.com>
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Cc: Davidlohr Bueso <dave@stgolabs.net>
Cc: Liviu Dudau <Liviu.Dudau@arm.com>
Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
Ah, now I understand a bit more ...
Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
drivers/gpu/drm/drm_vma_manager.c | 3 --- 1 file changed, 3 deletions(-)
diff --git a/drivers/gpu/drm/drm_vma_manager.c b/drivers/gpu/drm/drm_vma_manager.c index a6b2fe36b025..c5d0d2358301 100644 --- a/drivers/gpu/drm/drm_vma_manager.c +++ b/drivers/gpu/drm/drm_vma_manager.c @@ -103,10 +103,7 @@ EXPORT_SYMBOL(drm_vma_offset_manager_init); */ void drm_vma_offset_manager_destroy(struct drm_vma_offset_manager *mgr) {
- /* take the lock to protect against buggy drivers */
- write_lock(&mgr->vm_lock); drm_mm_takedown(&mgr->vm_addr_space_mm);
- write_unlock(&mgr->vm_lock);
} EXPORT_SYMBOL(drm_vma_offset_manager_destroy);
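Review bot: Missing documentation in drm_vma_offset_manager_destroy(): once the write_lock()/write_unlock() pair around drm_mm_takedown() is dropped, nothing in the visible function body says that the caller must have stopped every concurrent user of the manager before calling it. The removed "protect against buggy drivers" comment was the only hint of that expectation. Since the commit message argues that the lock never prevented the use-after-free, the contract now rests entirely on the caller. Consider adding a sentence to the kerneldoc block that closes just above the function, stating that the manager must no longer be reachable by any other thread when destroy is called and that the function performs no locking of its own, so driver authors do not assume the teardown is serialized against lookups.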
-- 2.19.0.rc1