Skip to content

L
linux
Commit fad20834 authored by Chris Wilson's avatar Chris Wilson
Browse files
Options

drm/i915: Fix use-after-free of context during free_contexts 

When iterating the list of contexts to free, we need to use a safe
iterator as we are freeing the link as we go. Pass an extra thick brown
paper bag.

Fixes: 5f09a9c8 ("drm/i915: Allow contexts to be unreferenced locklessly")
Signed-off-by: default avatarChris Wilson <chris@chris-wilson.co.uk>
Cc: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
Cc: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
Cc: Matthew Auld <matthew.auld@intel.com>
Link: http://patchwork.freedesktop.org/patch/msgid/20170630230517.1938-1-chris@chris-wilson.co.ukReviewed-by: default avatarMatthew Auld <matthew.auld@intel.com>
parent a874b6a3
Hide whitespace changes
Inline Side-by-side
Showing with 2 additions and 2 deletions
drivers/gpu/drm/i915/i915_gem_context.c
View file @ fad20834
......@@ -193,11 +193,11 @@ static void i915_gem_context_free(struct i915_gem_context *ctx)
static void contexts_free(struct drm_i915_private *i915)
{
struct llist_node *freed = llist_del_all(&i915->contexts.free_list);
struct i915_gem_context *ctx;
struct i915_gem_context *ctx, *cn;
lockdep_assert_held(&i915->drm.struct_mutex);
llist_for_each_entry(ctx, freed, free_link)
llist_for_each_entry_safe(ctx, cn, freed, free_link)
i915_gem_context_free(ctx);
}
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment
GitLab Nexedi Edition | About GitLab | About Nexedi | 沪ICP备2021021310号-2 | 沪ICP备2021021310号-7