drm/i915: Fix use-after-free of context during free_contexts
author Chris Wilson <chris@chris-wilson.co.uk>
Fri, 30 Jun 2017 23:05:17 +0000 (00:05 +0100)
committer Chris Wilson <chris@chris-wilson.co.uk>
Tue, 4 Jul 2017 10:55:27 +0000 (11:55 +0100)
When iterating the list of contexts to free, we need to use a safe
iterator as we are freeing the link as we go. Pass an extra thick brown
paper bag.

Fixes: 5f09a9c8ab6b ("drm/i915: Allow contexts to be unreferenced locklessly")
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Cc: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
Cc: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
Cc: Matthew Auld <matthew.auld@intel.com>
Link: http://patchwork.freedesktop.org/patch/msgid/20170630230517.1938-1-chris@chris-wilson.co.uk
Reviewed-by: Matthew Auld <matthew.auld@intel.com>
drivers/gpu/drm/i915/i915_gem_context.c

index 71d2ea7dab6494fb9f916892c09fcc788e8e2c9b..2eb5d8203999642e0fb867393e90b5eccc06599f 100644 (file)
@@ -193,11 +193,11 @@ static void i915_gem_context_free(struct i915_gem_context *ctx)
 static void contexts_free(struct drm_i915_private *i915)
 {
        struct llist_node *freed = llist_del_all(&i915->contexts.free_list);
-       struct i915_gem_context *ctx;
+       struct i915_gem_context *ctx, *cn;
 
        lockdep_assert_held(&i915->drm.struct_mutex);
 
-       llist_for_each_entry(ctx, freed, free_link)
+       llist_for_each_entry_safe(ctx, cn, freed, free_link)
                i915_gem_context_free(ctx);
 }
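
Review bot: The switch to llist_for_each_entry_safe() in contexts_free() has no comment explaining why the safe variant is required, so a later cleanup could revert to the plain iterator. Per the commit message, i915_gem_context_free(ctx) frees the object that embeds free_link, so the plain iterator would read the next pointer out of freed memory. A one-line comment above the loop would record that. The cursor name cn is also terse; something like next would read more clearly beside ctx.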