drm/amdgpu: Avoid use-after-free

Submitted by Tom St Denis on Sept. 12, 2016, 6:18 p.m.

Details

Message ID 20160912181838.26814-1-tom.stdenis@amd.com
State New
Series "drm/amdgpu: Avoid use-after-free" ( rev: 1 ) in AMD X.Org drivers

Commit Message

Tom St Denis Sept. 12, 2016, 6:18 p.m.
Switch to _SAFE variant of list macro to avoid use-after-free bug.

Signed-off-by: Tom St Denis <tom.stdenis@amd.com>
---
 amdgpu/amdgpu_cs.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

Patch

diff --git a/amdgpu/amdgpu_cs.c b/amdgpu/amdgpu_cs.c
index fb5b3a8c4bc4..cd92a0957293 100644
--- a/amdgpu/amdgpu_cs.c
+++ b/amdgpu/amdgpu_cs.c
@@ -124,8 +124,8 @@  int amdgpu_cs_ctx_free(amdgpu_context_handle context)
 	for (i = 0; i < AMDGPU_HW_IP_NUM; i++) {
 		for (j = 0; j < AMDGPU_HW_IP_INSTANCE_MAX_COUNT; j++) {
 			for (k = 0; k < AMDGPU_CS_MAX_RINGS; k++) {
-				amdgpu_semaphore_handle sem;
-				LIST_FOR_EACH_ENTRY(sem, &context->sem_list[i][j][k], list) {
+				amdgpu_semaphore_handle sem, tmp;
+				LIST_FOR_EACH_ENTRY_SAFE(sem, tmp, &context->sem_list[i][j][k], list) {
 					list_del(&sem->list);
 					amdgpu_cs_reset_sem(sem);
 					amdgpu_cs_unreference_sem(sem);
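
Review bot: in the loop body, LIST_FOR_EACH_ENTRY_SAFE only protects against the current entry going away, because tmp is taken before list_del(&sem->list), amdgpu_cs_reset_sem(sem) and amdgpu_cs_unreference_sem(sem) run. Please confirm that neither of those calls can unlink or release another semaphore on the same sem_list[i][j][k], since tmp would then be stale. The commit message could also name the step in this loop after which the plain macro touched sem, so the fix can be checked against it.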

Comments

On 12.09.2016 at 20:18, Tom St Denis wrote:
> Switch to _SAFE variant of list macro to avoid use-after-free bug.
>
> Signed-off-by: Tom St Denis <tom.stdenis@amd.com>
> ---
>   amdgpu/amdgpu_cs.c | 4 ++--
>   1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/amdgpu/amdgpu_cs.c b/amdgpu/amdgpu_cs.c
> index fb5b3a8c4bc4..cd92a0957293 100644
> --- a/amdgpu/amdgpu_cs.c
> +++ b/amdgpu/amdgpu_cs.c
> @@ -124,8 +124,8 @@ int amdgpu_cs_ctx_free(amdgpu_context_handle context)
>   	for (i = 0; i < AMDGPU_HW_IP_NUM; i++) {
>   		for (j = 0; j < AMDGPU_HW_IP_INSTANCE_MAX_COUNT; j++) {
>   			for (k = 0; k < AMDGPU_CS_MAX_RINGS; k++) {
> -				amdgpu_semaphore_handle sem;
> -				LIST_FOR_EACH_ENTRY(sem, &context->sem_list[i][j][k], list) {
> +				amdgpu_semaphore_handle sem, tmp;

A newline between declaration and code please.

With that fixed the patch is Reviewed-by: Christian König 
<christian.koenig@amd.com>.

> +				LIST_FOR_EACH_ENTRY_SAFE(sem, tmp, &context->sem_list[i][j][k], list) {
>   					list_del(&sem->list);
>   					amdgpu_cs_reset_sem(sem);
>   					amdgpu_cs_unreference_sem(sem);
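
The iteration pattern the patch switches to, as an added example that is not part of the original thread or libdrm's code: a teardown loop that saves the next pointer before it unlinks and releases the current entry, where the plain form would advance through the entry it just freed. The list helpers, `struct sem`, `drain` and `demo` are constructed stand-ins, not the amdgpu API.

```c
#include <stdlib.h>

/* Minimal intrusive list written for this example (not libdrm's header). */
struct list_head { struct list_head *prev, *next; };
struct sem { struct list_head list; int refcount; }; /* hypothetical entry */

static void list_del(struct list_head *item)
{
	item->prev->next = item->next;
	item->next->prev = item->prev;
}

/* Unlink and release every entry on head; returns how many were freed. */
static int drain(struct list_head *head)
{
	struct list_head *pos, *next;
	int freed = 0;

	/* _SAFE pattern: save next before the body can free pos. */
	for (pos = head->next; pos != head; pos = next) {
		struct sem *s = (struct sem *)pos; /* list is the first member */
		next = pos->next;
		list_del(pos);
		if (--s->refcount == 0) { /* last reference dropped */
			free(s);
			freed++;
		}
	}
	return freed;
}

/* Build n entries, drain them; returns count freed, or -1 on any failure. */
static int demo(int n)
{
	struct list_head head = { &head, &head };
	int i;
	for (i = 0; i < n; i++) {
		struct sem *s = calloc(1, sizeof(*s));
		if (!s)
			return -1;
		s->refcount = 1;
		s->list.prev = &head; /* insert at the front */
		s->list.next = head.next;
		head.next->prev = &s->list;
		head.next = &s->list;
	}
	i = drain(&head);
	return head.next == &head ? i : -1;
}

int main(void) { return demo(3) == 3 ? 0 : 1; }
```

Building this with `-fsanitize=address` and moving `next = pos->next;` below the `free(s)` reproduces the class of report the plain macro would trigger.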