drm: remove minor-id during unplug

Don't delay minor removal to drm_put_minor(). Otherwise, user-space can still open the minor and cause the kernel to oops. Instead, remove the minor during unplug so any new open() will fail to access this minor. Note that open() and drm_unplug_minor() are both protected by the global DRM mutex so we're fine. Signed-off-by: N David Herrmann <dh.herrmann@gmail.com> Signed-off-by: N Dave Airlie <airlied@redhat.com>

drm: remove minor-id during unplug
Don't delay minor removal to drm_put_minor(). Otherwise, user-space can still open the minor and cause the kernel to oops. Instead, remove the minor during unplug so any new open() will fail to access this minor. Note that open() and drm_unplug_minor() are both protected by the global DRM mutex so we're fine. Signed-off-by: N David Herrmann <dh.herrmann@gmail.com> Signed-off-by: N Dave Airlie <airlied@redhat.com>
f67e946b · David Herrmann · Dave Airlie · 865fb47f · f67e946b
隐藏空白更改
内联并排

Showing with 1 addition and 3 deletion

drivers/gpu/drm/drm_stub.c drivers/gpu/drm/drm_stub.c +1 -3

未找到文件。
--- a/drivers/gpu/drm/drm_stub.c
+++ b/drivers/gpu/drm/drm_stub.c
@@ -346,6 +346,7 @@ static void drm_unplug_minor(struct drm_minor *minor)
 #endif

 	drm_sysfs_device_remove(minor);
+	idr_remove(&drm_minors_idr, minor->index);
 }

 /**
@@ -365,9 +366,6 @@ static void drm_put_minor(struct drm_minor *minor)
 	DRM_DEBUG("release secondary minor %d\n", minor->index);

 	drm_unplug_minor(minor);
-
-	idr_remove(&drm_minors_idr, minor->index);
-
 	kfree(minor);
 }