From patchwork Mon Jul  2 16:40:54 2012
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: Jerome Glisse <j.glisse@gmail.com>
X-Patchwork-Id: 1147491
Return-Path: 
 <dri-devel-bounces+patchwork-dri-devel=patchwork.kernel.org@lists.freedesktop.org>
X-Original-To: patchwork-dri-devel@patchwork.kernel.org
Delivered-To: patchwork-process-083081@patchwork1.kernel.org
Received: from gabe.freedesktop.org (gabe.freedesktop.org [131.252.210.177])
	by patchwork1.kernel.org (Postfix) with ESMTP id 515B940ABE
	for <patchwork-dri-devel@patchwork.kernel.org>;
	Mon,  2 Jul 2012 16:44:15 +0000 (UTC)
Received: from gabe.freedesktop.org (localhost [127.0.0.1])
	by gabe.freedesktop.org (Postfix) with ESMTP id 185CE9F57D
	for <patchwork-dri-devel@patchwork.kernel.org>;
	Mon,  2 Jul 2012 09:44:15 -0700 (PDT)
X-Original-To: dri-devel@lists.freedesktop.org
Delivered-To: dri-devel@lists.freedesktop.org
Received: from mail-yw0-f52.google.com (mail-yw0-f52.google.com
	[209.85.213.52])
	by gabe.freedesktop.org (Postfix) with ESMTP id B43CD9F517
	for <dri-devel@lists.freedesktop.org>;
	Mon,  2 Jul 2012 09:43:56 -0700 (PDT)
Received: by yhpp61 with SMTP id p61so5526587yhp.25
	for <dri-devel@lists.freedesktop.org>;
	Mon, 02 Jul 2012 09:43:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;
	h=from:to:cc:subject:date:message-id:x-mailer;
	bh=j0rOVrhVbJBLumQLqkTU10QfbRN5PoAYz1zEMw7o41k=;
	b=0/HkUvD3vFDvB73mS5OrZusehZw+Vjq7UviaOp/ntEaKNdNL98dvmFDZMLm1o99Dtt
	mbO8ga5K5zrTg/GOgBZ9o7LhxyfZUkOs/aF8PzaHWnTO+vOoTsBkBFGFeMmr6P5OObtT
	kCfFy6jNMF5xrwqXm3xgT4FN/n9USfOt0fmUkNC/KiIL5HRHhxMS/lQSV+m6+fEcnNOR
	6sPnqlzoxjugJRDyHWMr054MIfhGpl4r6R0KT7KJBs8xPX+wdyiimVlC6ZySK82oMLlc
	LyWuKzh41lAwv0Yi/4e/g4PoWIwIiwdGl65g24fN2X7HfEA4ZV5B8jKUhkDdRtc81rQ9
	yIUQ==
Received: by 10.42.29.202 with SMTP id s10mr6606390icc.1.1341247435988;
	Mon, 02 Jul 2012 09:43:55 -0700 (PDT)
Received: from localhost.boston.devel.redhat.com ([66.187.233.206])
	by mx.google.com with ESMTPS id
	gs4sm19825959igc.1.2012.07.02.09.43.54
	(version=SSLv3 cipher=OTHER); Mon, 02 Jul 2012 09:43:55 -0700 (PDT)
From: j.glisse@gmail.com
To: dri-devel@lists.freedesktop.org
Subject: [PATCH] drm/radeon: fix rare segfault
Date: Mon,  2 Jul 2012 12:40:54 -0400
Message-Id: <1341247254-10516-1-git-send-email-j.glisse@gmail.com>
X-Mailer: git-send-email 1.7.10.2
Cc: Jerome Glisse <jglisse@redhat.com>
X-BeenThere: dri-devel@lists.freedesktop.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: Direct Rendering Infrastructure - Development
	<dri-devel.lists.freedesktop.org>
List-Unsubscribe: <http://lists.freedesktop.org/mailman/options/dri-devel>,
	<mailto:dri-devel-request@lists.freedesktop.org?subject=unsubscribe>
List-Archive: <http://lists.freedesktop.org/archives/dri-devel>
List-Post: <mailto:dri-devel@lists.freedesktop.org>
List-Help: <mailto:dri-devel-request@lists.freedesktop.org?subject=help>
List-Subscribe: <http://lists.freedesktop.org/mailman/listinfo/dri-devel>,
	<mailto:dri-devel-request@lists.freedesktop.org?subject=subscribe>
MIME-Version: 1.0
Sender: 
 dri-devel-bounces+patchwork-dri-devel=patchwork.kernel.org@lists.freedesktop.org
Errors-To: 
 dri-devel-bounces+patchwork-dri-devel=patchwork.kernel.org@lists.freedesktop.org

From: Jerome Glisse <jglisse@redhat.com>

In gem idle/busy ioctl the radeon object was derefenced after
drm_gem_object_unreference_unlocked which in case the object
have been destroyed lead to use of a possibly free pointer with
possibly wrong data.

Signed-off-by: Jerome Glisse <jglisse@redhat.com>
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
Reviewed-by: Christian König <christian.koenig@amd.com>
---
 drivers/gpu/drm/radeon/radeon_gem.c |   10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/drivers/gpu/drm/radeon/radeon_gem.c b/drivers/gpu/drm/radeon/radeon_gem.c
index 74176c5..c8838fc 100644
--- a/drivers/gpu/drm/radeon/radeon_gem.c
+++ b/drivers/gpu/drm/radeon/radeon_gem.c
@@ -325,6 +325,7 @@ int radeon_gem_mmap_ioctl(struct drm_device *dev, void *data,
 int radeon_gem_busy_ioctl(struct drm_device *dev, void *data,
 			  struct drm_file *filp)
 {
+	struct radeon_device *rdev = dev->dev_private;
 	struct drm_radeon_gem_busy *args = data;
 	struct drm_gem_object *gobj;
 	struct radeon_bo *robj;
@@ -350,13 +351,14 @@ int radeon_gem_busy_ioctl(struct drm_device *dev, void *data,
 		break;
 	}
 	drm_gem_object_unreference_unlocked(gobj);
-	r = radeon_gem_handle_lockup(robj->rdev, r);
+	r = radeon_gem_handle_lockup(rdev, r);
 	return r;
 }
 
 int radeon_gem_wait_idle_ioctl(struct drm_device *dev, void *data,
 			      struct drm_file *filp)
 {
+	struct radeon_device *rdev = dev->dev_private;
 	struct drm_radeon_gem_wait_idle *args = data;
 	struct drm_gem_object *gobj;
 	struct radeon_bo *robj;
@@ -369,10 +371,10 @@ int radeon_gem_wait_idle_ioctl(struct drm_device *dev, void *data,
 	robj = gem_to_radeon_bo(gobj);
 	r = radeon_bo_wait(robj, NULL, false);
 	/* callback hw specific functions if any */
-	if (robj->rdev->asic->ioctl_wait_idle)
-		robj->rdev->asic->ioctl_wait_idle(robj->rdev, robj);
+	if (rdev->asic->ioctl_wait_idle)
+		robj->rdev->asic->ioctl_wait_idle(rdev, robj);
 	drm_gem_object_unreference_unlocked(gobj);
-	r = radeon_gem_handle_lockup(robj->rdev, r);
+	r = radeon_gem_handle_lockup(rdev, r);
 	return r;
 }