From: Russell King <rmk+kernel@xxxxxxxxxxxxxxxx>
The etnaviv_gpu structure can have a longer lifetime than the GPU
command buffer, MMU and drm_device structures. When these other
structures are freed (via the unbind method) we may be tempted to
access these via other functions after they've been freed. Leaving
pointers in them invites undetected use-after-free events. This
has happened while trying to develop runtime PM for the GPU.
Ensure that these bugs are obvious by NULLing out the pointers at
the end of their lifetime.
Signed-off-by: Russell King <rmk+kernel@xxxxxxxxxxxxxxxx>
---
drivers/staging/etnaviv/etnaviv_gpu.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/drivers/staging/etnaviv/etnaviv_gpu.c b/drivers/staging/etnaviv/etnaviv_gpu.c
index 7537ab13a47e..7f041a261d54 100644
--- a/drivers/staging/etnaviv/etnaviv_gpu.c
+++ b/drivers/staging/etnaviv/etnaviv_gpu.c
@@ -990,11 +990,17 @@ static void etnaviv_gpu_unbind(struct device *dev, struct device *master,
WARN_ON(!list_empty(&gpu->active_list));
- if (gpu->buffer)
+ if (gpu->buffer) {
drm_gem_object_unreference_unlocked(gpu->buffer);
+ gpu->buffer = NULL;
+ }
- if (gpu->mmu)
+ if (gpu->mmu) {
etnaviv_iommu_destroy(gpu->mmu);
+ gpu->mmu = NULL;
+ }
+
+ gpu->drm = NULL;
}
static const struct component_ops gpu_ops = {
--
2.1.4
_______________________________________________
dri-devel mailing list
dri-devel@xxxxxxxxxxxxxxxxxxxxx
http://lists.freedesktop.org/mailman/listinfo/dri-devel
