Hi,

The patches in this series are largely fixes and prepwork leading up to the final patch which plugs races with modesetting rights. Most of the fixes don't have bug reports, so comments would be very appreciated.

The biggest change from the previous version is that we convert drm_device.master_mutex into master_rwsem, instead of introducing master_rwsem as a third lock.

Overall, this series makes the following changes:

- Patch 1: Move master_lookup_lock into struct drm_device (enables us to use it to protect attributes accessed by different drm_files)
- Patch 2: Add a missing master_lookup_lock in drm_master_release
- Patch 3: Fix a potential race in drm_is_current_master_locked
- Patch 4: Fix potential null ptr dereferences in drm_{auth, ioctl}
- Patch 5: Move magic_map,unique{_len} out from master_mutex's protection into master_lookup_lock's protection (allows us to avoid read_lock -> write_lock deadlocks)
- Patch 6: Convert master_mutex into rwsem (avoids creating a new lock)
- Patch 7: Update global mutex locking in the ioctl handler (avoids deadlock when grabbing read lock on master_rwsem in drm_ioctl_kernel)
- Patch 8: Export task_work_add (enables us to write drm_master_flush)
- Patch 9: Plug races with drm modesetting rights

v2 -> v3:

- Unexport drm_master_flush, as suggested by Daniel Vetter.
- Merge master_mutex and master_rwsem, as suggested by Daniel Vetter.
- Export task_work_add, reported by kernel test robot.
- Make master_flush static, reported by kernel test robot.
- Move master_lookup_lock into struct drm_device.
- Add a missing lock on master_lookup_lock in drm_master_release.
- Fix a potential race in drm_is_current_master_locked.
- Fix potential null ptr dereferences in drm_{auth, ioctl}.
- Protect magic_map,unique{_len} with master_lookup_lock.
- Convert master_mutex into a rwsem.
- Update global mutex locking in the ioctl handler.

v1 -> v2 (suggested by Daniel Vetter):

- Address an additional race when drm_open runs.
- Switch from SRCU to rwsem to synchronise readers and writers.
- Implement drm_master_flush with task_work so that flushes can be queued to run before returning to userspace without creating a new DRM_MASTER_FLUSH ioctl flag.

Best wishes,
Desmond

Desmond Cheong Zhi Xi (9):
  drm: move master_lookup_lock into drm_device
  drm: hold master_lookup_lock when releasing a drm_file's master
  drm: check for null master in drm_is_current_master_locked
  drm: fix potential null ptr dereferences in drm_{auth,ioctl}
  drm: protect magic_map,unique{_len} with master_lookup_lock
  drm: convert drm_device.master_mutex into a rwsem
  drm: update global mutex lock in the ioctl handler
  kernel: export task_work_add
  drm: avoid races with modesetting rights

 drivers/gpu/drm/drm_auth.c     | 108 ++++++++++++++++++++++++---------
 drivers/gpu/drm/drm_debugfs.c  |   4 +-
 drivers/gpu/drm/drm_drv.c      |   4 +-
 drivers/gpu/drm/drm_file.c     |   1 -
 drivers/gpu/drm/drm_internal.h |   1 +
 drivers/gpu/drm/drm_ioctl.c    |  39 +++++++-----
 drivers/gpu/drm/drm_lease.c    |   1 +
 include/drm/drm_auth.h         |   6 +-
 include/drm/drm_device.h       |  27 +++++++--
 include/drm/drm_file.h         |  20 +++---
 kernel/task_work.c             |   1 +
 11 files changed, 145 insertions(+), 67 deletions(-)

-- 
2.25.1