On 30-12-2018 at 13:28, Chris Wilson wrote:
> Delay the drm_modeset_acquire_init() until after we check for an
> allocation failure so that we can return immediately upon error without
> having to unwind.
>
> WARNING: lock held when returning to user space!
> 4.20.0+ #174 Not tainted
> ------------------------------------------------
> syz-executor556/8153 is leaving the kernel with locks still held!
> 1 lock held by syz-executor556/8153:
> #0: 000000005100c85c (crtc_ww_class_acquire){+.+.}, at:
> set_property_atomic+0xb3/0x330 drivers/gpu/drm/drm_mode_object.c:462
>
> Reported-by: syzbot+6ea337c427f5083ebdf2@xxxxxxxxxxxxxxxxxxxxxxxxx
> Fixes: 144a7999d633 ("drm: Handle properties in the core for atomic drivers")
> Signed-off-by: Chris Wilson <chris@xxxxxxxxxxxxxxxxxx>
> Cc: Daniel Vetter <daniel.vetter@xxxxxxxx>
> Cc: Maarten Lankhorst <maarten.lankhorst@xxxxxxxxxxxxxxx>
> Cc: Sean Paul <sean@xxxxxxxxxx>
> Cc: David Airlie <airlied@xxxxxxxx>
> Cc: <stable@xxxxxxxxxxxxxxx> # v4.14+
> ---
> drivers/gpu/drm/drm_mode_object.c | 5 +++--
> 1 file changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/gpu/drm/drm_mode_object.c b/drivers/gpu/drm/drm_mode_object.c > index bb1dd46496cd..a9005c1c2384 100644 > --- a/drivers/gpu/drm/drm_mode_object.c > +++ b/drivers/gpu/drm/drm_mode_object.c > @@ -459,12 +459,13 @@ static int set_property_atomic(struct drm_mode_object *obj, > struct drm_modeset_acquire_ctx ctx; > int ret; > > - drm_modeset_acquire_init(&ctx, 0); > - > state = drm_atomic_state_alloc(dev); > if (!state) > return -ENOMEM; > + > + drm_modeset_acquire_init(&ctx, 0); > state->acquire_ctx = &ctx; > + > retry: > if (prop == state->dev->mode_config.dpms_property) { > if (obj->type != DRM_MODE_OBJECT_CONNECTOR) {

Woops only now see you did the same.. :)

Reviewed-by: Maarten Lankhorst <maarten.lankhorst@xxxxxxxxxxxxxxx>
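Review bot: nothing in set_property_atomic() documents that the bare `return -ENOMEM;` is only safe because it now sits above `drm_modeset_acquire_init(&ctx, 0);`. A short comment above the moved init, saying that every exit past that line has to go through the function's unwind, would keep a later early return from bringing back the held crtc_ww_class_acquire warning quoted in the commit message. The extra blank `+` line added before `retry:` is a whitespace-only change unrelated to the fix and could be dropped from a patch that is Cc'd to stable.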