drm/prime: fix error path deadlock fail
authorRob Clark <robdclark@gmail.com>
Thu, 9 Jun 2016 19:29:19 +0000 (15:29 -0400)
committerDaniel Vetter <daniel.vetter@ffwll.ch>
Mon, 13 Jun 2016 15:32:18 +0000 (17:32 +0200)
There were a couple messed up things about this fail path.
(1) it would drop object_name_lock twice
(2) drm_gem_handle_delete() (in drm_gem_remove_prime_handles())
    needs to grab prime_lock

Reported-by: Alex Deucher <alexdeucher@gmail.com>
Signed-off-by: Rob Clark <robdclark@gmail.com>
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Link: http://patchwork.freedesktop.org/patch/msgid/1465500559-17873-1-git-send-email-robdclark@gmail.com
drivers/gpu/drm/drm_prime.c

index aab0f3f1f42d5528efb184770d9f5bc9d949ce9d..780589b420a4f24ece0d64868e22d89a40bd86d9 100644 (file)
@@ -593,7 +593,7 @@ int drm_gem_prime_fd_to_handle(struct drm_device *dev,
                get_dma_buf(dma_buf);
        }
 
-       /* drm_gem_handle_create_tail unlocks dev->object_name_lock. */
+       /* _handle_create_tail unconditionally unlocks dev->object_name_lock. */
        ret = drm_gem_handle_create_tail(file_priv, obj, handle);
        drm_gem_object_unreference_unlocked(obj);
        if (ret)
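Review bot: The reworded comment shortens the callee's name to `_handle_create_tail`, which no longer matches a grep for the real function, and it still leaves out the consequence that caused the double unlock described in the commit message. I would keep the full name and state the rule, e.g. `/* drm_gem_handle_create_tail() unconditionally unlocks dev->object_name_lock, so error paths from here on must not jump to out_unlock. */`. The branch taken by the `if (ret)` that closes this hunk is outside the visible lines, so confirm it targets a label that does not release object_name_lock again.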
@@ -601,11 +601,10 @@ int drm_gem_prime_fd_to_handle(struct drm_device *dev,
 
        ret = drm_prime_add_buf_handle(&file_priv->prime,
                        dma_buf, *handle);
+       mutex_unlock(&file_priv->prime.lock);
        if (ret)
                goto fail;
 
-       mutex_unlock(&file_priv->prime.lock);
-
        dma_buf_put(dma_buf);
 
        return 0;
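Review bot: The `mutex_unlock(&file_priv->prime.lock)` now sits ahead of the `if (ret)` check with nothing in the code saying why, so a later cleanup could easily move it back below the check and bring the deadlock back. A short comment on that line would pin the ordering, e.g. `/* drop prime.lock before the error check: the fail path's drm_gem_handle_delete() ends up taking it */`. Per the commit message the lock is taken via drm_gem_remove_prime_handles(), which is not visible in this hunk. The surrounding function starts and ends outside the hunk.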
@@ -615,11 +614,14 @@ fail:
         * to detach.. which seems ok..
         */
        drm_gem_handle_delete(file_priv, *handle);
+       dma_buf_put(dma_buf);
+       return ret;
+
 out_unlock:
        mutex_unlock(&dev->object_name_lock);
 out_put:
-       dma_buf_put(dma_buf);
        mutex_unlock(&file_priv->prime.lock);
+       dma_buf_put(dma_buf);
        return ret;
 }
 EXPORT_SYMBOL(drm_gem_prime_fd_to_handle);
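Review bot: After this change the three exit labels have different lock preconditions that are not written down anywhere: `fail` must be entered with neither lock held, `out_unlock` with both dev->object_name_lock and prime.lock held, and `out_put` with prime.lock only. Since the original bug was a mismatch in exactly this state, I would put a one-line comment above each label, e.g. `/* fail: no locks held; handle already created and must be deleted */`, `/* out_unlock: object_name_lock and prime.lock held */`, `/* out_put: prime.lock held */`. Separately, `*handle` still carries the id that was just passed to drm_gem_handle_delete() when `fail` returns. Whether any caller reads it on error is not visible here, but if one does, adding `*handle = 0;` before `return ret;` would avoid handing back a dead handle id. The start of the function is outside this hunk.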