From: Nick Hoath Date: Thu, 29 Jan 2015 16:55:07 +0000 (+0000) Subject: drm/i915: Fix a use-after-free in intel_execlists_retire_requests X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=f82107950e9bda3779610e37bdfdccae6fc16f87;p=GitHub%2FLineageOS%2Fandroid_kernel_motorola_exynos9610.git drm/i915: Fix a use-after-free in intel_execlists_retire_requests Remove request from list before unreferencing it, in case it's actually the only reference. (Found by Tvrtko Ursulin) This issue has been most likely introduced in commit 6d3d8274bc45de4babb62d64562d92af984dd238 Author: Nick Hoath Date: Thu Jan 15 13:10:39 2015 +0000 drm/i915: Subsume intel_ctx_submit_request in to drm_i915_gem_request Signed-off-by: Nick Hoath Reviewed-by: Mika Kuoppala Signed-off-by: Daniel Vetter --- diff --git a/drivers/gpu/drm/i915/intel_lrc.c b/drivers/gpu/drm/i915/intel_lrc.c index 70e449b702cc..a94346fee160 100644 --- a/drivers/gpu/drm/i915/intel_lrc.c +++ b/drivers/gpu/drm/i915/intel_lrc.c @@ -732,8 +732,8 @@ void intel_execlists_retire_requests(struct intel_engine_cs *ring) intel_lr_context_unpin(ring, ctx); intel_runtime_pm_put(dev_priv); i915_gem_context_unreference(ctx); - i915_gem_request_unreference(req); list_del(&req->execlist_link); + i915_gem_request_unreference(req); } }