Commit f67e946b authored Oct 20, 2013 by David Herrmann Committed by Dave Airlie Nov 06, 2013

drm: remove minor-id during unplug



Don't delay minor removal to drm_put_minor(). Otherwise, user-space can
still open the minor and cause the kernel to oops. Instead, remove the
minor during unplug so any new open() will fail to access this minor.

Note that open() and drm_unplug_minor() are both protected by the global
DRM mutex so we're fine.

Signed-off-by: David Herrmann <dh.herrmann@gmail.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>

parent 865fb47f

drivers/gpu/drm/drm_stub.c

+1 −3

Original line number	Diff line number	Diff line
		@@ -346,6 +346,7 @@ static void drm_unplug_minor(struct drm_minor *minor)
		#endif

		drm_sysfs_device_remove(minor);
		idr_remove(&drm_minors_idr, minor->index);
		}

		/**
		@@ -365,9 +366,6 @@ static void drm_put_minor(struct drm_minor *minor)
		DRM_DEBUG("release secondary minor %d\n", minor->index);

		drm_unplug_minor(minor);

		idr_remove(&drm_minors_idr, minor->index);

		kfree(minor);
		}