drm: Fix fb leaks and WARN spew in get/set_prop ioctls

Dave Airlie had at least the refcount leak fixed in a later patch (but that patch does other things which need a bit more work). But we still have the trouble that silly userspace could hit the WARN_ON in drm_mode_object_find. Fix this all up to make sure we don't leak objects, and don't spew into demsg. Fixes: d0f37cf6 ("drm/mode: move framebuffer reference into object.") Testcase: igt/kms_addfb_basic/invalid-*-prop* Cc: Dave Airlie <airlied@gmail.com> Signed-off-by: Daniel Vetter <daniel.vetter@intel.com> Signed-off-by: Dave Airlie <airlied@redhat.com>

drm: Fix fb leaks and WARN spew in get/set_prop ioctls
Dave Airlie had at least the refcount leak fixed in a later patch (but that patch does other things which need a bit more work). But we still have the trouble that silly userspace could hit the WARN_ON in drm_mode_object_find. Fix this all up to make sure we don't leak objects, and don't spew into demsg. Fixes: d0f37cf6 ("drm/mode: move framebuffer reference into object.") Testcase: igt/kms_addfb_basic/invalid-*-prop* Cc: Dave Airlie <airlied@gmail.com> Signed-off-by: Daniel Vetter <daniel.vetter@intel.com> Signed-off-by: Dave Airlie <airlied@redhat.com>
1649c33b · Daniel Vetter · Dave Airlie · 05981422 · 1649c33b
Commit 1649c33b authored Apr 22, 2016 by Daniel Vetter Committed by Dave Airlie Apr 27, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 9 additions and 7 deletions

drivers/gpu/drm/drm_crtc.c drivers/gpu/drm/drm_crtc.c +9 -7

No files found.
--- a/drivers/gpu/drm/drm_crtc.c
+++ b/drivers/gpu/drm/drm_crtc.c
@@ -389,9 +389,7 @@ struct drm_mode_object *drm_mode_object_find(struct drm_device *dev,
 {
 	struct drm_mode_object *obj = NULL;
-	/* Framebuffers are reference counted and need their own lookup
+	WARN_ON(type == DRM_MODE_OBJECT_BLOB);
-	 * function.*/
-	WARN_ON(type == DRM_MODE_OBJECT_FB || type == DRM_MODE_OBJECT_BLOB);
 	obj = _object_find(dev, id, type);
 	return obj;
 }
@@ -5005,7 +5003,7 @@ int drm_mode_obj_get_properties_ioctl(struct drm_device *dev, void *data,
 	}
 	if (!obj->properties) {
 		ret = -EINVAL;
-		goto out;
+		goto out_unref;
 	}
 	ret = get_properties(obj, file_priv->atomic,
@@ -5013,6 +5011,8 @@ int drm_mode_obj_get_properties_ioctl(struct drm_device *dev, void *data,
 			(uint64_t __user *)(unsigned long)(arg->prop_values_ptr),
 			&arg->count_props);
+out_unref:
+	drm_mode_object_unreference(obj);
 out:
 	drm_modeset_unlock_all(dev);
 	return ret;
@@ -5055,20 +5055,20 @@ int drm_mode_obj_set_property_ioctl(struct drm_device *dev, void *data,
 		goto out;
 	}
 	if (!arg_obj->properties)
-		goto out;
+		goto out_unref;
 	for (i = 0; i < arg_obj->properties->count; i++)
 		if (arg_obj->properties->properties[i]->base.id == arg->prop_id)
 			break;
 	if (i == arg_obj->properties->count)
-		goto out;
+		goto out_unref;
 	prop_obj = drm_mode_object_find(dev, arg->prop_id,
 					DRM_MODE_OBJECT_PROPERTY);
 	if (!prop_obj) {
 		ret = -ENOENT;
-		goto out;
+		goto out_unref;
 	}
 	property = obj_to_property(prop_obj);
@@ -5091,6 +5091,8 @@ int drm_mode_obj_set_property_ioctl(struct drm_device *dev, void *data,
 	drm_property_change_valid_put(property, ref);
+out_unref:
+	drm_mode_object_unreference(arg_obj);
 out:
 	drm_modeset_unlock_all(dev);
 	return ret;