From: YoungJun Cho <yj44.cho@samsung.com>
Date: Tue, 29 Oct 2013 11:30:26 +0000 (+0900)
Subject: drm: delete unconsumed pending event list in drm_events_release
X-Git-Tag: accepted/tizen/common/20150114.162108~4
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=942d62204e43fa8280f702e4bed9f65aa3cde745;p=platform%2Fkernel%2Flinux-3.10.git

drm: delete unconsumed pending event list in drm_events_release

When there are unconsumed pending events, the events are
destroyed by calling destroy callback, but the events list
are remained, because there is no list_del().

It is possible that the page flip request is handled after
drm_events_release() is called and before drm_fb_release().
In this case a drm_pending_event is remained not freed.
So exynos driver checks again to remove it in its post
close routine. But the file_priv->event_list contains
undeleted ones, this can make oops for accessing invalid
memory.

Signed-off-by: YoungJun Cho <yj44.cho@samsung.com>
Signed-off-by: Kyungmin Park <kyungmin.park@samsung.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>

Change-Id: I25a471f4f4929150542eb6273c7673b9f44936b6
[back-ported from mainline to fix use after free issue]
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
---

diff --git a/drivers/gpu/drm/drm_fops.c b/drivers/gpu/drm/drm_fops.c
index 3653955..bbe3bc0 100644
--- a/drivers/gpu/drm/drm_fops.c
+++ b/drivers/gpu/drm/drm_fops.c
@@ -410,8 +410,10 @@ static void drm_events_release(struct drm_file *file_priv)
 		}
 
 	/* Remove unconsumed events */
-	list_for_each_entry_safe(e, et, &file_priv->event_list, link)
+	list_for_each_entry_safe(e, et, &file_priv->event_list, link) {
+		list_del(&e->link);
 		e->destroy(e);
+	}
 
 	spin_unlock_irqrestore(&dev->event_lock, flags);
 }