From f67e946bf215f05be51f5579fcfc164c01b9c4f2 Mon Sep 17 00:00:00 2001 From: David Herrmann Date: Sun, 20 Oct 2013 18:55:44 +0200 Subject: [PATCH] drm: remove minor-id during unplug Don't delay minor removal to drm_put_minor(). Otherwise, user-space can still open the minor and cause the kernel to oops. Instead, remove the minor during unplug so any new open() will fail to access this minor. Note that open() and drm_unplug_minor() are both protected by the global DRM mutex so we're fine. Signed-off-by: David Herrmann Signed-off-by: Dave Airlie --- drivers/gpu/drm/drm_stub.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/drivers/gpu/drm/drm_stub.c b/drivers/gpu/drm/drm_stub.c index b37b0d9..e7c31e8 100644 --- a/drivers/gpu/drm/drm_stub.c +++ b/drivers/gpu/drm/drm_stub.c @@ -346,6 +346,7 @@ static void drm_unplug_minor(struct drm_minor *minor) #endif drm_sysfs_device_remove(minor); + idr_remove(&drm_minors_idr, minor->index); } /** @@ -365,9 +366,6 @@ static void drm_put_minor(struct drm_minor *minor) DRM_DEBUG("release secondary minor %d\n", minor->index); drm_unplug_minor(minor); - - idr_remove(&drm_minors_idr, minor->index); - kfree(minor); } -- 2.7.4
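Review bot: The added `idr_remove(&drm_minors_idr, minor->index);` at the end of drm_unplug_minor() now runs on every call, and drm_put_minor() still calls drm_unplug_minor(), so a minor that was already unplugged could have its index removed a second time unless a guard at the top of the function (which starts outside this hunk) returns first. If that index has been handed to another minor in the meantime, the second removal would drop the other minor's entry; conversely, a guard that returns early for a never-registered minor would now leave its id allocated, since drm_put_minor() no longer removes it. It is worth confirming which case applies and documenting it above the new line, e.g. `/* releases minor->index; must not run twice for one minor; caller holds the global DRM mutex against open() */`. The serialization with open() is stated only in the commit message, and nothing in the visible lines enforces it.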