drm/prime: fix potential race in drm_gem_map_detach

Unpin the GEM object only after freeing the sg table.

Signed-off-by: Christian König <christian.koenig@amd.com>
Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Acked-by: Roger He <Hongbo.He@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20180227115000.4105-1-christian.koenig@amd.com

diff --git a/drivers/gpu/drm/drm_prime.c b/drivers/gpu/drm/drm_prime.c
index e82a976f0fbadc746b51cead7632fa5066d9dd76..c38dacda6119645dc2fc9701cb3b2570c9d84be3 100644 (file)
--- a/drivers/gpu/drm/drm_prime.c
+++ b/drivers/gpu/drm/drm_prime.c
@@ -230,26 +230,26 @@ void drm_gem_map_detach(struct dma_buf *dma_buf,
        struct drm_prime_attachment *prime_attach = attach->priv;
        struct drm_gem_object *obj = dma_buf->priv;
        struct drm_device *dev = obj->dev;
-       struct sg_table *sgt;
 
-       if (dev->driver->gem_prime_unpin)
-               dev->driver->gem_prime_unpin(obj);
+       if (prime_attach) {
+               struct sg_table *sgt = prime_attach->sgt;
 
-       if (!prime_attach)
-               return;
-
-       sgt = prime_attach->sgt;
-       if (sgt) {
-               if (prime_attach->dir != DMA_NONE)
-                       dma_unmap_sg_attrs(attach->dev, sgt->sgl, sgt->nents,
-                                          prime_attach->dir,
-                                          DMA_ATTR_SKIP_CPU_SYNC);
-               sg_free_table(sgt);
+               if (sgt) {
+                       if (prime_attach->dir != DMA_NONE)
+                               dma_unmap_sg_attrs(attach->dev, sgt->sgl,
+                                                  sgt->nents,
+                                                  prime_attach->dir,
+                                                  DMA_ATTR_SKIP_CPU_SYNC);
+                       sg_free_table(sgt);
+               }
+
+               kfree(sgt);
+               kfree(prime_attach);
+               attach->priv = NULL;
        }
 
-       kfree(sgt);
-       kfree(prime_attach);
-       attach->priv = NULL;
+       if (dev->driver->gem_prime_unpin)
+               dev->driver->gem_prime_unpin(obj);
 }
 EXPORT_SYMBOL(drm_gem_map_detach);