drm: Delete the vblank timer synchronously at cleanup time

A race condition exists in drm_vblank_cleanup() if the vblank disable
timer callback runs after freeing the memory that its callback function
tries to access. Fix this by deleting the timer synchronously.

Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>

diff --git a/drivers/gpu/drm/drm_irq.c b/drivers/gpu/drm/drm_irq.c
index c869436e238a1b0fd375af236c57df29fb4be7a2..acd2cb45a513cbb669d56f30e1ec59a6d9e882da 100644 (file)
--- a/drivers/gpu/drm/drm_irq.c
+++ b/drivers/gpu/drm/drm_irq.c
@@ -189,7 +189,7 @@ void drm_vblank_cleanup(struct drm_device *dev)
        if (dev->num_crtcs == 0)
                return;
 
-       del_timer(&dev->vblank_disable_timer);
+       del_timer_sync(&dev->vblank_disable_timer);
 
        vblank_disable_fn((unsigned long)dev);