[PATCH] drm: Unlink dead file_priv from list of active files first

[Chris Wilson <chris@chris-wilson.co.uk>]

In order to prevent external observers walking the list of open DRM
files from seeing an invalid drm_file_private in the process of being
torndown, the first operation we need to take is to unlink the
drm_file_private from that list.

	general protection fault: 0000 [#1] PREEMPT SMP
	Modules linked in: i915 i2c_algo_bit drm_kms_helper drm lpc_ich mfd_core nls_iso8859_1 i2c_hid video hid_generic usbhid hid e1000e ahci ptp libahci pps_core
	CPU: 3 PID: 8220 Comm: cat Not tainted 3.16.0-rc6+ #4
	Hardware name: Intel Corporation Shark Bay Client platform/WhiteTip Mountain 1, BIOS HSWLPTU1.86C.0119.R00.1303230105 03/23/2013
	task: ffff8800219642c0 ti: ffff880047024000 task.ti: ffff880047024000
	RIP: 0010:[<ffffffffa0137c70>]  [<ffffffffa0137c70>] per_file_stats+0x110/0x160 [i915]
	RSP: 0018:ffff880047027d48  EFLAGS: 00010246
	RAX: 6b6b6b6b6b6b6b6b RBX: ffff880047027e30 RCX: 0000000000000000
	RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff88003a05cd00
	RBP: ffff880047027d58 R08: 0000000000000001 R09: 0000000000000000
	R10: ffff8800219642c0 R11: 0000000000000000 R12: ffff88003a05cd00
	R13: 0000000000000000 R14: ffff88003a05cd00 R15: ffff880047027d88
	FS:  00007f5f73a13740(0000) GS:ffff88014e380000(0000) knlGS:0000000000000000
	CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
	CR2: 00000000023ff038 CR3: 0000000021a4b000 CR4: 00000000001407e0
	Stack:
	 0000000000000001 000000000000ffff ffff880047027dc8 ffffffff813438e4
	 ffff880047027e30 ffffffffa0137b60 ffff880021a8af58 ffff880021a8f1a0
	 ffff8800a2061fb0 ffff8800a2062048 ffff8800a2061fb0 ffff8800a1e23478
	Call Trace:
	 [<ffffffff813438e4>] idr_for_each+0xf4/0x180
	 [<ffffffffa0137b60>] ? i915_gem_stolen_list_info+0x1f0/0x1f0 [i915]
	 [<ffffffffa013a17a>] i915_gem_object_info+0x5ca/0x6a0 [i915]
	 [<ffffffff81193ec5>] seq_read+0xf5/0x3a0
	 [<ffffffff8116d950>] vfs_read+0x90/0x150
	 [<ffffffff8116e509>] SyS_read+0x49/0xb0
	 [<ffffffff815d8622>] tracesys+0xd0/0xd5
	Code: 01 00 00 49 39 84 24 08 01 00 00 74 55 49 8b 84 24 b8 00 00 00 48 01 43 18 31 c0 5b 41 5c 5d c3 0f 1f 00 49 8b 44 24 08 4c 89 e7 <48> 8b 70 28 48 81 c6 48 80 00 00 e8 80 14 01 00 84 c0 74 bc 49
	RIP  [<ffffffffa0137c70>] per_file_stats+0x110/0x160 [i915]
	RSP <ffff880047027d48>

Reported-by: "Ursulin, Tvrtko" <tvrtko.ursulin@intel.com>
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=81712
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Cc: "Ursulin, Tvrtko" <tvrtko.ursulin@intel.com>
---
 drivers/gpu/drm/drm_fops.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/drivers/gpu/drm/drm_fops.c b/drivers/gpu/drm/drm_fops.c
index a0c63cf..aff8217 100644
--- a/drivers/gpu/drm/drm_fops.c
+++ b/drivers/gpu/drm/drm_fops.c
@@ -416,6 +416,10 @@ int drm_release(struct inode *inode, struct file *filp)
 
 	DRM_DEBUG("open_count = %d\n", dev->open_count);
 
+	mutex_lock(&dev->struct_mutex);
+	list_del(&file_priv->lhead);
+	mutex_unlock(&dev->struct_mutex);
+
 	if (dev->driver->preclose)
 		dev->driver->preclose(dev, file_priv);
 
@@ -509,10 +513,6 @@ int drm_release(struct inode *inode, struct file *filp)
 	file_priv->is_master = 0;
 	mutex_unlock(&dev->master_mutex);
 
-	mutex_lock(&dev->struct_mutex);
-	list_del(&file_priv->lhead);
-	mutex_unlock(&dev->struct_mutex);
-
 	if (dev->driver->postclose)
 		dev->driver->postclose(dev, file_priv);
 
-- 
1.9.1