Commit 9469244d authored by Ander Conselvan de Oliveira's avatar Ander Conselvan de Oliveira Committed by Daniel Vetter
Browse files

drm/atomic: Fix potential use of state after free 



The atomic helpers rely on drm_atomic_state_clear() to reset an atomic
state if a retry is needed due to the w/w mutexes. The subsequent calls
to drm_atomic_get_{crtc,plane,...}_state() would then return the stale
pointers in state->{crtc,plane,...}_states.

Signed-off-by: default avatarAnder Conselvan de Oliveira <ander.conselvan.de.oliveira@intel.com>
Signed-off-by: default avatarDaniel Vetter <daniel.vetter@ffwll.ch>
parent 95d6eb3b

drivers/gpu/drm/drm_atomic.c

+3 −0
Original line number Diff line number Diff line
@@ -134,6 +134,7 @@ void drm_atomic_state_clear(struct drm_atomic_state *state) 


		connector->funcs->atomic_destroy_state(connector,

						       state->connector_states[i]);

		state->connector_states[i] = NULL;

	}



	for (i = 0; i < config->num_crtc; i++) {
@@ -144,6 +145,7 @@ void drm_atomic_state_clear(struct drm_atomic_state *state) 


		crtc->funcs->atomic_destroy_state(crtc,

						  state->crtc_states[i]);

		state->crtc_states[i] = NULL;

	}



	for (i = 0; i < config->num_total_plane; i++) {
@@ -154,6 +156,7 @@ void drm_atomic_state_clear(struct drm_atomic_state *state) 


		plane->funcs->atomic_destroy_state(plane,

						   state->plane_states[i]);

		state->plane_states[i] = NULL;

	}

}

EXPORT_SYMBOL(drm_atomic_state_clear);

CRA Git | Maintained and supported by SUSTech CRA and CCSE