[PATCH] drm/atomic: Fix potential use of state after free
Daniel Vetter
daniel at ffwll.ch
Thu Jan 22 23:55:07 PST 2015
On Fri, Jan 23, 2015 at 09:27:59AM +0200, Ander Conselvan de Oliveira wrote:
> The atomic helpers rely on drm_atomic_state_clear() to reset an atomic
> state if a retry is needed due to the w/w mutexes. The subsequent calls
> to drm_atomic_get_{crtc,plane,...}_state() would then return the stale
> pointers in state->{crtc,plane,...}_states.
>
> Signed-off-by: Ander Conselvan de Oliveira <ander.conselvan.de.oliveira at intel.com>
Oops, pretty bad oversight. Kinda wonder why that hasn't blown up
anywhere yet - plain legacy paths can't really fail with retries yet since
we usually grab all the locks. But real atomic_ioctl should have fallen
over with ww mutex debugging ...
Anyway, thanks for the patch, applied to my atomic branch.
-Daniel
> ---
> drivers/gpu/drm/drm_atomic.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/drivers/gpu/drm/drm_atomic.c b/drivers/gpu/drm/drm_atomic.c
> index 1b31982..9d16fa4 100644
> --- a/drivers/gpu/drm/drm_atomic.c
> +++ b/drivers/gpu/drm/drm_atomic.c
> @@ -134,6 +134,7 @@ void drm_atomic_state_clear(struct drm_atomic_state *state)
>
> connector->funcs->atomic_destroy_state(connector,
> state->connector_states[i]);
> + state->connector_states[i] = NULL;
> }
>
> for (i = 0; i < config->num_crtc; i++) {
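Review bot: In the connector loop only `state->connector_states[i]` is reset after the `atomic_destroy_state()` call. The `connector` pointer passed to that call is looked up above the visible context; if it also comes from a per-state array, that entry stays populated after the clear. Worth checking whether it needs the same reset, so that a retried state does not pair a leftover object pointer with a NULL state slot.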
> @@ -144,6 +145,7 @@ void drm_atomic_state_clear(struct drm_atomic_state *state)
>
> crtc->funcs->atomic_destroy_state(crtc,
> state->crtc_states[i]);
> + state->crtc_states[i] = NULL;
> }
>
> for (i = 0; i < config->num_total_plane; i++) {
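Review bot: Missing documentation at the new `state->crtc_states[i] = NULL;` line: nothing in the code says why the slot is reset. The reason is given only in the commit message (a retry due to the w/w mutexes reuses the state, and the drm_atomic_get_{crtc,plane,...}_state() calls would return the stale pointers). A one-line comment here, or once above the three loops, would keep a later cleanup from dropping the assignments as redundant.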
> @@ -154,6 +156,7 @@ void drm_atomic_state_clear(struct drm_atomic_state *state)
>
> plane->funcs->atomic_destroy_state(plane,
> state->plane_states[i]);
> + state->plane_states[i] = NULL;
> }
> }
> EXPORT_SYMBOL(drm_atomic_state_clear);
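Review bot: drm_atomic_state_clear() is exported (`EXPORT_SYMBOL` at the end of this hunk), so its function comment should state the post-condition this patch introduces: after it returns, every `connector_states[i]`, `crtc_states[i]` and `plane_states[i]` slot that held a state is NULL and the state can be reused for a retry. The diffstat shows three insertions only, so the function comment is left as it was while the behaviour callers can rely on has changed.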
> --
> 1.9.1
>
--
Daniel Vetter
Software Engineer, Intel Corporation
+41 (0) 79 365 57 48 - http://blog.ffwll.ch
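
A simplified userspace model of the stale-pointer problem described in the commit message, added here as an illustration; it is not the DRM code and not part of the patch. All names (`get_state`, `state_clear`, `backing`, the `live` flag) are hypothetical, and it assumes a getter that trusts any non-NULL slot as the cached state.

```c
#include <stdbool.h>
#include <stdio.h>

#define NUM_OBJS 2

/* Constructed stand-in for a crtc/plane/connector state; 'live' models
 * allocation status so staleness shows without touching freed memory. */
struct obj_state { bool live; };
struct atomic_state { struct obj_state *states[NUM_OBJS]; };
static struct obj_state backing[NUM_OBJS];   /* one backing object per slot */

/* Assumed getter behaviour: a non-NULL slot is trusted as the cached state. */
static struct obj_state *get_state(struct atomic_state *st, int idx)
{
    if (!st->states[idx]) {
        backing[idx].live = true;            /* "allocate" a fresh state */
        st->states[idx] = &backing[idx];
    }
    return st->states[idx];
}

/* reset_slots=false models the code before the patch, true the code after. */
static void state_clear(struct atomic_state *st, bool reset_slots)
{
    for (int i = 0; i < NUM_OBJS; i++) {
        if (!st->states[i])
            continue;
        st->states[i]->live = false;         /* "destroy" the object state */
        if (reset_slots)
            st->states[i] = NULL;
    }
}

/* One backoff retry: get, clear, get again; true if the second get is live. */
static bool retry_gets_live_state(bool reset_slots)
{
    struct atomic_state st = { { NULL } };
    get_state(&st, 0);
    state_clear(&st, reset_slots);
    bool live = get_state(&st, 0)->live;
    state_clear(&st, true);                  /* leave the model clean */
    return live;
}

int main(void)
{
    printf("before: %d, after: %d\n", retry_gets_live_state(false), retry_gets_live_state(true));
    return 0;
}
```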