[PATCH 2/5] drm/core: Fix old_fb handling in drm_mode_atomic_ioctl.

Daniel Vetter daniel at ffwll.ch
Tue Nov 17 01:54:28 PST 2015


On Wed, Nov 11, 2015 at 11:29:08AM +0100, Maarten Lankhorst wrote:
> From: Maarten Lankhorst <maarten.lankhorst at linux.intel.com>
> 
> plane_mask should be cleared inside the retry loop,
> because it gets reset on every retry.
> 
> Signed-off-by: Maarten Lankhorst <maarten.lankhorst at linux.intel.com>
> Cc: stable at vger.kernel.org #v4.3

Nice catch, but a bit of a terse commit message. We should add "Without this
fix the plane->fb refcounting might get out of sync on retries, resulting
in either leaked memory or use-after-free." With that:

Reviewed-by: Daniel Vetter <daniel.vetter at ffwll.ch>

> ---
>  drivers/gpu/drm/drm_atomic.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/gpu/drm/drm_atomic.c b/drivers/gpu/drm/drm_atomic.c
> index 7bb3845d9974..0ac31b1ecb67 100644
> --- a/drivers/gpu/drm/drm_atomic.c
> +++ b/drivers/gpu/drm/drm_atomic.c
> @@ -1446,7 +1446,7 @@ int drm_mode_atomic_ioctl(struct drm_device *dev,
>  	struct drm_plane *plane;
>  	struct drm_crtc *crtc;
>  	struct drm_crtc_state *crtc_state;
> -	unsigned plane_mask = 0;
> +	unsigned plane_mask;
>  	int ret = 0;
>  	unsigned int i, j;
>  
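
Review bot: Dropping the initialiser on `unsigned plane_mask;` leaves the variable undefined for everything between its declaration and the `retry:` label, so any early exit in that stretch that ends up in code reading plane_mask would use garbage. The hunk does not show those paths; either confirm that none of them reads it, or keep `unsigned plane_mask = 0;` here as well, since the reset at `retry:` is what does the fix and the extra initialiser costs nothing.
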
> @@ -1486,6 +1486,7 @@ int drm_mode_atomic_ioctl(struct drm_device *dev,
>  	state->allow_modeset = !!(arg->flags & DRM_MODE_ATOMIC_ALLOW_MODESET);
>  
>  retry:
> +	plane_mask = 0;
>  	copied_objs = 0;
>  	copied_props = 0;
>  
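
Review bot: The new `plane_mask = 0;` under `retry:` carries no comment explaining why it has to sit with `copied_objs = 0;` and `copied_props = 0;`. A one-line comment that this is per-attempt state and bits left from a previous pass must not survive a retry would stop someone from folding it back into the declaration later. Since the patch is tagged for stable, the changelog should also state the consequence raised in the review (plane->fb refcounting getting out of sync on retries).
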
> -- 
> 2.1.0
> 
> _______________________________________________
> dri-devel mailing list
> dri-devel at lists.freedesktop.org
> http://lists.freedesktop.org/mailman/listinfo/dri-devel

-- 
Daniel Vetter
Software Engineer, Intel Corporation
http://blog.ffwll.ch

