[RFC 4/7] drm/prime: Clear drm_gem_object->dma_buf on release

Sun Dec 31 13:58:40 UTC 2017

Clear the pointer so the buffer can be re-exported. Otherwise use
after free happens in the next call to drm_gem_prime_handle_to_fd().

Signed-off-by: Noralf Trønnes <noralf at tronnes.org>
---
 drivers/gpu/drm/drm_prime.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/gpu/drm/drm_prime.c b/drivers/gpu/drm/drm_prime.c
index 9a17725b0f7a..3214c0eb7466 100644
--- a/drivers/gpu/drm/drm_prime.c
+++ b/drivers/gpu/drm/drm_prime.c
@@ -343,6 +343,7 @@ void drm_gem_dmabuf_release(struct dma_buf *dma_buf)
 
 	/* drop the reference on the export fd holds */
 	drm_gem_object_put_unlocked(obj);
+	obj->dma_buf = NULL;
 
 	drm_dev_put(dev);
 }
-- 
2.14.2

