[BUG] drm: vc4: refcount_t: increment on 0; use-after-free.
Stefan Wahren
stefan.wahren at i2se.com
Wed Nov 22 18:17:53 UTC 2017
Hi Boris,
> Boris Brezillon <boris.brezillon at free-electrons.com> wrote on 22 November 2017 at 18:51:
>
>
> Hi Stefan,
>
> On Wed, 22 Nov 2017 17:43:35 +0100 (CET)
> Stefan Wahren <stefan.wahren at i2se.com> wrote:
> ...
>
> Looks like I didn't test this code with CONFIG_REFCOUNT_FULL enabled :-/.
>
> Anyway, can you try to apply the following diff and let me know if it
> fixes the problem?
Yes, this fixes the problem.
>
> Thanks,
>
> Boris
>
> --->8---
> diff --git a/drivers/gpu/drm/vc4/vc4_bo.c b/drivers/gpu/drm/vc4/vc4_bo.c
> index 4ae45d7dac42..2decc8e2c79f 100644
> --- a/drivers/gpu/drm/vc4/vc4_bo.c
> +++ b/drivers/gpu/drm/vc4/vc4_bo.c
> @@ -637,7 +637,8 @@ int vc4_bo_inc_usecnt(struct vc4_bo *bo)
> mutex_lock(&bo->madv_lock);
> switch (bo->madv) {
> case VC4_MADV_WILLNEED:
> - refcount_inc(&bo->usecnt);
> + if (!refcount_inc_not_zero(&bo->usecnt))
> + refcount_set(&bo->usecnt, 1);
> ret = 0;
> break;
> case VC4_MADV_DONTNEED:
>
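Review bot: In the VC4_MADV_WILLNEED case, the pair "if (!refcount_inc_not_zero(&bo->usecnt))" followed by "refcount_set(&bo->usecnt, 1);" is not atomic by itself; it is only safe because bo->madv_lock is held here, so every 0 to 1 transition is serialized by that mutex. That assumption deserves a short comment above the two lines, and the decrement side, which this hunk does not show, should be checked to confirm it cannot drop usecnt to 0 or act on a zero count between the failed inc_not_zero and the set without taking the same lock. It also reads as a workaround for using refcount_t on a counter whose resting value is legitimately 0; if that is the intended semantics, say so in the comment so the refcount_set is not later mistaken for a resurrected object.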
More information about the dri-devel
mailing list