[PATCH] drm: use atomic helper function to get crtc_state of crtc

[Daniel Vetter]

On Tue, Jun 19, 2018 at 10:45:31AM -0400, mikita.lipski at amd.com wrote:
> From: Mikita Lipski <mikita.lipski at amd.com>
> 
> Use drm_atomic_get_crtc_state to get the crtc state in case
> it has been previously freed, that might prevent use-after-free issue.
> 
> This patch fixes the bugzilla bug:
> Bug 199425 - BUG: KASAN: use-after-free in drm_atomic_helper_wait_for_flip_done+0x247/0x260
> 
> Signed-off-by: Mikita Lipski <mikita.lipski at amd.com>
> ---
>  drivers/gpu/drm/drm_atomic_helper.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/gpu/drm/drm_atomic_helper.c b/drivers/gpu/drm/drm_atomic_helper.c
> index e8c2493..e083f85 100644
> --- a/drivers/gpu/drm/drm_atomic_helper.c
> +++ b/drivers/gpu/drm/drm_atomic_helper.c
> @@ -1276,9 +1276,11 @@ void drm_atomic_helper_wait_for_flip_done(struct drm_device *dev,
>  	int i;
>  
>  	for_each_new_crtc_in_state(old_state, crtc, new_crtc_state, i) {
> -		struct drm_crtc_commit *commit = new_crtc_state->commit;
> +		struct drm_crtc_commit *commit;
>  		int ret;
>  
> +		new_crtc_state = drm_atomic_get_crtc_state(old_state, crtc);
> +		commit = new_crtc_state->commit;

Uh no. wait_for_flip done is supposed to be called from the
->atomic_commit hook, and duplicating state objects (as is done by the
various get_foo_state functions) is only allowed from the ->atomic_check
hook. What that blows up for you, this isn't the fix you're looking for.
Aside: get_foo_state can fail, the __must_check annotation should have
been a hint for that.

For starters it would be useful if you include the full details of what's
going boom in the amdgpu driver for you.
-Daniel
>  		if (!commit)
>  			continue;
>  
> -- 
> 2.7.4
> 

-- 
Daniel Vetter
Software Engineer, Intel Corporation
http://blog.ffwll.ch