From 9469244d869623e8b54d9f3d4d00737e377af273 Mon Sep 17 00:00:00 2001
From: Ander Conselvan de Oliveira
Date: Fri, 23 Jan 2015 09:27:59 +0200
Subject: [PATCH] drm/atomic: Fix potential use of state after free

The atomic helpers rely on drm_atomic_state_clear() to reset an atomic state if a retry is needed due to the w/w mutexes. The subsequent calls to drm_atomic_get_{crtc,plane,...}_state() would then return the stale pointers in state->{crtc,plane,...}_states.

Signed-off-by: Ander Conselvan de Oliveira
Signed-off-by: Daniel Vetter
---
 drivers/gpu/drm/drm_atomic.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/gpu/drm/drm_atomic.c b/drivers/gpu/drm/drm_atomic.c
index ee68267bb326..dab838b02fb7 100644
--- a/drivers/gpu/drm/drm_atomic.c
+++ b/drivers/gpu/drm/drm_atomic.c
@@ -134,6 +134,7 @@ void drm_atomic_state_clear(struct drm_atomic_state *state)
 
 connector->funcs->atomic_destroy_state(connector,
 state->connector_states[i]);
+ state->connector_states[i] = NULL;
 }
 
 for (i = 0; i < config->num_crtc; i++) {
@@ -144,6 +145,7 @@ void drm_atomic_state_clear(struct drm_atomic_state *state)
 
 crtc->funcs->atomic_destroy_state(crtc,
 state->crtc_states[i]);
+ state->crtc_states[i] = NULL;
 }
 
 for (i = 0; i < config->num_total_plane; i++) {
@@ -154,6 +156,7 @@ void drm_atomic_state_clear(struct drm_atomic_state *state)
 
 plane->funcs->atomic_destroy_state(plane,
 state->plane_states[i]);
+ state->plane_states[i] = NULL;
 }
 }
 EXPORT_SYMBOL(drm_atomic_state_clear);
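Review bot: In all three loops (connector, crtc and plane hunks) only the `*_states[i]` slot is reset after `atomic_destroy_state()`, while the object slot that presumably selects which entries get destroyed is left untouched. The loop heads and guards are outside the hunks, so this is inferred: if each iteration is gated on the object pointer rather than on the state pointer, a second `drm_atomic_state_clear()` or a later free of the same state would reach `atomic_destroy_state(obj, NULL)`, and a driver callback that dereferences its argument would then fault. Consider clearing the object slot at the same point (presumably `state->connectors[i] = NULL;` and its crtc/plane counterparts), or skipping entries already cleared with `if (!state->connector_states[i]) continue;`. A short comment above each reset, such as `/* drop the stale pointer so a retry after w/w backoff re-acquires the state */`, would also record why the assignment is needed.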