drm/atomic: Fix potential use of state after free
authorAnder Conselvan de Oliveira <ander.conselvan.de.oliveira@intel.com>
Fri, 23 Jan 2015 07:27:59 +0000 (09:27 +0200)
committerDaniel Vetter <daniel.vetter@ffwll.ch>
Tue, 27 Jan 2015 09:02:52 +0000 (10:02 +0100)
The atomic helpers rely on drm_atomic_state_clear() to reset an atomic
state if a retry is needed due to the w/w mutexes. The subsequent calls
to drm_atomic_get_{crtc,plane,...}_state() would then return the stale
pointers in state->{crtc,plane,...}_states.

Signed-off-by: Ander Conselvan de Oliveira <ander.conselvan.de.oliveira@intel.com>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
drivers/gpu/drm/drm_atomic.c

index ee68267bb32624de47003710dabecf4f7fbed25e..dab838b02fb75db61ee9162f472924db9a89a017 100644 (file)
@@ -134,6 +134,7 @@ void drm_atomic_state_clear(struct drm_atomic_state *state)
 
                connector->funcs->atomic_destroy_state(connector,
                                                       state->connector_states[i]);
+               state->connector_states[i] = NULL;
        }
 
        for (i = 0; i < config->num_crtc; i++) {
@@ -144,6 +145,7 @@ void drm_atomic_state_clear(struct drm_atomic_state *state)
 
                crtc->funcs->atomic_destroy_state(crtc,
                                                  state->crtc_states[i]);
+               state->crtc_states[i] = NULL;
        }
 
        for (i = 0; i < config->num_total_plane; i++) {
@@ -154,6 +156,7 @@ void drm_atomic_state_clear(struct drm_atomic_state *state)
 
                plane->funcs->atomic_destroy_state(plane,
                                                   state->plane_states[i]);
+               state->plane_states[i] = NULL;
        }
 }
 EXPORT_SYMBOL(drm_atomic_state_clear);