From: Dan Carpenter <dan.carpenter@linaro.org>
Date: Wed, 12 Feb 2025 15:23:48 +0000 (+0300)
Subject: drm: writeback: Fix use after free in drm_writeback_connector_cleanup()
X-Git-Tag: block-6.15-20250403~41^2~19^2~59
X-Git-Url: https://git.kernel.dk/?a=commitdiff_plain;h=ff3881cc6a588f8cd714c9ffbbcc9ef6b02c8d0f;p=linux-block.git

drm: writeback: Fix use after free in drm_writeback_connector_cleanup()

The drm_writeback_cleanup_job() function frees "pos" so call
list_del(&pos->list_entry) first to avoid a use after free.

Fixes: 1914ba2b91ea ("drm: writeback: Create drmm variants for drm_writeback_connector initialization")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Link: https://patchwork.freedesktop.org/patch/msgid/78abd541-71e9-4b3b-a05d-2c7caf8d5b2f@stanley.mountain
Signed-off-by: Maxime Ripard <mripard@kernel.org>
---

diff --git a/drivers/gpu/drm/drm_writeback.c b/drivers/gpu/drm/drm_writeback.c
index 3628fbef7752..f139b49af4c9 100644
--- a/drivers/gpu/drm/drm_writeback.c
+++ b/drivers/gpu/drm/drm_writeback.c
@@ -360,8 +360,8 @@ static void drm_writeback_connector_cleanup(struct drm_device *dev,
 
 	spin_lock_irqsave(&wb_connector->job_lock, flags);
 	list_for_each_entry_safe(pos, n, &wb_connector->job_queue, list_entry) {
-		drm_writeback_cleanup_job(pos);
 		list_del(&pos->list_entry);
+		drm_writeback_cleanup_job(pos);
 	}
 	spin_unlock_irqrestore(&wb_connector->job_lock, flags);
 }