
Commit a989f5c6 authored by Lloyd Atkinson's avatar Lloyd Atkinson

drm/msm: use local non-blocking flag to avoid use after free



Avoid checking nonblock flag in the commit packet that gets
dispatched to a worker thread, since that worker thread may free
the commit packet before the dispatch thread has a chance to
read it again after the commit dispatch loop.

Change-Id: Idcbc17dd1cb6df15d0f9607b589587d6f03ee4ff
Signed-off-by: default avatarLloyd Atkinson <latkinso@codeaurora.org>
parent 1d9aee75
+9 −2
@@ -476,6 +476,10 @@ static void msm_atomic_commit_dispatch(struct drm_device *dev,
	struct drm_crtc *crtc = NULL;
	struct drm_crtc_state *crtc_state = NULL;
	int ret = -EINVAL, i = 0, j = 0;
	bool nonblock;

	/* cache since work will kfree commit in non-blocking case */
	nonblock = commit->nonblock;

	for_each_crtc_in_state(state, crtc, crtc_state, i) {
		for (j = 0; j < priv->num_crtcs; j++) {
@@ -515,10 +519,13 @@ static void msm_atomic_commit_dispatch(struct drm_device *dev,
		 */
		DRM_ERROR("failed to dispatch commit to any CRTC\n");
		complete_commit(commit);
	} else if (!commit->nonblock) {
	} else if (!nonblock) {
		kthread_flush_work(&commit->commit_work);
		kfree(commit);
	}

	/* free nonblocking commits in this context, after processing */
	if (!nonblock)
		kfree(commit);
}

/**
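Review bot: The comment added above the final `if (!nonblock)` in the second hunk says the opposite of what the code does: that branch frees blocking commits, while the comment in the first hunk says the worker frees the non-blocking ones. This commit fixes a use-after-free that comes from exactly this ownership split, so the comment should state it correctly, e.g. `/* free blocking commits in this context; non-blocking ones are freed by the worker */`. The failure path also calls `complete_commit(commit)` before reaching this `kfree(commit)`, which is only safe if complete_commit() never frees a blocking commit itself; that function is not visible here, so it is worth confirming. The body of msm_atomic_commit_dispatch starts outside the hunks shown.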