Commit d1a59868 authored Mar 10, 2014 by Chris Wilson Committed by Daniel Vetter Mar 10, 2014

drm/i915: Prevent use-after-free of inherited framebuffer

During KMS takeover, we try to capture the current configuration and
preserve it across our initialisation. For a variety of reasons, we may
fail this, for example if the current mode was using the legacy VGA
plane. Under such circumstances, we discard the fb in the plane config
and tried to find a matching fb on another CRTC. This obviously also
failed, leaving the plane config fb dangling, pointing to the freed block.

Regression from
commit 484b41dd
Author: Jesse Barnes <jbarnes@virtuousgeek.org>
Date:   Fri Mar 7 08:57:55 2014 -0800

    drm/i915: remove early fb allocation dependency on CONFIG_FB v2

Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=75963


Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>

parent 484b41dd

drivers/gpu/drm/i915/intel_display.c

+1 −0

Original line number	Original line	Diff line number	Diff line
	@@ -2125,6 +2125,7 @@ static void intel_find_plane_obj(struct intel_crtc *intel_crtc,
	return;		return;

	kfree(intel_crtc->base.fb);		kfree(intel_crtc->base.fb);
			intel_crtc->base.fb = NULL;

	/*		/*
	* Failed to alloc the obj, check to see if we should share		* Failed to alloc the obj, check to see if we should share