Commit 45723728 authored Nov 11, 2015 by Maarten Lankhorst Committed by Jani Nikula Nov 17, 2015

drm/core: Fix old_fb handling in drm_mode_atomic_ioctl.



plane_mask should be cleared inside the retry loop, because it gets
reset on every retry. Without this fix the plane->fb refcounting might
get out of sync on retries, resulting in either leaked memory or
use-after-free.

Signed-off-by: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
Cc: stable@vger.kernel.org #v4.3
Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Signed-off-by: Jani Nikula <jani.nikula@intel.com>
Link: http://patchwork.freedesktop.org/patch/msgid/1447237751-9663-3-git-send-email-maarten.lankhorst@ubuntu.com

parent 24e79d0d

drivers/gpu/drm/drm_atomic.c

+2 −1

Original line number	Diff line number	Diff line
		@@ -1446,7 +1446,7 @@ int drm_mode_atomic_ioctl(struct drm_device *dev,
		struct drm_plane *plane;
		struct drm_crtc *crtc;
		struct drm_crtc_state *crtc_state;
		unsigned plane_mask = 0;
		unsigned plane_mask;
		int ret = 0;
		unsigned int i, j;

		@@ -1486,6 +1486,7 @@ int drm_mode_atomic_ioctl(struct drm_device *dev,
		state->allow_modeset = !!(arg->flags & DRM_MODE_ATOMIC_ALLOW_MODESET);

		retry:
		plane_mask = 0;
		copied_objs = 0;
		copied_props = 0;