On Tue, Jun 19, 2018 at 10:45:31AM -0400, mikita.lipski@amd.com wrote:
From: Mikita Lipski mikita.lipski@amd.com
Use drm_atomic_get_crtc_state to get the crtc state in case it has been previously freed, that might prevent use-after-free issue.
This patch fixes the bugzilla bug: Bug 199425 - BUG: KASAN: use-after-free in drm_atomic_helper_wait_for_flip_done+0x247/0x260
Signed-off-by: Mikita Lipski mikita.lipski@amd.com
drivers/gpu/drm/drm_atomic_helper.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/drm_atomic_helper.c b/drivers/gpu/drm/drm_atomic_helper.c index e8c2493..e083f85 100644 --- a/drivers/gpu/drm/drm_atomic_helper.c +++ b/drivers/gpu/drm/drm_atomic_helper.c @@ -1276,9 +1276,11 @@ void drm_atomic_helper_wait_for_flip_done(struct drm_device *dev, int i;
for_each_new_crtc_in_state(old_state, crtc, new_crtc_state, i) {
struct drm_crtc_commit *commit = new_crtc_state->commit;
struct drm_crtc_commit *commit;int ret;
new_crtc_state = drm_atomic_get_crtc_state(old_state, crtc);commit = new_crtc_state->commit;
Uh no. wait_for_flip done is supposed to be called from the ->atomic_commit hook, and duplicating state objects (as is done by the various get_foo_state functions) is only allowed from the ->atomic_check hook. What that blows up for you, this isn't the fix you're looking for. Aside: get_foo_state can fail, the __must_check annotation should have been a hint for that.
For starters it would be useful if you include the full details of what's going boom in the amdgpu driver for you. -Daniel
if (!commit) continue;-- 2.7.4