On Tue, Mar 22, 2016 at 03:42:14PM +0100, Maarten Lankhorst wrote:
__drm_atomic_helper_plane_destroy_state calls drm_framebuffer_unreference, which means that if drm_framebuffer_free is called before plane->destroy freed memory will be accessed.
A similar case happens for the blob list, which was freed before the crtc state was, resulting in the unreference_blob from crtc_destroy_state pointing to garbage memory causing another opportunity for a GPF.
Signed-off-by: Maarten Lankhorst maarten.lankhorst@linux.intel.com
drivers/gpu/drm/drm_crtc.c | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/drivers/gpu/drm/drm_crtc.c b/drivers/gpu/drm/drm_crtc.c index 51c5a00ffdff..5a13b1afccbe 100644 --- a/drivers/gpu/drm/drm_crtc.c +++ b/drivers/gpu/drm/drm_crtc.c @@ -5958,6 +5958,15 @@ void drm_mode_config_cleanup(struct drm_device *dev) drm_property_destroy(dev, property); }
And what about props? Any chance of explosion due to those being gone?
- list_for_each_entry_safe(plane, plt, &dev->mode_config.plane_list,
head) {plane->funcs->destroy(plane);- }
- list_for_each_entry_safe(crtc, ct, &dev->mode_config.crtc_list, head) {
crtc->funcs->destroy(crtc);- }
- list_for_each_entry_safe(blob, bt, &dev->mode_config.property_blob_list, head_global) { drm_property_unreference_blob(blob);
@@ -5976,15 +5985,6 @@ void drm_mode_config_cleanup(struct drm_device *dev) drm_framebuffer_free(&fb->refcount); }
- list_for_each_entry_safe(plane, plt, &dev->mode_config.plane_list,
head) {plane->funcs->destroy(plane);- }
- list_for_each_entry_safe(crtc, ct, &dev->mode_config.crtc_list, head) {
crtc->funcs->destroy(crtc);- }
- ida_destroy(&dev->mode_config.connector_ida); idr_destroy(&dev->mode_config.tile_idr); idr_destroy(&dev->mode_config.crtc_idr);
-- 2.1.0
dri-devel mailing list dri-devel@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/dri-devel