drm/core: Fix old_fb handling in drm_mode_atomic_ioctl.

plane_mask should be cleared inside the retry loop, because it gets reset on every retry. Without this fix the plane->fb refcounting might get out of sync on retries, resulting in either leaked memory or use-after-free. Signed-off-by: Maarten Lankhorst <[email protected]> Cc: [email protected] #v4.3 Reviewed-by: Daniel Vetter <[email protected]> Signed-off-by: Jani Nikula <[email protected]> Link: http://patchwork.freedesktop.org/patch/msgid/[email protected]
zubinmehta · Nov 17, 2015 · 4572372 · 4572372
1 parent 24e79d0
commit 4572372
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/drivers/gpu/drm/drm_atomic.c b/drivers/gpu/drm/drm_atomic.c
@@ -1446,7 +1446,7 @@ int drm_mode_atomic_ioctl(struct drm_device *dev,
 	struct drm_plane *plane;
 	struct drm_crtc *crtc;
 	struct drm_crtc_state *crtc_state;
-	unsigned plane_mask = 0;
+	unsigned plane_mask;
 	int ret = 0;
 	unsigned int i, j;
 
@@ -1486,6 +1486,7 @@ int drm_mode_atomic_ioctl(struct drm_device *dev,
 	state->allow_modeset = !!(arg->flags & DRM_MODE_ATOMIC_ALLOW_MODESET);
 
 retry:
+	plane_mask = 0;
 	copied_objs = 0;
 	copied_props = 0;