From: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
Date: Wed, 17 Jan 2018 22:18:41 +0200
Subject: drm: rcar-du: Zero-out sg_tables when duplicating plane state
Git-commit: 75a07f399cd43bc7fb41a13723fbe04e61c5c470
Patch-mainline: v4.18-rc1
References: FATE#326289 FATE#326079 FATE#326049 FATE#322398 FATE#326166
The state structure for VSP-backed planes, rcar_du_vsp_plane_state,
contains sg tables that track framebuffer mapping performed in the
.prepare_fb() operation to unmap them in .cleanup_fb(). The tables are
incorrectly copied when duplicating state, which can result :
Zero-out sg_tables in original plane, effectively introducing move
semantic. Seems, this fixes issue with double-free,
when rcar_du_vsp_plane_cleanup_fb() freed the same sg_table
both in original plane and in the copy.
Reported-by: Volodymyr Babchuk <vlad.babchuk@gmail.com>
Signed-off-by: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
Acked-by: Petr Tesarik <ptesarik@suse.com>
---
drivers/gpu/drm/rcar-du/rcar_du_vsp.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
--- a/drivers/gpu/drm/rcar-du/rcar_du_vsp.c
+++ b/drivers/gpu/drm/rcar-du/rcar_du_vsp.c
@@ -295,18 +295,17 @@ static const struct drm_plane_helper_fun
static struct drm_plane_state *
rcar_du_vsp_plane_atomic_duplicate_state(struct drm_plane *plane)
{
- struct rcar_du_vsp_plane_state *state;
struct rcar_du_vsp_plane_state *copy;
if (WARN_ON(!plane->state))
return NULL;
- state = to_rcar_vsp_plane_state(plane->state);
- copy = kmemdup(state, sizeof(*state), GFP_KERNEL);
+ copy = kzalloc(sizeof(*copy), GFP_KERNEL);
if (copy == NULL)
return NULL;
__drm_atomic_helper_plane_duplicate_state(plane, ©->state);
+ copy->alpha = to_rcar_vsp_plane_state(plane->state)->alpha;
return ©->state;
}