Commit f35034f8 authored by Maarten Lankhorst's avatar Maarten Lankhorst Committed by Daniel Vetter

drm/core: Fix ordering in drm_mode_config_cleanup.

__drm_atomic_helper_plane_destroy_state calls
drm_framebuffer_unreference, which means that if drm_framebuffer_free
is called before plane->destroy freed memory will be accessed.

A similar case happens for the blob list, which was freed before the
crtc state was, resulting in the unreference_blob from crtc_destroy_state
pointing to garbage memory causing another opportunity for a GPF.
Signed-off-by: default avatarMaarten Lankhorst <maarten.lankhorst@linux.intel.com>
Reviewed-by: default avatarVille Syrjälä <ville.syrjala@linux.intel.com>
Signed-off-by: default avatarDaniel Vetter <daniel.vetter@ffwll.ch>
Link: http://patchwork.freedesktop.org/patch/msgid/1458657734-21866-1-git-send-email-maarten.lankhorst@linux.intel.com
parent d00b39c1
...@@ -5914,6 +5914,15 @@ void drm_mode_config_cleanup(struct drm_device *dev) ...@@ -5914,6 +5914,15 @@ void drm_mode_config_cleanup(struct drm_device *dev)
drm_property_destroy(dev, property); drm_property_destroy(dev, property);
} }
list_for_each_entry_safe(plane, plt, &dev->mode_config.plane_list,
head) {
plane->funcs->destroy(plane);
}
list_for_each_entry_safe(crtc, ct, &dev->mode_config.crtc_list, head) {
crtc->funcs->destroy(crtc);
}
list_for_each_entry_safe(blob, bt, &dev->mode_config.property_blob_list, list_for_each_entry_safe(blob, bt, &dev->mode_config.property_blob_list,
head_global) { head_global) {
drm_property_unreference_blob(blob); drm_property_unreference_blob(blob);
...@@ -5932,15 +5941,6 @@ void drm_mode_config_cleanup(struct drm_device *dev) ...@@ -5932,15 +5941,6 @@ void drm_mode_config_cleanup(struct drm_device *dev)
drm_framebuffer_free(&fb->refcount); drm_framebuffer_free(&fb->refcount);
} }
list_for_each_entry_safe(plane, plt, &dev->mode_config.plane_list,
head) {
plane->funcs->destroy(plane);
}
list_for_each_entry_safe(crtc, ct, &dev->mode_config.crtc_list, head) {
crtc->funcs->destroy(crtc);
}
ida_destroy(&dev->mode_config.connector_ida); ida_destroy(&dev->mode_config.connector_ida);
idr_destroy(&dev->mode_config.tile_idr); idr_destroy(&dev->mode_config.tile_idr);
idr_destroy(&dev->mode_config.crtc_idr); idr_destroy(&dev->mode_config.crtc_idr);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment