mirror of
https://github.com/AuxXxilium/linux_dsm_epyc7002.git
synced 2025-01-25 08:09:39 +07:00
drm: rcar-du: Zero-out sg_tables when duplicating plane state
The state structure for VSP-backed planes, rcar_du_vsp_plane_state, contains sg tables that track framebuffer mapping performed in the .prepare_fb() operation to unmap them in .cleanup_fb(). The tables are incorrectly copied when duplicating state, which can result : Zero-out sg_tables in original plane, effectively introducing move semantic. Seems, this fixes issue with double-free, when rcar_du_vsp_plane_cleanup_fb() freed the same sg_table both in original plane and in the copy. Reported-by: Volodymyr Babchuk <vlad.babchuk@gmail.com> Signed-off-by: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
This commit is contained in:
parent
6d08b06e67
commit
75a07f399c
@ -299,18 +299,17 @@ static const struct drm_plane_helper_funcs rcar_du_vsp_plane_helper_funcs = {
|
||||
static struct drm_plane_state *
|
||||
rcar_du_vsp_plane_atomic_duplicate_state(struct drm_plane *plane)
|
||||
{
|
||||
struct rcar_du_vsp_plane_state *state;
|
||||
struct rcar_du_vsp_plane_state *copy;
|
||||
|
||||
if (WARN_ON(!plane->state))
|
||||
return NULL;
|
||||
|
||||
state = to_rcar_vsp_plane_state(plane->state);
|
||||
copy = kmemdup(state, sizeof(*state), GFP_KERNEL);
|
||||
copy = kzalloc(sizeof(*copy), GFP_KERNEL);
|
||||
if (copy == NULL)
|
||||
return NULL;
|
||||
|
||||
__drm_atomic_helper_plane_duplicate_state(plane, ©->state);
|
||||
copy->alpha = to_rcar_vsp_plane_state(plane->state)->alpha;
|
||||
|
||||
return ©->state;
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user