| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <d5ca271e-899f-4240-9a0a-99f70a81c000@suse.de> Date: Tue, 2 Sep 2025 15:30:18 +0200 From: Thomas Zimmermann <tzimmermann@...e.de> To: Maxime Ripard <mripard@...nel.org>, Maarten Lankhorst <maarten.lankhorst@...ux.intel.com>, David Airlie <airlied@...il.com>, Simona Vetter <simona@...ll.ch>, Andrzej Hajda <andrzej.hajda@...el.com>, Neil Armstrong <neil.armstrong@...aro.org>, Robert Foss <rfoss@...nel.org>, Laurent Pinchart <Laurent.pinchart@...asonboard.com>, Jonas Karlman <jonas@...boo.se>, Jernej Skrabec <jernej.skrabec@...il.com>, Jyri Sarha <jyri.sarha@....fi>, Tomi Valkeinen <tomi.valkeinen@...asonboard.com> Cc: Devarsh Thakkar <devarsht@...com>, dri-devel@...ts.freedesktop.org, linux-kernel@...r.kernel.org Subject: Re: [PATCH 08/29] drm/atomic: Only call atomic_destroy_state on a !NULL pointer Am 02.09.25 um 10:32 schrieb Maxime Ripard: > The drm_atomic_state structure is freed through the > drm_atomic_state_put() function, that eventually calls > drm_atomic_state_default_clear() by default when there's no active > users of that state. > > It then iterates over all entities with a state, and will call the > atomic_destroy_state callback on the state pointer. The state pointer is > mostly used these days to point to which of the old or new state needs > to be freed, depending on whether the state was committed or not. > > So it all makes sense. > > However, with the hardware state readout support approaching, we might > have a state, with multiple entities in it, but no state to free because > we want them to persist. In such a case, state is going to be NULL, and > thus we'll end up with NULL pointer dereference. > > In order to make it work, let's first test if the state pointer isn't > NULL before calling atomic_destroy_state on it. > > Signed-off-by: Maxime Ripard <mripard@...nel.org> Reviewed-by: Thomas Zimmermann <tzimmermann@...e.de> > --- > drivers/gpu/drm/drm_atomic.c | 23 +++++++++++++++-------- > 1 file changed, 15 insertions(+), 8 deletions(-) > > diff --git a/drivers/gpu/drm/drm_atomic.c b/drivers/gpu/drm/drm_atomic.c > index 38f2b2633fa992b3543e8c425c7faeab1ce69765..f26678835a94f40da56a8c1297d92f226d7ff2e2 100644 > --- a/drivers/gpu/drm/drm_atomic.c > +++ b/drivers/gpu/drm/drm_atomic.c > @@ -249,12 +249,14 @@ void drm_atomic_state_default_clear(struct drm_atomic_state *state) > struct drm_connector *connector = state->connectors[i].ptr; > > if (!connector) > continue; > > - connector->funcs->atomic_destroy_state(connector, > - state->connectors[i].state); > + if (state->connectors[i].state) > + connector->funcs->atomic_destroy_state(connector, > + state->connectors[i].state); > + > state->connectors[i].ptr = NULL; > state->connectors[i].state = NULL; > state->connectors[i].old_state = NULL; > state->connectors[i].new_state = NULL; > drm_connector_put(connector); > @@ -264,12 +266,13 @@ void drm_atomic_state_default_clear(struct drm_atomic_state *state) > struct drm_crtc *crtc = state->crtcs[i].ptr; > > if (!crtc) > continue; > > - crtc->funcs->atomic_destroy_state(crtc, > - state->crtcs[i].state); > + if (state->crtcs[i].state) > + crtc->funcs->atomic_destroy_state(crtc, > + state->crtcs[i].state); > > state->crtcs[i].ptr = NULL; > state->crtcs[i].state = NULL; > state->crtcs[i].old_state = NULL; > state->crtcs[i].new_state = NULL; > @@ -284,12 +287,14 @@ void drm_atomic_state_default_clear(struct drm_atomic_state *state) > struct drm_plane *plane = state->planes[i].ptr; > > if (!plane) > continue; > > - plane->funcs->atomic_destroy_state(plane, > - state->planes[i].state); > + if (state->planes[i].state) > + plane->funcs->atomic_destroy_state(plane, > + state->planes[i].state); > + > state->planes[i].ptr = NULL; > state->planes[i].state = NULL; > state->planes[i].old_state = NULL; > state->planes[i].new_state = NULL; > } > @@ -298,12 +303,14 @@ void drm_atomic_state_default_clear(struct drm_atomic_state *state) > struct drm_private_obj *obj = state->private_objs[i].ptr; > > if (!obj) > continue; > > - obj->funcs->atomic_destroy_state(obj, > - state->private_objs[i].state); > + if (state->private_objs[i].state) > + obj->funcs->atomic_destroy_state(obj, > + state->private_objs[i].state); > + > state->private_objs[i].ptr = NULL; > state->private_objs[i].state = NULL; > state->private_objs[i].old_state = NULL; > state->private_objs[i].new_state = NULL; > } > -- -- Thomas Zimmermann Graphics Driver Developer SUSE Software Solutions Germany GmbH Frankenstrasse 146, 90461 Nuernberg, Germany GF: Ivo Totev, Andrew Myers, Andrew McDonald, Boudien Moerman HRB 36809 (AG Nuernberg)
Powered by blists - more mailing lists