patches/1327-drm-rcar-du-Zero-out-sg_tables-when-duplicating-plan.patch - pub/scm/linux/kernel/git/geert/ltsi-kernel - Git at Google

 From 5712107e1ff253cdc7f0b34cbce7945d62f0c005 Mon Sep 17 00:00:00 2001
 From: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
 Date: Wed, 17 Jan 2018 22:18:41 +0200
 Subject: [PATCH 1327/1795] drm: rcar-du: Zero-out sg_tables when duplicating
  plane state

 The state structure for VSP-backed planes, rcar_du_vsp_plane_state,
 contains sg tables that track framebuffer mapping performed in the
 .prepare_fb() operation to unmap them in .cleanup_fb(). The tables are
 incorrectly copied when duplicating state, which can result :

 Zero-out sg_tables in original plane, effectively introducing move
 semantic. Seems, this fixes issue with double-free,
 when rcar_du_vsp_plane_cleanup_fb() freed the same sg_table
 both in original plane and in the copy.

 Reported-by: Volodymyr Babchuk <vlad.babchuk@gmail.com>
 Signed-off-by: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
 (cherry picked from commit 75a07f399cd43bc7fb41a13723fbe04e61c5c470)
 Signed-off-by: Simon Horman <horms+renesas@verge.net.au>
 Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
 ---
  drivers/gpu/drm/rcar-du/rcar_du_vsp.c | 5 ++---
  1 file changed, 2 insertions(+), 3 deletions(-)

 diff --git a/drivers/gpu/drm/rcar-du/rcar_du_vsp.c b/drivers/gpu/drm/rcar-du/rcar_du_vsp.c
 index 2fc61253a095..b2ef0f5631e7 100644
 --- a/drivers/gpu/drm/rcar-du/rcar_du_vsp.c
 +++ b/drivers/gpu/drm/rcar-du/rcar_du_vsp.c
 @@ -301,18 +301,17 @@ static const struct drm_plane_helper_funcs rcar_du_vsp_plane_helper_funcs = {
  static struct drm_plane_state *
  rcar_du_vsp_plane_atomic_duplicate_state(struct drm_plane *plane)
  {
 -	struct rcar_du_vsp_plane_state *state;
  	struct rcar_du_vsp_plane_state *copy;

  	if (WARN_ON(!plane->state))
  		return NULL;

 -	state = to_rcar_vsp_plane_state(plane->state);
 -	copy = kmemdup(state, sizeof(*state), GFP_KERNEL);
 +	copy = kzalloc(sizeof(*copy), GFP_KERNEL);
  	if (copy == NULL)
  		return NULL;

  	__drm_atomic_helper_plane_duplicate_state(plane, &copy->state);
 +	copy->alpha = to_rcar_vsp_plane_state(plane->state)->alpha;

  	return &copy->state;
  }
 --
 2.19.0
	From 5712107e1ff253cdc7f0b34cbce7945d62f0c005 Mon Sep 17 00:00:00 2001
	From: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
	Date: Wed, 17 Jan 2018 22:18:41 +0200
	Subject: [PATCH 1327/1795] drm: rcar-du: Zero-out sg_tables when duplicating
	plane state

	The state structure for VSP-backed planes, rcar_du_vsp_plane_state,
	contains sg tables that track framebuffer mapping performed in the
	.prepare_fb() operation to unmap them in .cleanup_fb(). The tables are
	incorrectly copied when duplicating state, which can result :

	Zero-out sg_tables in original plane, effectively introducing move
	semantic. Seems, this fixes issue with double-free,
	when rcar_du_vsp_plane_cleanup_fb() freed the same sg_table
	both in original plane and in the copy.

	Reported-by: Volodymyr Babchuk <vlad.babchuk@gmail.com>
	Signed-off-by: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
	(cherry picked from commit 75a07f399cd43bc7fb41a13723fbe04e61c5c470)
	Signed-off-by: Simon Horman <horms+renesas@verge.net.au>
	Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
	---
	drivers/gpu/drm/rcar-du/rcar_du_vsp.c \| 5 ++---
	1 file changed, 2 insertions(+), 3 deletions(-)

	diff --git a/drivers/gpu/drm/rcar-du/rcar_du_vsp.c b/drivers/gpu/drm/rcar-du/rcar_du_vsp.c
	index 2fc61253a095..b2ef0f5631e7 100644
	--- a/drivers/gpu/drm/rcar-du/rcar_du_vsp.c
	+++ b/drivers/gpu/drm/rcar-du/rcar_du_vsp.c
	@@ -301,18 +301,17 @@ static const struct drm_plane_helper_funcs rcar_du_vsp_plane_helper_funcs = {
	static struct drm_plane_state *
	rcar_du_vsp_plane_atomic_duplicate_state(struct drm_plane *plane)
	{
	- struct rcar_du_vsp_plane_state *state;
	struct rcar_du_vsp_plane_state *copy;

	if (WARN_ON(!plane->state))
	return NULL;

	- state = to_rcar_vsp_plane_state(plane->state);
	- copy = kmemdup(state, sizeof(*state), GFP_KERNEL);
	+ copy = kzalloc(sizeof(*copy), GFP_KERNEL);
	if (copy == NULL)
	return NULL;

	__drm_atomic_helper_plane_duplicate_state(plane, &copy->state);
	+ copy->alpha = to_rcar_vsp_plane_state(plane->state)->alpha;

	return &copy->state;
	}
	--
	2.19.0