summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorChris Wilson <chris@chris-wilson.co.uk>2014-03-10 08:07:01 +0000
committerDaniel Vetter <daniel.vetter@ffwll.ch>2014-03-10 09:18:10 +0100
commitd1a59868efa65379482c79de997973b06cefb9d2 (patch)
tree4904b23126e74b5e6b750f2de61a3383992cd8ad
parent484b41dd70a9fbea894632d8926bbb93f05021c7 (diff)
drm/i915: Prevent use-after-free of inherited framebuffer
During KMS takeover, we try to capture the current configuration and preserve it across our initialisation. For a variety of reasons, we may fail this, for example if the current mode was using the legacy VGA plane. Under such circumstances, we discard the fb in the plane config and tried to find a matching fb on another CRTC. This obviously also failed, leaving the plane config fb dangling, pointing to the freed block. Regression from commit 484b41dd70a9fbea894632d8926bbb93f05021c7 Author: Jesse Barnes <jbarnes@virtuousgeek.org> Date: Fri Mar 7 08:57:55 2014 -0800 drm/i915: remove early fb allocation dependency on CONFIG_FB v2 Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=75963 Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk> Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
-rw-r--r--drivers/gpu/drm/i915/intel_display.c1
1 files changed, 1 insertions, 0 deletions
diff --git a/drivers/gpu/drm/i915/intel_display.c b/drivers/gpu/drm/i915/intel_display.c
index 8710496bab4..1f180a45e08 100644
--- a/drivers/gpu/drm/i915/intel_display.c
+++ b/drivers/gpu/drm/i915/intel_display.c
@@ -2125,6 +2125,7 @@ static void intel_find_plane_obj(struct intel_crtc *intel_crtc,
return;
kfree(intel_crtc->base.fb);
+ intel_crtc->base.fb = NULL;
/*
* Failed to alloc the obj, check to see if we should share