summaryrefslogtreecommitdiff
path: root/drivers/gpu/drm/rcar-du/rcar_du_vsp.c
diff options
context:
space:
mode:
authorLaurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>2018-01-17 22:18:41 +0200
committerLaurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>2018-04-26 13:48:22 +0300
commit75a07f399cd43bc7fb41a13723fbe04e61c5c470 (patch)
tree6133301fb55e1a1791430c5215a62ee8ae5b4324 /drivers/gpu/drm/rcar-du/rcar_du_vsp.c
parent6d08b06e67cd117f6992c46611dfb4ce267cd71e (diff)
downloadlwn-75a07f399cd43bc7fb41a13723fbe04e61c5c470.tar.gz
lwn-75a07f399cd43bc7fb41a13723fbe04e61c5c470.zip
drm: rcar-du: Zero-out sg_tables when duplicating plane state
The state structure for VSP-backed planes, rcar_du_vsp_plane_state, contains sg tables that track framebuffer mapping performed in the .prepare_fb() operation to unmap them in .cleanup_fb(). The tables are incorrectly copied when duplicating state, which can result : Zero-out sg_tables in original plane, effectively introducing move semantic. Seems, this fixes issue with double-free, when rcar_du_vsp_plane_cleanup_fb() freed the same sg_table both in original plane and in the copy. Reported-by: Volodymyr Babchuk <vlad.babchuk@gmail.com> Signed-off-by: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
Diffstat (limited to 'drivers/gpu/drm/rcar-du/rcar_du_vsp.c')
-rw-r--r--drivers/gpu/drm/rcar-du/rcar_du_vsp.c5
1 files changed, 2 insertions, 3 deletions
diff --git a/drivers/gpu/drm/rcar-du/rcar_du_vsp.c b/drivers/gpu/drm/rcar-du/rcar_du_vsp.c
index 2c260c33840b..4a01a99a4674 100644
--- a/drivers/gpu/drm/rcar-du/rcar_du_vsp.c
+++ b/drivers/gpu/drm/rcar-du/rcar_du_vsp.c
@@ -299,18 +299,17 @@ static const struct drm_plane_helper_funcs rcar_du_vsp_plane_helper_funcs = {
static struct drm_plane_state *
rcar_du_vsp_plane_atomic_duplicate_state(struct drm_plane *plane)
{
- struct rcar_du_vsp_plane_state *state;
struct rcar_du_vsp_plane_state *copy;
if (WARN_ON(!plane->state))
return NULL;
- state = to_rcar_vsp_plane_state(plane->state);
- copy = kmemdup(state, sizeof(*state), GFP_KERNEL);
+ copy = kzalloc(sizeof(*copy), GFP_KERNEL);
if (copy == NULL)
return NULL;
__drm_atomic_helper_plane_duplicate_state(plane, &copy->state);
+ copy->alpha = to_rcar_vsp_plane_state(plane->state)->alpha;
return &copy->state;
}