From: Ben Skeggs Date: Wed, 5 Apr 2017 08:16:14 +0000 (+1000) Subject: drm/nouveau/kms/nv50: fix double dma_fence_put() when destroying plane state X-Git-Tag: v4.10.12~57 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2efa4bd3b644f115befbd225f45fce936e19cf2c;p=thirdparty%2Fkernel%2Fstable.git drm/nouveau/kms/nv50: fix double dma_fence_put() when destroying plane state commit 2907e8670b6ef253bffb33bf47fd2182969cf2a0 upstream. When the atomic support was added to nouveau, the DRM core did not do this. However, later in the same merge window, a commit (drm/fence: add in-fences support) was merged that added it, leading to use-after-frees of the fence object. Signed-off-by: Ben Skeggs Signed-off-by: Greg Kroah-Hartman --- diff --git a/drivers/gpu/drm/nouveau/nv50_display.c b/drivers/gpu/drm/nouveau/nv50_display.c index 915c418510d35..96b510871631d 100644 --- a/drivers/gpu/drm/nouveau/nv50_display.c +++ b/drivers/gpu/drm/nouveau/nv50_display.c @@ -995,7 +995,6 @@ nv50_wndw_atomic_destroy_state(struct drm_plane *plane, { struct nv50_wndw_atom *asyw = nv50_wndw_atom(state); __drm_atomic_helper_plane_destroy_state(&asyw->state); - dma_fence_put(asyw->state.fence); kfree(asyw); } @@ -1007,7 +1006,6 @@ nv50_wndw_atomic_duplicate_state(struct drm_plane *plane) if (!(asyw = kmalloc(sizeof(*asyw), GFP_KERNEL))) return NULL; __drm_atomic_helper_plane_duplicate_state(plane, &asyw->state); - asyw->state.fence = NULL; asyw->interval = 1; asyw->sema = armw->sema; asyw->ntfy = armw->ntfy;