[PATCH 4.10 13/69] drm/nouveau/kms/nv50: fix double dma_fence_put() when destroying plane state

From: Greg Kroah-Hartman
Date: Wed Apr 19 2017 - 11:32:28 EST


4.10-stable review patch. If anyone has any objections, please let me know.

------------------

From: Ben Skeggs <bskeggs@xxxxxxxxxx>

commit 2907e8670b6ef253bffb33bf47fd2182969cf2a0 upstream.

When the atomic support was added to nouveau, the DRM core did not do this.

However, later in the same merge window, a commit (drm/fence: add in-fences
support) was merged that added it, leading to use-after-frees of the fence
object.

Signed-off-by: Ben Skeggs <bskeggs@xxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>

---
drivers/gpu/drm/nouveau/nv50_display.c | 2 --
1 file changed, 2 deletions(-)

--- a/drivers/gpu/drm/nouveau/nv50_display.c
+++ b/drivers/gpu/drm/nouveau/nv50_display.c
@@ -995,7 +995,6 @@ nv50_wndw_atomic_destroy_state(struct dr
{
struct nv50_wndw_atom *asyw = nv50_wndw_atom(state);
__drm_atomic_helper_plane_destroy_state(&asyw->state);
- dma_fence_put(asyw->state.fence);
kfree(asyw);
}

@@ -1007,7 +1006,6 @@ nv50_wndw_atomic_duplicate_state(struct
if (!(asyw = kmalloc(sizeof(*asyw), GFP_KERNEL)))
return NULL;
__drm_atomic_helper_plane_duplicate_state(plane, &asyw->state);
- asyw->state.fence = NULL;
asyw->interval = 1;
asyw->sema = armw->sema;
asyw->ntfy = armw->ntfy;