[PATCH next] drm: writeback: Fix use after free in drm_writeback_connector_cleanup()

From: Dan Carpenter
Date: Wed Feb 12 2025 - 10:24:25 EST

Next message: Dan Carpenter: "[PATCH next] drm/tests: Fix a test in drm_test_check_valid_clones()"
Previous message: Wentao Liang: "[PATCH] mlxsw: Add return value check for mlxsw_sp_port_get_stats_raw()"
Next in thread: Dmitry Baryshkov: "Re: [PATCH next] drm: writeback: Fix use after free in drm_writeback_connector_cleanup()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

The drm_writeback_cleanup_job() function frees "pos" so call
list_del(&pos->list_entry) first to avoid a use after free.

Fixes: 1914ba2b91ea ("drm: writeback: Create drmm variants for drm_writeback_connector initialization")
Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
---
drivers/gpu/drm/drm_writeback.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/drm_writeback.c b/drivers/gpu/drm/drm_writeback.c
index 3628fbef7752..f139b49af4c9 100644
--- a/drivers/gpu/drm/drm_writeback.c
+++ b/drivers/gpu/drm/drm_writeback.c
@@ -360,8 +360,8 @@ static void drm_writeback_connector_cleanup(struct drm_device *dev,

spin_lock_irqsave(&wb_connector->job_lock, flags);
list_for_each_entry_safe(pos, n, &wb_connector->job_queue, list_entry) {
- drm_writeback_cleanup_job(pos);
list_del(&pos->list_entry);
+ drm_writeback_cleanup_job(pos);
}
spin_unlock_irqrestore(&wb_connector->job_lock, flags);
}
--
2.47.2

Next message: Dan Carpenter: "[PATCH next] drm/tests: Fix a test in drm_test_check_valid_clones()"
Previous message: Wentao Liang: "[PATCH] mlxsw: Add return value check for mlxsw_sp_port_get_stats_raw()"
Next in thread: Dmitry Baryshkov: "Re: [PATCH next] drm: writeback: Fix use after free in drm_writeback_connector_cleanup()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]