[PATCH v4 3/3] drm/amd/display: Fix dangling pointer in connector reset function

From: Evgenii Burenchev

Date: Mon Jun 29 2026 - 05:12:06 EST


amdgpu_dm_connector_funcs_reset() frees the old state before allocating
a new one. If kzalloc_obj() fails, the function returns without updating
the state pointer, leaving a dangling pointer to already freed memory.

Fix this by allocating the new state first. On allocation failure, the
old state remains untouched and the function safely returns.

Additionally restore the explicit kfree(old_state) which was lost when
the function was refactored, as __drm_atomic_helper_connector_destroy_state()
only frees resources but not the state structure itself.

Fixes: e7b07ceef2a6 ("drm/amd/display: Merge amdgpu_dm_types and amdgpu_dm")
Signed-off-by: Evgenii Burenchev <evg28bur@xxxxxxxxx>
---
.../gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 39 ++++++++++---------
1 file changed, 20 insertions(+), 19 deletions(-)

diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
index d3a8d681227a..b1f91dd0ab61 100644
--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
@@ -8151,33 +8151,34 @@ static void amdgpu_dm_connector_destroy(struct drm_connector *connector)

void amdgpu_dm_connector_funcs_reset(struct drm_connector *connector)
{
- struct dm_connector_state *state =
+ struct dm_connector_state *old_state =
to_dm_connector_state(connector->state);
+ struct dm_connector_state *state;
+
+ state = kzalloc_obj(*state);
+ if (!state)
+ return;

if (connector->state)
__drm_atomic_helper_connector_destroy_state(connector->state);

- kfree(state);
+ kfree(old_state);

- state = kzalloc_obj(*state);
+ __drm_atomic_helper_connector_reset(connector, &state->base);

- if (state) {
- state->scaling = RMX_OFF;
- state->underscan_enable = false;
- state->underscan_hborder = 0;
- state->underscan_vborder = 0;
- state->base.max_requested_bpc = 8;
- state->vcpi_slots = 0;
- state->pbn = 0;
-
- if (connector->connector_type == DRM_MODE_CONNECTOR_eDP) {
- if (amdgpu_dm_abm_level <= 0)
- state->abm_level = ABM_LEVEL_IMMEDIATE_DISABLE;
- else
- state->abm_level = amdgpu_dm_abm_level;
- }
+ state->scaling = RMX_OFF;
+ state->underscan_enable = false;
+ state->underscan_hborder = 0;
+ state->underscan_vborder = 0;
+ state->base.max_requested_bpc = 8;
+ state->vcpi_slots = 0;
+ state->pbn = 0;

- __drm_atomic_helper_connector_reset(connector, &state->base);
+ if (connector->connector_type == DRM_MODE_CONNECTOR_eDP) {
+ if (amdgpu_dm_abm_level <= 0)
+ state->abm_level = ABM_LEVEL_IMMEDIATE_DISABLE;
+ else
+ state->abm_level = amdgpu_dm_abm_level;
}
}

--
2.43.0