[PATCH v4 2/3] drm/amd/display: Fix dangling pointer in CRTC reset function

Next message: Bartosz Golaszewski: "[PATCH v2 04/19] driver core: platform: provide platform_device_set_of_node_from_dev()"
Previous message: Jan Kara: "Re: [PATCH] ext4: fix deadlock in ext4_evict_ea_inode() vs cache_find()"
In reply to: Evgenii Burenchev: "[PATCH v4 3/3] drm/amd/display: Fix dangling pointer in connector reset function"
Next in thread: Evgenii Burenchev: "[PATCH v4 1/3] drm/amd/display: Fix dangling pointer in plane reset function"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Evgenii Burenchev

Date: Mon Jun 29 2026 - 05:14:25 EST

amdgpu_dm_crtc_reset_state() frees the old state before allocating
a new one. If kzalloc_obj() fails, the function returns without updating
the state pointer, leaving a dangling pointer to already freed memory.

Fix this by allocating the new state first. On allocation failure, the
old state remains untouched and the function safely returns.

Fixes: 473683a03495 ("drm/amd/display: Create a file dedicated for CRTC")
Signed-off-by: Evgenii Burenchev <evg28bur@xxxxxxxxx>
---
drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_crtc.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_crtc.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_crtc.c
index 3dcedaa67ed8..5b5c4023a514 100644
--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_crtc.c
+++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_crtc.c
@@ -437,13 +437,13 @@ static void amdgpu_dm_crtc_reset_state(struct drm_crtc *crtc)
{
struct dm_crtc_state *state;

- if (crtc->state)
- amdgpu_dm_crtc_destroy_state(crtc, crtc->state);
-
state = kzalloc_obj(*state);
- if (WARN_ON(!state))
+ if (!state)
return;

+ if (crtc->state)
+ amdgpu_dm_crtc_destroy_state(crtc, crtc->state);
+
__drm_atomic_helper_crtc_reset(crtc, &state->base);
}

--
2.43.0