From: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
Date: Wed, 17 Jan 2018 20:18:41 +0000 (+0200)
Subject: drm: rcar-du: Zero-out sg_tables when duplicating plane state
X-Git-Tag: v4.18-rc1~128^2~18^2~10
X-Git-Url: https://asedeno.scripts.mit.edu/gitweb/?a=commitdiff_plain;h=75a07f399cd43bc7fb41a13723fbe04e61c5c470;p=linux.git

drm: rcar-du: Zero-out sg_tables when duplicating plane state

The state structure for VSP-backed planes, rcar_du_vsp_plane_state,
contains sg tables that track framebuffer mapping performed in the
.prepare_fb() operation to unmap them in .cleanup_fb(). The tables are
incorrectly copied when duplicating state, which can result :

Zero-out sg_tables in original plane, effectively introducing move
semantic. Seems, this fixes issue with double-free,
when rcar_du_vsp_plane_cleanup_fb() freed the same sg_table
both in original plane and in the copy.

Reported-by: Volodymyr Babchuk <vlad.babchuk@gmail.com>
Signed-off-by: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
---

diff --git a/drivers/gpu/drm/rcar-du/rcar_du_vsp.c b/drivers/gpu/drm/rcar-du/rcar_du_vsp.c
index 2c260c33840b..4a01a99a4674 100644
--- a/drivers/gpu/drm/rcar-du/rcar_du_vsp.c
+++ b/drivers/gpu/drm/rcar-du/rcar_du_vsp.c
@@ -299,18 +299,17 @@ static const struct drm_plane_helper_funcs rcar_du_vsp_plane_helper_funcs = {
 static struct drm_plane_state *
 rcar_du_vsp_plane_atomic_duplicate_state(struct drm_plane *plane)
 {
-	struct rcar_du_vsp_plane_state *state;
 	struct rcar_du_vsp_plane_state *copy;
 
 	if (WARN_ON(!plane->state))
 		return NULL;
 
-	state = to_rcar_vsp_plane_state(plane->state);
-	copy = kmemdup(state, sizeof(*state), GFP_KERNEL);
+	copy = kzalloc(sizeof(*copy), GFP_KERNEL);
 	if (copy == NULL)
 		return NULL;
 
 	__drm_atomic_helper_plane_duplicate_state(plane, &copy->state);
+	copy->alpha = to_rcar_vsp_plane_state(plane->state)->alpha;
 
 	return &copy->state;
 }