| Message ID | 78abd541-71e9-4b3b-a05d-2c7caf8d5b2f@stanley.mountain (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | [next] drm: writeback: Fix use after free in drm_writeback_connector_cleanup() | expand |
On Wed, Feb 12, 2025 at 06:23:48PM +0300, Dan Carpenter wrote: > The drm_writeback_cleanup_job() function frees "pos" so call > list_del(&pos->list_entry) first to avoid a use after free. > > Fixes: 1914ba2b91ea ("drm: writeback: Create drmm variants for drm_writeback_connector initialization") > Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org> > --- > drivers/gpu/drm/drm_writeback.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
On Wed, 12 Feb 2025 18:23:48 +0300, Dan Carpenter wrote: > The drm_writeback_cleanup_job() function frees "pos" so call > list_del(&pos->list_entry) first to avoid a use after free. > > Applied to misc/kernel.git (drm-misc-next). Thanks! Maxime
diff --git a/drivers/gpu/drm/drm_writeback.c b/drivers/gpu/drm/drm_writeback.c index 3628fbef7752..f139b49af4c9 100644 --- a/drivers/gpu/drm/drm_writeback.c +++ b/drivers/gpu/drm/drm_writeback.c @@ -360,8 +360,8 @@ static void drm_writeback_connector_cleanup(struct drm_device *dev, spin_lock_irqsave(&wb_connector->job_lock, flags); list_for_each_entry_safe(pos, n, &wb_connector->job_queue, list_entry) { - drm_writeback_cleanup_job(pos); list_del(&pos->list_entry); + drm_writeback_cleanup_job(pos); } spin_unlock_irqrestore(&wb_connector->job_lock, flags); }
The drm_writeback_cleanup_job() function frees "pos" so call list_del(&pos->list_entry) first to avoid a use after free. Fixes: 1914ba2b91ea ("drm: writeback: Create drmm variants for drm_writeback_connector initialization") Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org> --- drivers/gpu/drm/drm_writeback.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)