From: Daniel Vetter Date: Wed, 23 Apr 2014 13:15:32 +0000 (+0200) Subject: drm/tegra: restrict plane loops to legacy planes X-Git-Tag: firefly_0821_release~176^2~3977^2~5^2 X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=2b4c36612efac173397756398000921a7771fdda;p=firefly-linux-kernel-4.4.55.git drm/tegra: restrict plane loops to legacy planes In Matt Ropers primary plane series a set of prep patches like commit af2b653bfb4ef40931b4d101ca842ce0c5da57ef Author: Matt Roper Date: Tue Apr 1 15:22:32 2014 -0700 drm/i915: Restrict plane loops to only operate on overlay planes (v2) ensured that all exisiting users of the mode_config->plane_list wouldn't change behaviour. Unfortunately tegra seems to have fallen through the cracks. Fix it. This regression was introduced in commit e13161af80c185ecd8dc4641d0f5df58f9e3e0af Author: Matt Roper Date: Tue Apr 1 15:22:38 2014 -0700 drm: Add drm_crtc_init_with_planes() (v2) The result was that we've unref'ed the fb for the primary plane twice, leading to a use-after free bug. This is because the drm core will already set crtc->primary->fb to NULL and do the unref for us, and the crtc disable hook is called by the drm crtc helpers for exactly this case. Aside: Now that the fbdev helpers clean up planes there's no longer a need to do this in drivers. So this could probably be nuked entirely in linux-next. Signed-off-by: Daniel Vetter Reviewed-by: Matt Roper Tested-by: Stephen Warren Signed-off-by: Thierry Reding --- diff --git a/drivers/gpu/drm/tegra/dc.c b/drivers/gpu/drm/tegra/dc.c index 36c717af6cf9..edb871d7d395 100644 --- a/drivers/gpu/drm/tegra/dc.c +++ b/drivers/gpu/drm/tegra/dc.c @@ -312,7 +312,7 @@ static void tegra_crtc_disable(struct drm_crtc *crtc) struct drm_device *drm = crtc->dev; struct drm_plane *plane; - list_for_each_entry(plane, &drm->mode_config.plane_list, head) { + drm_for_each_legacy_plane(plane, &drm->mode_config.plane_list) { if (plane->crtc == crtc) { tegra_plane_disable(plane); plane->crtc = NULL;