Re: [PATCH v2] drm/i915: clear CRTC color blob pointers after dropping refs

[sashiko-bot@kernel.org]

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:

Pre-existing issues:
- [High] Missing reference counting for `pre_csc_lut` and `post_csc_lut` when copying joiner CRTC state leads to refcount underflow and potential Use-After-Free.
--

commit 1f085640509d6db9ddf76a018415e1b475be3068
Author: Guangshuo Li <lgs201920130244@gmail.com>

drm/i915: clear CRTC color blob pointers after dropping refs

This commit modifies intel_crtc_free_hw_state() to explicitly clear the
CRTC color blob pointers after dropping their references. This ensures
that repeated cleanups of the same CRTC hw state won't attempt to drop
the same blob references again if an atomic operation fails later.

> diff --git a/drivers/gpu/drm/i915/display/intel_atomic.c b/drivers/gpu/drm/i915/display/intel_atomic.c
> index 0e4f0678c53cd..a80c863952529 100644
> --- a/drivers/gpu/drm/i915/display/intel_atomic.c
> +++ b/drivers/gpu/drm/i915/display/intel_atomic.c
> @@ -293,6 +293,12 @@ static void intel_crtc_put_color_blobs(struct intel_crtc_state *crtc_state)
>  void intel_crtc_free_hw_state(struct intel_crtc_state *crtc_state)
>  {
>  	intel_crtc_put_color_blobs(crtc_state);
> +
> +	crtc_state->hw.degamma_lut = NULL;
> +	crtc_state->hw.gamma_lut = NULL;
> +	crtc_state->hw.ctm = NULL;
> +	crtc_state->pre_csc_lut = NULL;
> +	crtc_state->post_csc_lut = NULL;

[Severity: High]
This is a pre-existing issue, but missing reference counting for pre_csc_lut
and post_csc_lut when copying joiner CRTC state can lead to a refcount
underflow and potential use-after-free.

In drivers/gpu/drm/i915/display/intel_display.c:
copy_joiner_crtc_state_modeset(), the primary state's pre_csc_lut and
post_csc_lut pointers are blindly copied into the secondary state without
acquiring references:

	memcpy(secondary_crtc_state, saved_state, sizeof(*secondary_crtc_state));

After the secondary state's existing blobs are freed, the state is
overwritten by this memcpy, so the secondary state now holds the primary's
blob pointers.

The subsequent memset(&secondary_crtc_state->hw, 0, ...) clears the hw struct
(including hw.degamma_lut), but pre_csc_lut and post_csc_lut reside outside
the hw struct and remain pointing to the primary's blobs.

Later in the atomic check phase, intel_assign_luts() replaces the
unreferenced pointer:

	drm_property_replace_blob(&crtc_state->pre_csc_lut,
				  crtc_state->hw.degamma_lut);

Because hw.degamma_lut is NULL, it drops the old pointer by calling
drm_property_blob_put() on it. Since the secondary CRTC never actually
acquired a reference, this drops the primary CRTC's reference instead.

Although the newly added NULL assignments here in intel_crtc_free_hw_state()
clear the pointers initially, could they still get overwritten again by the
blind memcpy in copy_joiner_crtc_state_modeset() before intel_assign_luts()
executes?

>  }
>  
>  /**

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260610035419.1596963-1-lgs201920130244@gmail.com?part=1