[PATCH v2] drm/i915: clear CRTC color blob pointers after dropping refs

[PATCH v2] drm/i915: clear CRTC color blob pointers after dropping refs

[Guangshuo Li]

intel_crtc_free_hw_state() drops the CRTC color blob references, but
leaves the corresponding pointers unchanged.

This can matter in intel_crtc_prepare_cleared_state(), which frees the
old CRTC hw state before calling intel_dp_tunnel_atomic_clear_stream_bw().
The latter can fail while looking up the DP tunnel group state, for
example with -EDEADLK.

If that happens, the function returns without completing the cleared
state preparation. The failed atomic state will then be cleared by the
atomic core and intel_crtc_free_hw_state() can be called again for the
same state, dropping the same blob references again.

Clear the blob pointers after dropping the references so repeated cleanup
of the same CRTC hw state is safe.

Fixes: fb69d0076e68 ("drm/i915/dp_tunnel: Fix error handling when clearing stream BW in atomic state")
Suggested-by: Imre Deak <imre.deak@intel.com>
Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
---
v2:
  - Keep the original ordering in intel_crtc_prepare_cleared_state().
  - Clear the blob reference pointers in intel_crtc_free_hw_state(), as
    suggested by Imre.

 drivers/gpu/drm/i915/display/intel_atomic.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/gpu/drm/i915/display/intel_atomic.c b/drivers/gpu/drm/i915/display/intel_atomic.c
index 71b7325917b6..0cdae87e4bfc 100644
--- a/drivers/gpu/drm/i915/display/intel_atomic.c
+++ b/drivers/gpu/drm/i915/display/intel_atomic.c
@@ -294,6 +294,12 @@ static void intel_crtc_put_color_blobs(struct intel_crtc_state *crtc_state)
 void intel_crtc_free_hw_state(struct intel_crtc_state *crtc_state)
 {
 	intel_crtc_put_color_blobs(crtc_state);
+
+	crtc_state->hw.degamma_lut = NULL;
+	crtc_state->hw.gamma_lut = NULL;
+	crtc_state->hw.ctm = NULL;
+	crtc_state->pre_csc_lut = NULL;
+	crtc_state->post_csc_lut = NULL;
 }
 
 /**
-- 
2.43.0

Re: [PATCH v2] drm/i915: clear CRTC color blob pointers after dropping refs

[sashiko-bot]

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:

Pre-existing issues:
- [High] Missing reference counting for `pre_csc_lut` and `post_csc_lut` when copying joiner CRTC state leads to refcount underflow and potential Use-After-Free.
--

commit 1f085640509d6db9ddf76a018415e1b475be3068
Author: Guangshuo Li <lgs201920130244@gmail.com>

drm/i915: clear CRTC color blob pointers after dropping refs

This commit modifies intel_crtc_free_hw_state() to explicitly clear the
CRTC color blob pointers after dropping their references. This ensures
that repeated cleanups of the same CRTC hw state won't attempt to drop
the same blob references again if an atomic operation fails later.

> diff --git a/drivers/gpu/drm/i915/display/intel_atomic.c b/drivers/gpu/drm/i915/display/intel_atomic.c
> index 0e4f0678c53cd..a80c863952529 100644
> --- a/drivers/gpu/drm/i915/display/intel_atomic.c
> +++ b/drivers/gpu/drm/i915/display/intel_atomic.c
> @@ -293,6 +293,12 @@ static void intel_crtc_put_color_blobs(struct intel_crtc_state *crtc_state)
>  void intel_crtc_free_hw_state(struct intel_crtc_state *crtc_state)
>  {
>  	intel_crtc_put_color_blobs(crtc_state);
> +
> +	crtc_state->hw.degamma_lut = NULL;
> +	crtc_state->hw.gamma_lut = NULL;
> +	crtc_state->hw.ctm = NULL;
> +	crtc_state->pre_csc_lut = NULL;
> +	crtc_state->post_csc_lut = NULL;

[Severity: High]
This is a pre-existing issue, but missing reference counting for pre_csc_lut
and post_csc_lut when copying joiner CRTC state can lead to a refcount
underflow and potential use-after-free.

In drivers/gpu/drm/i915/display/intel_display.c:
copy_joiner_crtc_state_modeset(), the primary state's pre_csc_lut and
post_csc_lut pointers are blindly copied into the secondary state without
acquiring references:

	memcpy(secondary_crtc_state, saved_state, sizeof(*secondary_crtc_state));

After the secondary state's existing blobs are freed, the state is
overwritten by this memcpy, so the secondary state now holds the primary's
blob pointers.

The subsequent memset(&secondary_crtc_state->hw, 0, ...) clears the hw struct
(including hw.degamma_lut), but pre_csc_lut and post_csc_lut reside outside
the hw struct and remain pointing to the primary's blobs.

Later in the atomic check phase, intel_assign_luts() replaces the
unreferenced pointer:

	drm_property_replace_blob(&crtc_state->pre_csc_lut,
				  crtc_state->hw.degamma_lut);

Because hw.degamma_lut is NULL, it drops the old pointer by calling
drm_property_blob_put() on it. Since the secondary CRTC never actually
acquired a reference, this drops the primary CRTC's reference instead.

Although the newly added NULL assignments here in intel_crtc_free_hw_state()
clear the pointers initially, could they still get overwritten again by the
blind memcpy in copy_joiner_crtc_state_modeset() before intel_assign_luts()
executes?

>  }
>  
>  /**

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260610035419.1596963-1-lgs201920130244@gmail.com?part=1