From: Maxime Ripard <mripard@kernel.org>
To: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>,
Thomas Zimmermann <tzimmermann@suse.de>,
David Airlie <airlied@gmail.com>,
Simona Vetter <simona@ffwll.ch>,
Andrzej Hajda <andrzej.hajda@intel.com>,
Neil Armstrong <neil.armstrong@linaro.org>,
Robert Foss <rfoss@kernel.org>,
Laurent Pinchart <Laurent.pinchart@ideasonboard.com>,
Jonas Karlman <jonas@kwiboo.se>,
Jernej Skrabec <jernej.skrabec@gmail.com>,
Jyri Sarha <jyri.sarha@iki.fi>,
Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
Cc: Devarsh Thakkar <devarsht@ti.com>,
dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org,
Maxime Ripard <mripard@kernel.org>
Subject: [PATCH 08/29] drm/atomic: Only call atomic_destroy_state on a !NULL pointer
Date: Tue, 02 Sep 2025 10:32:36 +0200
Message-ID: <20250902-drm-state-readout-v1-8-14ad5315da3f@kernel.org>
In-Reply-To: <20250902-drm-state-readout-v1-0-14ad5315da3f@kernel.org>

The drm_atomic_state structure is freed through the
drm_atomic_state_put() function, which eventually calls
drm_atomic_state_default_clear() by default when there are no active
users of that state.

It then iterates over all entities with a state, and will call the
atomic_destroy_state callback on the state pointer. The state pointer is
mostly used these days to point to which of the old or new state needs
to be freed, depending on whether the state was committed or not.

So it all makes sense.

However, with the hardware state readout support approaching, we might
have a state, with multiple entities in it, but no state to free because
we want them to persist. In such a case, state is going to be NULL, and
thus we'll end up with a NULL pointer dereference.

In order to make it work, let's first test if the state pointer isn't
NULL before calling atomic_destroy_state on it.

Signed-off-by: Maxime Ripard <mripard@kernel.org>
---
drivers/gpu/drm/drm_atomic.c | 23 +++++++++++++++--------
1 file changed, 15 insertions(+), 8 deletions(-)
diff --git a/drivers/gpu/drm/drm_atomic.c b/drivers/gpu/drm/drm_atomic.c
index 38f2b2633fa992b3543e8c425c7faeab1ce69765..f26678835a94f40da56a8c1297d92f226d7ff2e2 100644
--- a/drivers/gpu/drm/drm_atomic.c
+++ b/drivers/gpu/drm/drm_atomic.c
@@ -249,12 +249,14 @@ void drm_atomic_state_default_clear(struct drm_atomic_state *state)
struct drm_connector *connector = state->connectors[i].ptr;
if (!connector)
continue;
- connector->funcs->atomic_destroy_state(connector,
- state->connectors[i].state);
+ if (state->connectors[i].state)
+ connector->funcs->atomic_destroy_state(connector,
+ state->connectors[i].state);
+
state->connectors[i].ptr = NULL;
state->connectors[i].state = NULL;
state->connectors[i].old_state = NULL;
state->connectors[i].new_state = NULL;
drm_connector_put(connector);
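
Review bot: the new check on state->connectors[i].state carries no comment saying when .state can be NULL while .ptr is still set, and nothing in the surrounding lines hints at it. A one-line comment above the check (for instance, that entries whose state must persist carry a NULL .state) would keep a later cleanup from dropping it as a redundant test. The drm_connector_put(connector) that follows still runs for such entries, which looks right since it is keyed on .ptr rather than on the state.
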
@@ -264,12 +266,13 @@ void drm_atomic_state_default_clear(struct drm_atomic_state *state)
struct drm_crtc *crtc = state->crtcs[i].ptr;
if (!crtc)
continue;
- crtc->funcs->atomic_destroy_state(crtc,
- state->crtcs[i].state);
+ if (state->crtcs[i].state)
+ crtc->funcs->atomic_destroy_state(crtc,
+ state->crtcs[i].state);
state->crtcs[i].ptr = NULL;
state->crtcs[i].state = NULL;
state->crtcs[i].old_state = NULL;
state->crtcs[i].new_state = NULL;
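
Review bot: style nit, in the CRTC loop the guarded call is followed directly by state->crtcs[i].ptr = NULL; whereas the connector, plane and private_obj loops each gain a blank line after it. Please add the blank line here too, or drop it from the other three, so the four loops stay identical.
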
@@ -284,12 +287,14 @@ void drm_atomic_state_default_clear(struct drm_atomic_state *state)
struct drm_plane *plane = state->planes[i].ptr;
if (!plane)
continue;
- plane->funcs->atomic_destroy_state(plane,
- state->planes[i].state);
+ if (state->planes[i].state)
+ plane->funcs->atomic_destroy_state(plane,
+ state->planes[i].state);
+
state->planes[i].ptr = NULL;
state->planes[i].state = NULL;
state->planes[i].old_state = NULL;
state->planes[i].new_state = NULL;
}
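
Review bot: when state->planes[i].state is NULL the destroy call is skipped, but the next lines still set old_state and new_state to NULL unconditionally, so whatever they pointed to is no longer reachable from this drm_atomic_state. The commit message says those states are meant to persist; please say, in a comment here or in the commit message, who holds the pointer to them after this point so the skipped call does not read as a leak.
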
@@ -298,12 +303,14 @@ void drm_atomic_state_default_clear(struct drm_atomic_state *state)
struct drm_private_obj *obj = state->private_objs[i].ptr;
if (!obj)
continue;
- obj->funcs->atomic_destroy_state(obj,
- state->private_objs[i].state);
+ if (state->private_objs[i].state)
+ obj->funcs->atomic_destroy_state(obj,
+ state->private_objs[i].state);
+
state->private_objs[i].ptr = NULL;
state->private_objs[i].state = NULL;
state->private_objs[i].old_state = NULL;
state->private_objs[i].new_state = NULL;
}
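
Review bot: the check on state->private_objs[i].state, like the three before it, only covers drm_atomic_state_default_clear(). The commit message describes this function as what runs by default, so if a driver can supply its own clear path that walks these arrays, that path would need the same NULL test. It is worth stating in the commit message whether that case exists.
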
--
2.50.1