From mboxrd@z Thu Jan 1 00:00:00 1970 From: Archit Taneja Subject: [PATCH] drm/msm: Fix mdp5_crtc->ctl NULL dereference Date: Mon, 8 Jun 2015 09:57:27 +0530 Message-ID: <1433737647-1926-1-git-send-email-architt@codeaurora.org> Return-path: Received: from smtp.codeaurora.org ([198.145.29.96]:33806 "EHLO smtp.codeaurora.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751248AbbFHE1h (ORCPT ); Mon, 8 Jun 2015 00:27:37 -0400 Sender: linux-arm-msm-owner@vger.kernel.org List-Id: linux-arm-msm@vger.kernel.org To: robdclark@gmail.com, sviau@codeaurora.org Cc: dri-devel@lists.freedesktop.org, linux-arm-msm@vger.kernel.org, Archit Taneja A race condition between drm_release and drm_mode_rmfb can result in mdp5_crtc_disable() accessing mdp5_crtc->ctl when its already been set to NULL by a complete_flip() which disables the crtc. Move the ctl register write within complete_flip() when the crtc state is disabled. Signed-off-by: Archit Taneja --- drivers/gpu/drm/msm/mdp/mdp5/mdp5_crtc.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/drivers/gpu/drm/msm/mdp/mdp5/mdp5_crtc.c b/drivers/gpu/drm/msm/mdp/mdp5/mdp5_crtc.c index c153077..13dd7dd 100644 --- a/drivers/gpu/drm/msm/mdp/mdp5/mdp5_crtc.c +++ b/drivers/gpu/drm/msm/mdp/mdp5/mdp5_crtc.c @@ -143,6 +143,8 @@ static void complete_flip(struct drm_crtc *crtc, struct drm_file *file) } if (mdp5_crtc->ctl && !crtc->state->enable) { + /* set STAGE_UNUSED for all layers */ + mdp5_ctl_blend(mdp5_crtc->ctl, mdp5_crtc->lm, 0x00000000); mdp5_ctl_release(mdp5_crtc->ctl); mdp5_crtc->ctl = NULL; } @@ -274,9 +276,6 @@ static void mdp5_crtc_disable(struct drm_crtc *crtc) if (WARN_ON(!mdp5_crtc->enabled)) return; - /* set STAGE_UNUSED for all layers */ - mdp5_ctl_blend(mdp5_crtc->ctl, mdp5_crtc->lm, 0x00000000); - mdp_irq_unregister(&mdp5_kms->base, &mdp5_crtc->err); mdp5_disable(mdp5_kms); -- The Qualcomm Innovation Center, Inc. is a member of the Code Aurora Forum, hosted by The Linux Foundation