From: Sasha Levin
To: patches@lists.linux.dev
Cc: Ludovic Desroches, Manikandan Muralidharan, Sasha Levin
Subject: [PATCH 6.18 179/752] drm/atmel-hlcdc: fix use-after-free of drm_crtc_commit after release
Date: Sat, 28 Feb 2026 12:38:10 -0500
Message-ID: <20260228174750.1542406-179-sashal@kernel.org>
In-Reply-To: <20260228174750.1542406-1-sashal@kernel.org>
References: <20260228174750.1542406-1-sashal@kernel.org>
X-Mailing-List: patches@lists.linux.dev
X-stable: review
From: Ludovic Desroches

[ Upstream commit bc847787233277a337788568e90a6ee1557595eb ]

The atmel_hlcdc_plane_atomic_duplicate_state() callback was copying the atmel_hlcdc_plane state structure without properly duplicating the drm_plane_state. In particular, state->commit remained set to the old state commit, which can lead to a use-after-free in the next drm_atomic_commit() call.

Fix this by calling __drm_atomic_helper_duplicate_plane_state(), which correctly clones the base drm_plane_state (including the ->commit pointer).

It has been seen when closing and re-opening the device node while another DRM client (e.g. fbdev) is still attached:

=============================================================================
BUG kmalloc-64 (Not tainted): Poison overwritten
-----------------------------------------------------------------------------

0xc611b344-0xc611b344 @offset=836. First byte 0x6a instead of 0x6b
FIX kmalloc-64: Restoring Poison 0xc611b344-0xc611b344=0x6b

Allocated in drm_atomic_helper_setup_commit+0x1e8/0x7bc age=178 cpu=0 pid=29
 drm_atomic_helper_setup_commit+0x1e8/0x7bc
 drm_atomic_helper_commit+0x3c/0x15c
 drm_atomic_commit+0xc0/0xf4
 drm_framebuffer_remove+0x4cc/0x5a8
 drm_mode_rmfb_work_fn+0x6c/0x80
 process_one_work+0x12c/0x2cc
 worker_thread+0x2a8/0x400
 kthread+0xc0/0xdc
 ret_from_fork+0x14/0x28

Freed in drm_atomic_helper_commit_hw_done+0x100/0x150 age=8 cpu=0 pid=169
 drm_atomic_helper_commit_hw_done+0x100/0x150
 drm_atomic_helper_commit_tail+0x64/0x8c
 commit_tail+0x168/0x18c
 drm_atomic_helper_commit+0x138/0x15c
 drm_atomic_commit+0xc0/0xf4
 drm_atomic_helper_set_config+0x84/0xb8
 drm_mode_setcrtc+0x32c/0x810
 drm_ioctl+0x20c/0x488
 sys_ioctl+0x14c/0xc20
 ret_fast_syscall+0x0/0x54

Slab 0xef8bc360 objects=21 used=16 fp=0xc611b7c0 flags=0x200(workingset|zone=0)
Object 0xc611b340 @offset=832 fp=0xc611b7c0

Signed-off-by: Ludovic Desroches
Reviewed-by: Manikandan Muralidharan
Link: https://patch.msgid.link/20251024-lcd_fixes_mainlining-v1-2-79b615130dc3@microchip.com
Signed-off-by: Manikandan Muralidharan Signed-off-by: Sasha Levin --- drivers/gpu/drm/atmel-hlcdc/atmel_hlcdc_plane.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/drivers/gpu/drm/atmel-hlcdc/atmel_hlcdc_plane.c b/drivers/gpu/drm/atmel-hlcdc/atmel_hlcdc_plane.c index caf6deda717ce..ae8d7b017968d 100644 --- a/drivers/gpu/drm/atmel-hlcdc/atmel_hlcdc_plane.c +++ b/drivers/gpu/drm/atmel-hlcdc/atmel_hlcdc_plane.c @@ -1174,8 +1174,7 @@ atmel_hlcdc_plane_atomic_duplicate_state(struct drm_plane *p) return NULL; } - if (copy->base.fb) - drm_framebuffer_get(copy->base.fb); + __drm_atomic_helper_plane_duplicate_state(p, ©->base); return ©->base; } -- 2.51.0
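Review bot: the function named in the commit message, __drm_atomic_helper_duplicate_plane_state(), does not match the call the hunk actually adds, __drm_atomic_helper_plane_duplicate_state(p, &copy->base); the message should be corrected to the name used in the code so that anyone auditing the backport can find the helper (the `©` in the extracted hunk is the HTML-entity rendering of `&copy->base`, not a character in the source). Dropping the explicit `if (copy->base.fb) drm_framebuffer_get(copy->base.fb);` is only correct because the helper takes that framebuffer reference itself while resetting the per-commit fields of the base state (->commit among them), so the net effect is one fb reference plus a cleared commit pointer rather than a lost reference; the message only mentions ->commit and would read better if it stated that the fb refcount is preserved by the helper, since a reader seeing only the removed drm_framebuffer_get() line could mistake this for a refcount leak.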