Clear the pointer so the buffer can be re-exported. Otherwise use after free happens in the next call to drm_gem_prime_handle_to_fd(). Signed-off-by: Noralf Trønnes <noralf@xxxxxxxxxxx> --- drivers/gpu/drm/drm_prime.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/gpu/drm/drm_prime.c b/drivers/gpu/drm/drm_prime.c index 9a17725b0f7a..3214c0eb7466 100644 --- a/drivers/gpu/drm/drm_prime.c +++ b/drivers/gpu/drm/drm_prime.c @@ -343,6 +343,7 @@ void drm_gem_dmabuf_release(struct dma_buf *dma_buf) /* drop the reference on the export fd holds */ drm_gem_object_put_unlocked(obj); + obj->dma_buf = NULL; drm_dev_put(dev); } -- 2.14.2 _______________________________________________ dri-devel mailing list dri-devel@xxxxxxxxxxxxxxxxxxxxx https://lists.freedesktop.org/mailman/listinfo/dri-devel
