From: Maarten Lankhorst <maarten.lankhorst@xxxxxxxxxxxxxxx> ----------------------------------- stable inclusion from stable-v4.13.3 commit 4572372847680ee04f184df916d5cf007c94ff7e category: bugfix bugzilla: NA DTS: DTS2017101204004 CVE: NA ----------------------------------- plane_mask should be cleared inside the retry loop, because it gets reset on every retry. Without this fix the plane->fb refcounting might get out of sync on retries, resulting in either leaked memory or use-after-free. Signed-off-by: Maarten Lankhorst <maarten.lankhorst@xxxxxxxxxxxxxxx> Cc: stable@xxxxxxxxxxxxxxx #v4.3 Reviewed-by: Daniel Vetter <daniel.vetter@xxxxxxxx> Signed-off-by: Jani Nikula <jani.nikula@xxxxxxxxx> Link: http://patchwork.freedesktop.org/patch/msgid/1447237751-9663-3-git-send-email-maarten.lankhorst@xxxxxxxxxx --- drivers/gpu/drm/drm_atomic.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/gpu/drm/drm_atomic.c b/drivers/gpu/drm/drm_atomic.c index 74ca49b..5785b0b 100644 --- a/drivers/gpu/drm/drm_atomic.c +++ b/drivers/gpu/drm/drm_atomic.c @@ -1197,7 +1197,7 @@ int drm_mode_atomic_ioctl(struct drm_device *dev, struct drm_plane *plane; struct drm_crtc *crtc; struct drm_crtc_state *crtc_state; - unsigned plane_mask = 0; + unsigned plane_mask; int ret = 0; unsigned int i, j; @@ -1237,6 +1237,7 @@ int drm_mode_atomic_ioctl(struct drm_device *dev, state->allow_modeset = !!(arg->flags & DRM_MODE_ATOMIC_ALLOW_MODESET); retry: + plane_mask = 0; copied_objs = 0; copied_props = 0; -- 1.8.3.1