On 02-05-18 at 20:32, Ville Syrjala wrote:
> From: Ville Syrjälä <ville.syrjala@xxxxxxxxxxxxxxx>
>
> Clear the old_state and new_state pointers for every object in
> drm_atomic_state_default_clear(). Otherwise
> drm_atomic_get_{new,old}_*_state() will hand out stale pointers to
> anyone who hasn't first confirmed that the object is in fact part of
> the current atomic transaction, if they are called after we've done
> the ww backoff dance while hanging on to the same drm_atomic_state.
>
> For example, handle_conflicting_encoders() looks like it could hit
> this since it iterates the full connector list and just calls
> drm_atomic_get_new_connector_state() for each.
>
> And I believe we have now witnessed this happening at least once in
> i915 check_digital_port_conflicts(). Commit 8b69449d2663 ("drm/i915:
> Remove last references to drm_atomic_get_existing* macros") changed
> the safe drm_atomic_get_existing_connector_state() to the unsafe
> drm_atomic_get_new_connector_state(), which opened the doors for
> this particular bug there as well.
>
> Cc: stable@xxxxxxxxxxxxxxx
> Cc: Maarten Lankhorst <maarten.lankhorst@xxxxxxxxxxxxxxx>
> Cc: Laurent Pinchart <laurent.pinchart@xxxxxxxxxxxxxxxx>
> Cc: Abhay Kumar <abhay.kumar@xxxxxxxxx>
> Fixes: 581e49fe6b41 ("drm/atomic: Add new iterators over all state, v3.")
> Signed-off-by: Ville Syrjälä <ville.syrjala@xxxxxxxxxxxxxxx>
> ---

OUCH! Good catch.

~Maarten

Reviewed-by: Maarten Lankhorst <maarten.lankhorst@xxxxxxxxxxxxxxx>

How come KASAN didn't complain?
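The stale-pointer pattern the commit message describes, reduced to a stand-alone toy model. This is an added example, not DRM code and not part of the thread: the `struct transaction`, `struct slot` and all `txn_*` functions are the model's own names, standing in for the per-object ptr/old_state/new_state triple in `drm_atomic_state`. It puts the "before" clear (resets the object pointer only) next to the "after" clear (also NULLs the cached state pointers), and contrasts a lookup that trusts the cached pointer, as `drm_atomic_get_new_connector_state()` does, with one that first checks membership, as the older `drm_atomic_get_existing_connector_state()` did.

```c
/* Toy model (added example, not the DRM code) of the stale-pointer bug the
 * patch describes: a transaction caches per-connector old/new state pointers,
 * and a "clear" that resets the object pointer but not the cached state
 * pointers leaves dangling pointers behind for an unchecked lookup. */
#include <stdlib.h>
#include <string.h>
#include <stddef.h>

#define NUM_CONNECTORS 4

struct connector { int index; };          /* stands in for struct drm_connector */
struct connector_state { int crtc_id; };  /* stands in for struct drm_connector_state */

/* Per-object slot, modelled on the ptr/old_state/new_state triple in the
 * DRM atomic state. Field names are the model's own. */
struct slot {
	struct connector *ptr;
	struct connector_state *old_state;
	struct connector_state *new_state;
};

struct transaction {
	struct slot connectors[NUM_CONNECTORS];
};

typedef struct connector_state *(*lookup_fn)(const struct transaction *,
					     const struct connector *);

/* Pull a connector into the transaction by allocating a new state for it. */
static struct connector_state *
txn_get_state(struct transaction *txn, struct connector *c)
{
	struct slot *s = &txn->connectors[c->index];

	if (s->ptr)
		return s->new_state;
	s->ptr = c;
	s->old_state = NULL;            /* model: no committed state tracked */
	s->new_state = calloc(1, sizeof(*s->new_state));
	return s->new_state;
}

/* Lookup without a membership check: trusts whatever pointer the slot caches,
 * the way drm_atomic_get_new_connector_state() does. */
static struct connector_state *
txn_get_new_state_unchecked(const struct transaction *txn, const struct connector *c)
{
	return txn->connectors[c->index].new_state;
}

/* Lookup that first confirms the object is part of the transaction, the way
 * drm_atomic_get_existing_connector_state() did. */
static struct connector_state *
txn_get_new_state_checked(const struct transaction *txn, const struct connector *c)
{
	const struct slot *s = &txn->connectors[c->index];

	return s->ptr == c ? s->new_state : NULL;
}

/* "Before" clear: frees the states and resets ptr, but forgets the cached
 * old_state/new_state pointers, which is the defect the patch fixes. */
static void txn_clear_buggy(struct transaction *txn)
{
	for (int i = 0; i < NUM_CONNECTORS; i++) {
		struct slot *s = &txn->connectors[i];

		if (!s->ptr)
			continue;
		free(s->new_state);
		s->ptr = NULL;
	}
}

/* "After" clear: also NULLs old_state/new_state, so a later lookup can no
 * longer hand out a pointer into freed memory. */
static void txn_clear_fixed(struct transaction *txn)
{
	for (int i = 0; i < NUM_CONNECTORS; i++) {
		struct slot *s = &txn->connectors[i];

		if (!s->ptr)
			continue;
		free(s->new_state);
		s->ptr = NULL;
		s->old_state = NULL;
		s->new_state = NULL;
	}
}

/* Simulate "take state, back off, re-query on the same transaction".
 * Returns 1 if the lookup hands back a dangling (non-NULL) pointer after
 * the clear, 0 otherwise. Pointers are only compared, never dereferenced. */
static int stale_after_backoff(void (*clear)(struct transaction *), lookup_fn lookup)
{
	struct transaction txn;
	struct connector c = { .index = 2 };

	memset(&txn, 0, sizeof(txn));
	txn_get_state(&txn, &c);        /* connector joins the transaction */
	clear(&txn);                    /* ww backoff: drop all state, keep txn */
	return lookup(&txn, &c) != NULL;
}
```

Only the combination of the buggy clear and the unchecked lookup reports a stale pointer; either NULLing the cached pointers in the clear or checking `ptr` before trusting `new_state` closes the window.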