提交 ab483d1c 编写于 作者: T Thomas Zimmermann 提交者: Greg Kroah-Hartman

drm/vmwgfx: Don't double-free the mode stored in par->set_mode

commit c2d311553855395764e2e5bf401d987ba65c2056 upstream.

When calling vmw_fb_set_par(), the mode stored in par->set_mode gets free'd
twice. The first free is in vmw_fb_kms_detach(), the second is near the
end of vmw_fb_set_par() under the name of 'old_mode'. The mode-setting code
only works correctly if the mode doesn't actually change. Removing
'old_mode' in favor of using par->set_mode directly fixes the problem.

Cc: <stable@vger.kernel.org>
Fixes: a278724a ("drm/vmwgfx: Implement fbdev on kms v2")
Signed-off-by: NThomas Zimmermann <tzimmermann@suse.de>
Reviewed-by: NDeepak Rawat <drawat@vmware.com>
Signed-off-by: NThomas Hellstrom <thellstrom@vmware.com>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
上级 42f358b2
...@@ -564,11 +564,9 @@ static int vmw_fb_set_par(struct fb_info *info) ...@@ -564,11 +564,9 @@ static int vmw_fb_set_par(struct fb_info *info)
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
DRM_MODE_FLAG_NHSYNC | DRM_MODE_FLAG_PVSYNC) DRM_MODE_FLAG_NHSYNC | DRM_MODE_FLAG_PVSYNC)
}; };
struct drm_display_mode *old_mode;
struct drm_display_mode *mode; struct drm_display_mode *mode;
int ret; int ret;
old_mode = par->set_mode;
mode = drm_mode_duplicate(vmw_priv->dev, &new_mode); mode = drm_mode_duplicate(vmw_priv->dev, &new_mode);
if (!mode) { if (!mode) {
DRM_ERROR("Could not create new fb mode.\n"); DRM_ERROR("Could not create new fb mode.\n");
...@@ -579,11 +577,7 @@ static int vmw_fb_set_par(struct fb_info *info) ...@@ -579,11 +577,7 @@ static int vmw_fb_set_par(struct fb_info *info)
mode->vdisplay = var->yres; mode->vdisplay = var->yres;
vmw_guess_mode_timing(mode); vmw_guess_mode_timing(mode);
if (old_mode && drm_mode_equal(old_mode, mode)) { if (!vmw_kms_validate_mode_vram(vmw_priv,
drm_mode_destroy(vmw_priv->dev, mode);
mode = old_mode;
old_mode = NULL;
} else if (!vmw_kms_validate_mode_vram(vmw_priv,
mode->hdisplay * mode->hdisplay *
DIV_ROUND_UP(var->bits_per_pixel, 8), DIV_ROUND_UP(var->bits_per_pixel, 8),
mode->vdisplay)) { mode->vdisplay)) {
...@@ -620,8 +614,8 @@ static int vmw_fb_set_par(struct fb_info *info) ...@@ -620,8 +614,8 @@ static int vmw_fb_set_par(struct fb_info *info)
schedule_delayed_work(&par->local_work, 0); schedule_delayed_work(&par->local_work, 0);
out_unlock: out_unlock:
if (old_mode) if (par->set_mode)
drm_mode_destroy(vmw_priv->dev, old_mode); drm_mode_destroy(vmw_priv->dev, par->set_mode);
par->set_mode = mode; par->set_mode = mode;
mutex_unlock(&par->bo_mutex); mutex_unlock(&par->bo_mutex);
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册