diff options
author | Maxime Ripard <maxime@cerno.tech> | 2020-12-04 16:11:33 +0100 |
---|---|---|
committer | Maxime Ripard <maxime@cerno.tech> | 2020-12-15 11:33:23 +0100 |
commit | 27125e86b797deea4c42dc35fb0a71fd1d5ae53a (patch) | |
tree | 45a0b6574a6b579882e18fbd9e1cbb161ecc63df /include/drm/drm_atomic.h | |
parent | drm: Introduce an atomic_commit_setup function (diff) | |
download | linux-27125e86b797deea4c42dc35fb0a71fd1d5ae53a.tar.xz linux-27125e86b797deea4c42dc35fb0a71fd1d5ae53a.zip |
drm: Document use-after-free gotcha with private objects
The private objects have a gotcha that could result in a use-after-free,
make sure it's properly documented.
Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Signed-off-by: Maxime Ripard <maxime@cerno.tech>
Link: https://patchwork.freedesktop.org/patch/msgid/20201204151138.1739736-3-maxime@cerno.tech
Diffstat (limited to 'include/drm/drm_atomic.h')
-rw-r--r-- | include/drm/drm_atomic.h | 20 |
1 files changed, 20 insertions, 0 deletions
diff --git a/include/drm/drm_atomic.h b/include/drm/drm_atomic.h index 54e051a957df..ce7023e9115d 100644 --- a/include/drm/drm_atomic.h +++ b/include/drm/drm_atomic.h @@ -248,6 +248,26 @@ struct drm_private_state_funcs { * drm_dev_register() * 2/ all calls to drm_atomic_private_obj_fini() must be done after calling * drm_dev_unregister() + * + * If that private object is used to store a state shared by multiple + * CRTCs, proper care must be taken to ensure that non-blocking commits are + * properly ordered to avoid a use-after-free issue. + * + * Indeed, assuming a sequence of two non-blocking &drm_atomic_commit on two + * different &drm_crtc using different &drm_plane and &drm_connector, so with no + * resources shared, there's no guarantee on which commit is going to happen + * first. However, the second &drm_atomic_commit will consider the first + * &drm_private_obj its old state, and will be in charge of freeing it whenever + * the second &drm_atomic_commit is done. + * + * If the first &drm_atomic_commit happens after it, it will consider its + * &drm_private_obj the new state and will be likely to access it, resulting in + * an access to a freed memory region. Drivers should store (and get a reference + * to) the &drm_crtc_commit structure in our private state in + * &drm_mode_config_helper_funcs.atomic_commit_setup, and then wait for that + * commit to complete as the first step of + * &drm_mode_config_helper_funcs.atomic_commit_tail, similar to + * drm_atomic_helper_wait_for_dependencies(). */ struct drm_private_obj { /** |