From 64307f889583acf678697f844db63dce56125885 Mon Sep 17 00:00:00 2001 From: Dan Carpenter Date: Wed, 12 Feb 2025 18:23:48 +0300 Subject: [PATCH] FROMGIT: drm: writeback: Fix use after free in drm_writeback_connector_cleanup() The drm_writeback_cleanup_job() function frees "pos" so call list_del(&pos->list_entry) first to avoid a use after free. Fixes: 1914ba2b91ea ("drm: writeback: Create drmm variants for drm_writeback_connector initialization") Signed-off-by: Dan Carpenter Reviewed-by: Dmitry Baryshkov Link: https://patchwork.freedesktop.org/patch/msgid/78abd541-71e9-4b3b-a05d-2c7caf8d5b2f@stanley.mountain Signed-off-by: Maxime Ripard (cherry picked from commit ff3881cc6a588f8cd714c9ffbbcc9ef6b02c8d0f https://anongit.freedesktop.org/git/drm/drm-misc.git drm-misc-next) Fixes: 8d550a8ffc99 ("FROMGIT: drm: writeback: Create drmm variants for drm_writeback_connector initialization") Bug: 414366730 Test: atest VtsHalGraphicsComposer3_TargetTest Change-Id: I889a42e9651a41e7f98f4f9daa00796b896bdc8d Signed-off-by: Paz Zcharya --- drivers/gpu/drm/drm_writeback.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/drm_writeback.c b/drivers/gpu/drm/drm_writeback.c index 905863ec8802..5b098891deb4 100644 --- a/drivers/gpu/drm/drm_writeback.c +++ b/drivers/gpu/drm/drm_writeback.c @@ -366,8 +366,8 @@ static void drm_writeback_connector_cleanup(struct drm_device *dev, spin_lock_irqsave(&wb_connector->job_lock, flags); list_for_each_entry_safe(pos, n, &wb_connector->job_queue, list_entry) { - drm_writeback_cleanup_job(pos); list_del(&pos->list_entry); + drm_writeback_cleanup_job(pos); } spin_unlock_irqrestore(&wb_connector->job_lock, flags); }