In vop2_crtc_reset(), if kzalloc() fails to allocate a new rockchip_crtc_state, the function returns early without setting crtc->state to NULL. However, the old state has already been destroyed and freed by __drm_atomic_helper_crtc_destroy_state() and kfree().
This leaves crtc->state as a dangling pointer. Any subsequent access to crtc->state (e.g., through to_rockchip_crtc_state()) will result in a use-after-free or NULL pointer dereference, leading to a kernel crash. Fix by setting crtc->state = NULL when kzalloc() fails, ensuring the pointer is in a well-defined state. Signed-off-by: Jiaqi <[email protected]> --- drivers/gpu/drm/rockchip/rockchip_drm_vop2.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/gpu/drm/rockchip/rockchip_drm_vop2.c b/drivers/gpu/drm/rockchip/rockchip_drm_vop2.c index 8afabe2118a9..1234567890ab 100644 --- a/drivers/gpu/drm/rockchip/rockchip_drm_vop2.c +++ b/drivers/gpu/drm/rockchip/rockchip_drm_vop2.c @@ -2082,8 +2082,10 @@ static void vop2_crtc_reset(struct drm_crtc *crtc) } vcstate = kzalloc(sizeof(*vcstate), GFP_KERNEL); - if (!vcstate) + if (!vcstate) { + crtc->state = NULL; return; + } crtc->state = &vcstate->base; crtc->state->crtc = crtc; -- 2.40.0
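Review bot: The hunk turns the dangling pointer into a NULL pointer but, as the commit message itself says, a later to_rockchip_crtc_state(crtc->state) still dereferences it, so the fix makes the failure deterministic rather than avoiding the crash; the message should state that explicitly and say whether the callers that run after reset (or the DRM core) tolerate crtc->state == NULL, otherwise "ensuring the pointer is in a well-defined state" overstates what the change guarantees. Two smaller points: the index line "8afabe2118a9..1234567890ab" has a placeholder-looking post-image blob id, so the patch will likely not apply with `git am` against a real tree and should be regenerated from the actual commit; and the Signed-off-by carries a single given name, which checkpatch and maintainers usually reject in favour of a full name.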
