Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues:
- [High] Missing reference counting for `pre_csc_lut` and `post_csc_lut` when copying joiner CRTC state leads to refcount underflow and potential Use-After-Free.

--
commit 1f085640509d6db9ddf76a018415e1b475be3068
Author: Guangshuo Li <[email protected]>

drm/i915: clear CRTC color blob pointers after dropping refs

This commit modifies intel_crtc_free_hw_state() to explicitly clear the CRTC color blob pointers after dropping their references. This ensures that repeated cleanups of the same CRTC hw state won't attempt to drop the same blob references again if an atomic operation fails later.

> diff --git a/drivers/gpu/drm/i915/display/intel_atomic.c b/drivers/gpu/drm/i915/display/intel_atomic.c
> index 0e4f0678c53cd..a80c863952529 100644
> --- a/drivers/gpu/drm/i915/display/intel_atomic.c
> +++ b/drivers/gpu/drm/i915/display/intel_atomic.c
> @@ -293,6 +293,12 @@ static void intel_crtc_put_color_blobs(struct intel_crtc_state *crtc_state)
>  void intel_crtc_free_hw_state(struct intel_crtc_state *crtc_state)
>  {
>  	intel_crtc_put_color_blobs(crtc_state);
> +
> +	crtc_state->hw.degamma_lut = NULL;
> +	crtc_state->hw.gamma_lut = NULL;
> +	crtc_state->hw.ctm = NULL;
> +	crtc_state->pre_csc_lut = NULL;
> +	crtc_state->post_csc_lut = NULL;

[Severity: High] This is a pre-existing issue, but missing reference counting for pre_csc_lut and post_csc_lut when copying joiner CRTC state can lead to a refcount underflow and potential use-after-free.

In drivers/gpu/drm/i915/display/intel_display.c: copy_joiner_crtc_state_modeset(), the primary state's pre_csc_lut and post_csc_lut pointers are blindly copied into the secondary state without acquiring references:

    memcpy(secondary_crtc_state, saved_state, sizeof(*secondary_crtc_state));

After the secondary state's existing blobs are freed, the state is overwritten by this memcpy, so the secondary state now holds the primary's blob pointers. The subsequent memset(&secondary_crtc_state->hw, 0, ...) clears the hw struct (including hw.degamma_lut), but pre_csc_lut and post_csc_lut reside outside the hw struct and remain pointing to the primary's blobs.

Later in the atomic check phase, intel_assign_luts() replaces the unreferenced pointer:

    drm_property_replace_blob(&crtc_state->pre_csc_lut, crtc_state->hw.degamma_lut);

Because hw.degamma_lut is NULL, it drops the old pointer by calling drm_property_blob_put() on it. Since the secondary CRTC never actually acquired a reference, this drops the primary CRTC's reference instead.

Although the newly added NULL assignments here in intel_crtc_free_hw_state() clear the pointers initially, could they still get overwritten again by the blind memcpy in copy_joiner_crtc_state_modeset() before intel_assign_luts() executes?

>  }
>  
>  /**

--
Sashiko AI review · https://sashiko.dev/#/patchset/[email protected]?part=1
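Review bot: The five NULL assignments added after the intel_crtc_put_color_blobs() call in intel_crtc_free_hw_state() put the drop and the clear in two different functions, so any other caller of intel_crtc_put_color_blobs() is still left holding dangling blob pointers once the references are gone. Consider doing the clearing inside intel_crtc_put_color_blobs() itself, for example by dropping each blob with drm_property_replace_blob(&crtc_state->hw.degamma_lut, NULL), which, as the review above notes, puts the old blob and stores the new (here NULL) pointer in one step; then every path that drops the references also clears them. The commit message should also say that the repeated-cleanup safety it claims only holds while nothing reassigns these fields between two cleanups: per the review, copy_joiner_crtc_state_modeset() memcpy()s the primary state over the secondary after the secondary's blobs are freed, so pre_csc_lut and post_csc_lut are overwritten again after this hunk cleared them, and that copy path still needs to take its own references for the resulting double put to go away.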

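The refcount underflow the review describes, reduced to a stand-alone C model. This is an added example, not i915 code and not the drm_property_blob API: blob_get(), blob_put() and blob_replace() are hypothetical stand-ins that follow the get/put/replace semantics the review attributes to drm_property_blob_put() and drm_property_replace_blob(), struct crtc_state only mirrors the one layout detail the review relies on (pre_csc_lut and post_csc_lut outside hw), and copy_joiner_state() replays the described free, memcpy and memset sequence. With take_refs = 0 the secondary's later replace-with-NULL consumes the primary's only reference and the primary's own cleanup then drives the count negative; with take_refs = 1 the copy path takes a reference for each pointer that survives outside hw and the counts balance.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a refcounted property blob. Freeing is omitted,
 * so a refcount below zero is the visible symptom of an underflow. */
struct blob {
	int refcount;
};

static struct blob *blob_get(struct blob *b)
{
	if (b)
		b->refcount++;
	return b;
}

static void blob_put(struct blob *b)
{
	if (b)
		b->refcount--;	/* a real put would free at zero */
}

/* Contract the review gives drm_property_replace_blob(): take a ref on the
 * new blob, store it, drop the ref on whatever the slot held before. */
static void blob_replace(struct blob **slot, struct blob *new)
{
	struct blob *old = *slot;

	if (old == new)
		return;
	blob_get(new);
	*slot = new;
	blob_put(old);
}

/* Assumed layout: the two csc LUT pointers live outside hw, as in the review. */
struct hw_state {
	struct blob *degamma_lut;
	struct blob *gamma_lut;
	struct blob *ctm;
};

struct crtc_state {
	struct hw_state hw;
	struct blob *pre_csc_lut;
	struct blob *post_csc_lut;
};

/* Drop every reference the state holds, then clear the pointers (the patch). */
static void free_hw_state(struct crtc_state *s)
{
	blob_put(s->hw.degamma_lut);
	blob_put(s->hw.gamma_lut);
	blob_put(s->hw.ctm);
	blob_put(s->pre_csc_lut);
	blob_put(s->post_csc_lut);

	s->hw.degamma_lut = NULL;
	s->hw.gamma_lut = NULL;
	s->hw.ctm = NULL;
	s->pre_csc_lut = NULL;
	s->post_csc_lut = NULL;
}

/* The described copy: free the secondary's blobs, memcpy the whole primary
 * state over it, wipe hw. Only with take_refs does the secondary acquire
 * references for the two pointers the memset() does not touch. */
static void copy_joiner_state(struct crtc_state *sec,
			      const struct crtc_state *prim, int take_refs)
{
	free_hw_state(sec);
	memcpy(sec, prim, sizeof(*sec));
	memset(&sec->hw, 0, sizeof(sec->hw));
	if (take_refs) {
		blob_get(sec->pre_csc_lut);
		blob_get(sec->post_csc_lut);
	}
}

/* Atomic-check step from the review: hw.degamma_lut is NULL after the memset,
 * so the replace puts whatever pre_csc_lut currently points at. */
static void assign_luts(struct crtc_state *s)
{
	blob_replace(&s->pre_csc_lut, s->hw.degamma_lut);
	blob_replace(&s->post_csc_lut, s->hw.gamma_lut);
}

/* Shared blob's refcount once both states are cleaned up:
 * 0 means balanced, -1 means the primary's reference was dropped twice. */
int final_refcount(int take_refs)
{
	struct blob lut = { .refcount = 0 };
	struct crtc_state prim = { 0 }, sec = { 0 };

	blob_replace(&prim.pre_csc_lut, &lut);	/* primary holds the only ref */
	copy_joiner_state(&sec, &prim, take_refs);
	assign_luts(&sec);		/* secondary drops a ref it may not own */
	free_hw_state(&sec);		/* pointers already NULL: no second put */
	free_hw_state(&prim);		/* primary drops its own ref */
	return lut.refcount;
}

int main(void)
{
	printf("memcpy without get: refcount %d\n", final_refcount(0));
	printf("memcpy then get:    refcount %d\n", final_refcount(1));
	return 0;
}
```

The second free_hw_state() on the secondary is a no-op either way, which is all the patch buys; the sign of the final count is decided by whether copy_joiner_state() took a reference for the pointers the memcpy() carried across, exactly the question the review leaves open.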