On Tue, Sep 02, 2025 at 10:32:36AM +0200, Maxime Ripard wrote:
> The drm_atomic_state structure is freed through the
> drm_atomic_state_put() function, that eventually calls
> drm_atomic_state_default_clear() by default when there's no active
> users of that state.
>
> It then iterates over all entities with a state, and will call the
Did you mean s/with a state/within the state/ ?
I'd also replace "entity" with "object" as mentioned in the review of a
previous patch.
> atomic_destroy_state callback on the state pointer. The state pointer is
> mostly used these days to point to which of the old or new state needs
> to be freed, depending on whether the state was committed or not.
>
> So it all makes sense.
>
> However, with the hardware state readout support approaching, we might
> have a state, with multiple entities in it, but no state to free because
> we want them to persist. In such a case, state is going to be NULL, and
> thus we'll end up with NULL pointer dereference.
I'm not sure to follow you here. Are we talking with objects whose old
and new states will both need to be preserved ? Or objects that have no
old state ? I assume it's the latter, a clarification would be useful
here. With that,
Reviewed-by: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
> In order to make it work, let's first test if the state pointer isn't
> NULL before calling atomic_destroy_state on it.
>
> Signed-off-by: Maxime Ripard <mripard@kernel.org>
> ---
> drivers/gpu/drm/drm_atomic.c | 23 +++++++++++++++--------
> 1 file changed, 15 insertions(+), 8 deletions(-)
>
> diff --git a/drivers/gpu/drm/drm_atomic.c b/drivers/gpu/drm/drm_atomic.c
> index 38f2b2633fa992b3543e8c425c7faeab1ce69765..f26678835a94f40da56a8c1297d92f226d7ff2e2 100644
> --- a/drivers/gpu/drm/drm_atomic.c
> +++ b/drivers/gpu/drm/drm_atomic.c
> @@ -249,12 +249,14 @@ void drm_atomic_state_default_clear(struct drm_atomic_state *state)
> struct drm_connector *connector = state->connectors[i].ptr;
>
> if (!connector)
> continue;
>
> - connector->funcs->atomic_destroy_state(connector,
> - state->connectors[i].state);
> + if (state->connectors[i].state)
> + connector->funcs->atomic_destroy_state(connector,
> + state->connectors[i].state);
> +
> state->connectors[i].ptr = NULL;
> state->connectors[i].state = NULL;
> state->connectors[i].old_state = NULL;
> state->connectors[i].new_state = NULL;
> drm_connector_put(connector);
> @@ -264,12 +266,13 @@ void drm_atomic_state_default_clear(struct drm_atomic_state *state)
> struct drm_crtc *crtc = state->crtcs[i].ptr;
>
> if (!crtc)
> continue;
>
> - crtc->funcs->atomic_destroy_state(crtc,
> - state->crtcs[i].state);
> + if (state->crtcs[i].state)
> + crtc->funcs->atomic_destroy_state(crtc,
> + state->crtcs[i].state);
>
> state->crtcs[i].ptr = NULL;
> state->crtcs[i].state = NULL;
> state->crtcs[i].old_state = NULL;
> state->crtcs[i].new_state = NULL;
> @@ -284,12 +287,14 @@ void drm_atomic_state_default_clear(struct drm_atomic_state *state)
> struct drm_plane *plane = state->planes[i].ptr;
>
> if (!plane)
> continue;
>
> - plane->funcs->atomic_destroy_state(plane,
> - state->planes[i].state);
> + if (state->planes[i].state)
> + plane->funcs->atomic_destroy_state(plane,
> + state->planes[i].state);
> +
> state->planes[i].ptr = NULL;
> state->planes[i].state = NULL;
> state->planes[i].old_state = NULL;
> state->planes[i].new_state = NULL;
> }
> @@ -298,12 +303,14 @@ void drm_atomic_state_default_clear(struct drm_atomic_state *state)
> struct drm_private_obj *obj = state->private_objs[i].ptr;
>
> if (!obj)
> continue;
>
> - obj->funcs->atomic_destroy_state(obj,
> - state->private_objs[i].state);
> + if (state->private_objs[i].state)
> + obj->funcs->atomic_destroy_state(obj,
> + state->private_objs[i].state);
> +
> state->private_objs[i].ptr = NULL;
> state->private_objs[i].state = NULL;
> state->private_objs[i].old_state = NULL;
> state->private_objs[i].new_state = NULL;
> }
--
Regards,
Laurent Pinchart