* [PATCH i-g-t] igt_kms: Avoid NULL ptr deref when commiting disabled planes
@ 2015-04-28 10:57 Tvrtko Ursulin
2015-05-01 16:23 ` Thomas Wood
0 siblings, 1 reply; 2+ messages in thread
From: Tvrtko Ursulin @ 2015-04-28 10:57 UTC (permalink / raw)
To: Intel-gfx
From: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
I think;
commit a26f9f9ad0e679c7ce413a25d34f6914e1174151
Author: chandra konduru <chandra.konduru@intel.com>
Date: Mon Mar 30 13:52:04 2015 -0700
i-g-t: Adding plane scaling test case
introduced a condition where it attempts to update a disabled plane because
of the newly introduced size_changed flag which is set for disabled frame
buffers. Result is a NULL ptr deref in igt_drm_plane_commit (plane->fb->src_x).
Start recognising this case as disabled plane and act accordingly.
Also cleanup the code in igt_plane_set_fb a bit.
Signed-off-by: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
Cc: chandra konduru <chandra.konduru@intel.com>
---
There might be a better fix, but this works for me.
---
lib/igt_kms.c | 13 ++++---------
1 file changed, 4 insertions(+), 9 deletions(-)
diff --git a/lib/igt_kms.c b/lib/igt_kms.c
index b7d1e90..b5ba273 100644
--- a/lib/igt_kms.c
+++ b/lib/igt_kms.c
@@ -1331,7 +1331,7 @@ static int igt_drm_plane_commit(igt_plane_t *plane,
fb_id = igt_plane_get_fb_id(plane);
crtc_id = output->config.crtc->crtc_id;
- if (plane->fb_changed && fb_id == 0) {
+ if ((plane->fb_changed || plane->size_changed) && fb_id == 0) {
LOG(display,
"%s: SetPlane pipe %s, plane %d, disabling\n",
igt_output_name(output),
@@ -1765,14 +1765,6 @@ void igt_plane_set_fb(igt_plane_t *plane, struct igt_fb *fb)
plane->fb = fb;
/* hack to keep tests working that don't call igt_plane_set_size() */
if (fb) {
- plane->crtc_w = fb->width;
- plane->crtc_h = fb->height;
- } else {
- plane->crtc_w = 0;
- plane->crtc_h = 0;
- }
-
- if (fb) {
/* set default plane pos/size as fb size */
plane->crtc_x = 0;
plane->crtc_y = 0;
@@ -1784,6 +1776,9 @@ void igt_plane_set_fb(igt_plane_t *plane, struct igt_fb *fb)
fb->src_y = 0;
fb->src_w = fb->width;
fb->src_h = fb->height;
+ } else {
+ plane->crtc_w = 0;
+ plane->crtc_h = 0;
}
plane->fb_changed = true;
--
2.3.5
_______________________________________________
Intel-gfx mailing list
Intel-gfx@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/intel-gfx
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH i-g-t] igt_kms: Avoid NULL ptr deref when commiting disabled planes
2015-04-28 10:57 [PATCH i-g-t] igt_kms: Avoid NULL ptr deref when commiting disabled planes Tvrtko Ursulin
@ 2015-05-01 16:23 ` Thomas Wood
0 siblings, 0 replies; 2+ messages in thread
From: Thomas Wood @ 2015-05-01 16:23 UTC (permalink / raw)
To: Tvrtko Ursulin; +Cc: Intel Graphics Development
On 28 April 2015 at 11:57, Tvrtko Ursulin
<tvrtko.ursulin@linux.intel.com> wrote:
> From: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
>
> I think;
>
> commit a26f9f9ad0e679c7ce413a25d34f6914e1174151
> Author: chandra konduru <chandra.konduru@intel.com>
> Date: Mon Mar 30 13:52:04 2015 -0700
>
> i-g-t: Adding plane scaling test case
>
> introduced a condition where it attempts to update a disabled plane because
> of the newly introduced size_changed flag which is set for disabled frame
> buffers. Result is a NULL ptr deref in igt_drm_plane_commit (plane->fb->src_x).
>
> Start recognising this case as disabled plane and act accordingly.
>
> Also cleanup the code in igt_plane_set_fb a bit.
The changes to igt_plane_set_fb look fine, but should really go in a
separate patch.
>
> Signed-off-by: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
> Cc: chandra konduru <chandra.konduru@intel.com>
> ---
> There might be a better fix, but this works for me.
> ---
> lib/igt_kms.c | 13 ++++---------
> 1 file changed, 4 insertions(+), 9 deletions(-)
>
> diff --git a/lib/igt_kms.c b/lib/igt_kms.c
> index b7d1e90..b5ba273 100644
> --- a/lib/igt_kms.c
> +++ b/lib/igt_kms.c
> @@ -1331,7 +1331,7 @@ static int igt_drm_plane_commit(igt_plane_t *plane,
> fb_id = igt_plane_get_fb_id(plane);
> crtc_id = output->config.crtc->crtc_id;
>
> - if (plane->fb_changed && fb_id == 0) {
> + if ((plane->fb_changed || plane->size_changed) && fb_id == 0) {
> LOG(display,
> "%s: SetPlane pipe %s, plane %d, disabling\n",
> igt_output_name(output),
> @@ -1765,14 +1765,6 @@ void igt_plane_set_fb(igt_plane_t *plane, struct igt_fb *fb)
> plane->fb = fb;
> /* hack to keep tests working that don't call igt_plane_set_size() */
> if (fb) {
> - plane->crtc_w = fb->width;
> - plane->crtc_h = fb->height;
> - } else {
> - plane->crtc_w = 0;
> - plane->crtc_h = 0;
> - }
> -
> - if (fb) {
> /* set default plane pos/size as fb size */
> plane->crtc_x = 0;
> plane->crtc_y = 0;
> @@ -1784,6 +1776,9 @@ void igt_plane_set_fb(igt_plane_t *plane, struct igt_fb *fb)
> fb->src_y = 0;
> fb->src_w = fb->width;
> fb->src_h = fb->height;
> + } else {
> + plane->crtc_w = 0;
> + plane->crtc_h = 0;
> }
>
> plane->fb_changed = true;
> --
> 2.3.5
>
> _______________________________________________
> Intel-gfx mailing list
> Intel-gfx@lists.freedesktop.org
> http://lists.freedesktop.org/mailman/listinfo/intel-gfx
_______________________________________________
Intel-gfx mailing list
Intel-gfx@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/intel-gfx
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2015-05-01 16:23 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2015-04-28 10:57 [PATCH i-g-t] igt_kms: Avoid NULL ptr deref when commiting disabled planes Tvrtko Ursulin
2015-05-01 16:23 ` Thomas Wood
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.