From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751832AbeBTLRx (ORCPT ); Tue, 20 Feb 2018 06:17:53 -0500 Received: from mail-wr0-f195.google.com ([209.85.128.195]:38644 "EHLO mail-wr0-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751649AbeBTLRw (ORCPT ); Tue, 20 Feb 2018 06:17:52 -0500 X-Google-Smtp-Source: AH8x224p9vJjlxM99icsI7Gk9JwKWEZW3K1T155VfIPCxNEDkVwYuJZ0rjv2LswVr3gCGta3+s5xSg== Date: Tue, 20 Feb 2018 12:17:48 +0100 From: Daniel Vetter To: Oleksandr Andrushchenko Cc: Oleksandr Andrushchenko , dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org, airlied@linux.ie, daniel.vetter@intel.com Subject: Re: [PATCH] drm/simple_kms_helper: Fix NULL pointer dereference with no active CRTC Message-ID: <20180220111748.GJ22199@phenom.ffwll.local> Mail-Followup-To: Oleksandr Andrushchenko , Oleksandr Andrushchenko , dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org, airlied@linux.ie, daniel.vetter@intel.com References: <1518511456-28257-1-git-send-email-andr2000@gmail.com> <20180219143002.GC22199@phenom.ffwll.local> MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: X-Operating-System: Linux phenom 4.14.0-3-amd64 User-Agent: Mutt/1.9.3 (2018-01-21) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Feb 19, 2018 at 04:58:43PM +0200, Oleksandr Andrushchenko wrote: > On 02/19/2018 04:30 PM, Daniel Vetter wrote: > > On Tue, Feb 13, 2018 at 10:44:16AM +0200, Oleksandr Andrushchenko wrote: > > > From: Oleksandr Andrushchenko > > > > > > It is possible that drm_simple_kms_plane_atomic_check called > > > with no CRTC set, e.g. when user-space application sets CRTC_ID/FB_ID > > > to 0 before doing any actual drawing. This leads to NULL pointer > > > dereference because in this case new CRTC state is NULL and must be > > > checked before accessing. > > > > > > Signed-off-by: Oleksandr Andrushchenko > > > --- > > > drivers/gpu/drm/drm_simple_kms_helper.c | 6 ++++-- > > > 1 file changed, 4 insertions(+), 2 deletions(-) > > > > > > diff --git a/drivers/gpu/drm/drm_simple_kms_helper.c b/drivers/gpu/drm/drm_simple_kms_helper.c > > > index 9ca8a4a59b74..a05eca9cec8b 100644 > > > --- a/drivers/gpu/drm/drm_simple_kms_helper.c > > > +++ b/drivers/gpu/drm/drm_simple_kms_helper.c > > > @@ -121,8 +121,10 @@ static int drm_simple_kms_plane_atomic_check(struct drm_plane *plane, > > > pipe = container_of(plane, struct drm_simple_display_pipe, plane); > > > crtc_state = drm_atomic_get_new_crtc_state(plane_state->state, > > > &pipe->crtc); > > > - if (!crtc_state->enable) > > > - return 0; /* nothing to check when disabling or disabled */ > > > + > > > + if (!crtc_state || !crtc_state->enable) > > > + /* nothing to check when disabling or disabled or no CRTC set */ > > > + return 0; > > > if (crtc_state->enable) > > > drm_mode_get_hv_timing(&crtc_state->mode, > > Hm, this is a bit annoying, since the can_position = false parameter to > > drm_atomic_helper_check_plane_state is supposed to catch all this. Would > > moving all the checks after the call to that helper, and gating them on > > plane_state->visible also work? > Yes, it does work if this is what you mean: I wasn't sure, thanks for figuring this out! > diff --git a/drivers/gpu/drm/drm_simple_kms_helper.c > b/drivers/gpu/drm/drm_simple_kms_helper.c > index a05eca9cec8b..c48858bb2823 100644 > --- a/drivers/gpu/drm/drm_simple_kms_helper.c > +++ b/drivers/gpu/drm/drm_simple_kms_helper.c > @@ -122,14 +122,6 @@ static int drm_simple_kms_plane_atomic_check(struct > drm_plane *plane, >         crtc_state = drm_atomic_get_new_crtc_state(plane_state->state, > &pipe->crtc); > > -       if (!crtc_state || !crtc_state->enable) > -               /* nothing to check when disabling or disabled or no CRTC > set */ > -               return 0; > - > -       if (crtc_state->enable) > -               drm_mode_get_hv_timing(&crtc_state->mode, > -                                      &clip.x2, &clip.y2); > - >         ret = drm_atomic_helper_check_plane_state(plane_state, crtc_state, >                                                   &clip, > DRM_PLANE_HELPER_NO_SCALING, > @@ -138,6 +130,13 @@ static int drm_simple_kms_plane_atomic_check(struct > drm_plane *plane, >         if (ret) >                 return ret; > > +       if (!plane_state->visible || !crtc_state->enable) > +               return 0; /* nothing to check when disabling or disabled */ if (!plane_state->visible) { WARN_ON(crtc_state->enabled); return 0; } The helper call above should guarantee this. > + > +       if (plane_state->visible && crtc_state->enable) Similar here. > +               drm_mode_get_hv_timing(&crtc_state->mode, > +                                      &clip.x2, &clip.y2); > + >         if (!plane_state->visible) >                 return -EINVAL; This can now be removed, the plane helper takes care of checking for plane_state->visible != crtc_state->enable. Please also remove. > > We'd need to add a guarantee to drm_atomic_helper_check_plane_state that > > it can cope with crtc_state == NULL, but I think that's a good idea > > anyway. Atm it shouldn't end up looking at the crtc_state pointer in that > > case. > It doesn't look at it at the moment > > Otherwise we'll just go with your fix, but it feels all a bit too fragile, > > hence why I want to explore more robust options a bit. > At list with the change above it passes my test which failed > before. Although I cannot confirm it works for others, but it > certainly does for me. > > -Daniel > Do you want me to send v1 with the code above? Yes please, with my above cleanup suggestions. Thanks, Daniel -- Daniel Vetter Software Engineer, Intel Corporation http://blog.ffwll.ch From mboxrd@z Thu Jan 1 00:00:00 1970 From: Daniel Vetter Subject: Re: [PATCH] drm/simple_kms_helper: Fix NULL pointer dereference with no active CRTC Date: Tue, 20 Feb 2018 12:17:48 +0100 Message-ID: <20180220111748.GJ22199@phenom.ffwll.local> References: <1518511456-28257-1-git-send-email-andr2000@gmail.com> <20180219143002.GC22199@phenom.ffwll.local> Mime-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 Return-path: Received: from mail-wr0-x241.google.com (mail-wr0-x241.google.com [IPv6:2a00:1450:400c:c0c::241]) by gabe.freedesktop.org (Postfix) with ESMTPS id 631226E387 for ; Tue, 20 Feb 2018 11:17:52 +0000 (UTC) Received: by mail-wr0-x241.google.com with SMTP id s5so13273608wra.0 for ; Tue, 20 Feb 2018 03:17:52 -0800 (PST) Content-Disposition: inline In-Reply-To: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dri-devel-bounces@lists.freedesktop.org Sender: "dri-devel" To: Oleksandr Andrushchenko Cc: Oleksandr Andrushchenko , airlied@linux.ie, linux-kernel@vger.kernel.org, dri-devel@lists.freedesktop.org, daniel.vetter@intel.com List-Id: dri-devel@lists.freedesktop.org T24gTW9uLCBGZWIgMTksIDIwMTggYXQgMDQ6NTg6NDNQTSArMDIwMCwgT2xla3NhbmRyIEFuZHJ1 c2hjaGVua28gd3JvdGU6Cj4gT24gMDIvMTkvMjAxOCAwNDozMCBQTSwgRGFuaWVsIFZldHRlciB3 cm90ZToKPiA+IE9uIFR1ZSwgRmViIDEzLCAyMDE4IGF0IDEwOjQ0OjE2QU0gKzAyMDAsIE9sZWtz YW5kciBBbmRydXNoY2hlbmtvIHdyb3RlOgo+ID4gPiBGcm9tOiBPbGVrc2FuZHIgQW5kcnVzaGNo ZW5rbyA8b2xla3NhbmRyX2FuZHJ1c2hjaGVua29AZXBhbS5jb20+Cj4gPiA+IAo+ID4gPiBJdCBp cyBwb3NzaWJsZSB0aGF0IGRybV9zaW1wbGVfa21zX3BsYW5lX2F0b21pY19jaGVjayBjYWxsZWQK PiA+ID4gd2l0aCBubyBDUlRDIHNldCwgZS5nLiB3aGVuIHVzZXItc3BhY2UgYXBwbGljYXRpb24g c2V0cyBDUlRDX0lEL0ZCX0lECj4gPiA+IHRvIDAgYmVmb3JlIGRvaW5nIGFueSBhY3R1YWwgZHJh d2luZy4gVGhpcyBsZWFkcyB0byBOVUxMIHBvaW50ZXIKPiA+ID4gZGVyZWZlcmVuY2UgYmVjYXVz ZSBpbiB0aGlzIGNhc2UgbmV3IENSVEMgc3RhdGUgaXMgTlVMTCBhbmQgbXVzdCBiZQo+ID4gPiBj aGVja2VkIGJlZm9yZSBhY2Nlc3NpbmcuCj4gPiA+IAo+ID4gPiBTaWduZWQtb2ZmLWJ5OiBPbGVr c2FuZHIgQW5kcnVzaGNoZW5rbyA8b2xla3NhbmRyX2FuZHJ1c2hjaGVua29AZXBhbS5jb20+Cj4g PiA+IC0tLQo+ID4gPiAgIGRyaXZlcnMvZ3B1L2RybS9kcm1fc2ltcGxlX2ttc19oZWxwZXIuYyB8 IDYgKysrKy0tCj4gPiA+ICAgMSBmaWxlIGNoYW5nZWQsIDQgaW5zZXJ0aW9ucygrKSwgMiBkZWxl dGlvbnMoLSkKPiA+ID4gCj4gPiA+IGRpZmYgLS1naXQgYS9kcml2ZXJzL2dwdS9kcm0vZHJtX3Np bXBsZV9rbXNfaGVscGVyLmMgYi9kcml2ZXJzL2dwdS9kcm0vZHJtX3NpbXBsZV9rbXNfaGVscGVy LmMKPiA+ID4gaW5kZXggOWNhOGE0YTU5Yjc0Li5hMDVlY2E5Y2VjOGIgMTAwNjQ0Cj4gPiA+IC0t LSBhL2RyaXZlcnMvZ3B1L2RybS9kcm1fc2ltcGxlX2ttc19oZWxwZXIuYwo+ID4gPiArKysgYi9k cml2ZXJzL2dwdS9kcm0vZHJtX3NpbXBsZV9rbXNfaGVscGVyLmMKPiA+ID4gQEAgLTEyMSw4ICsx MjEsMTAgQEAgc3RhdGljIGludCBkcm1fc2ltcGxlX2ttc19wbGFuZV9hdG9taWNfY2hlY2soc3Ry dWN0IGRybV9wbGFuZSAqcGxhbmUsCj4gPiA+ICAgCXBpcGUgPSBjb250YWluZXJfb2YocGxhbmUs IHN0cnVjdCBkcm1fc2ltcGxlX2Rpc3BsYXlfcGlwZSwgcGxhbmUpOwo+ID4gPiAgIAljcnRjX3N0 YXRlID0gZHJtX2F0b21pY19nZXRfbmV3X2NydGNfc3RhdGUocGxhbmVfc3RhdGUtPnN0YXRlLAo+ ID4gPiAgIAkJCQkJCSAgICZwaXBlLT5jcnRjKTsKPiA+ID4gLQlpZiAoIWNydGNfc3RhdGUtPmVu YWJsZSkKPiA+ID4gLQkJcmV0dXJuIDA7IC8qIG5vdGhpbmcgdG8gY2hlY2sgd2hlbiBkaXNhYmxp bmcgb3IgZGlzYWJsZWQgKi8KPiA+ID4gKwo+ID4gPiArCWlmICghY3J0Y19zdGF0ZSB8fCAhY3J0 Y19zdGF0ZS0+ZW5hYmxlKQo+ID4gPiArCQkvKiBub3RoaW5nIHRvIGNoZWNrIHdoZW4gZGlzYWJs aW5nIG9yIGRpc2FibGVkIG9yIG5vIENSVEMgc2V0ICovCj4gPiA+ICsJCXJldHVybiAwOwo+ID4g PiAgIAlpZiAoY3J0Y19zdGF0ZS0+ZW5hYmxlKQo+ID4gPiAgIAkJZHJtX21vZGVfZ2V0X2h2X3Rp bWluZygmY3J0Y19zdGF0ZS0+bW9kZSwKPiA+IEhtLCB0aGlzIGlzIGEgYml0IGFubm95aW5nLCBz aW5jZSB0aGUgY2FuX3Bvc2l0aW9uID0gZmFsc2UgcGFyYW1ldGVyIHRvCj4gPiBkcm1fYXRvbWlj X2hlbHBlcl9jaGVja19wbGFuZV9zdGF0ZSBpcyBzdXBwb3NlZCB0byBjYXRjaCBhbGwgdGhpcy4g V291bGQKPiA+IG1vdmluZyBhbGwgdGhlIGNoZWNrcyBhZnRlciB0aGUgY2FsbCB0byB0aGF0IGhl bHBlciwgYW5kIGdhdGluZyB0aGVtIG9uCj4gPiBwbGFuZV9zdGF0ZS0+dmlzaWJsZSBhbHNvIHdv cms/Cj4gWWVzLCBpdCBkb2VzIHdvcmsgaWYgdGhpcyBpcyB3aGF0IHlvdSBtZWFuOgoKSSB3YXNu J3Qgc3VyZSwgdGhhbmtzIGZvciBmaWd1cmluZyB0aGlzIG91dCEKCj4gZGlmZiAtLWdpdCBhL2Ry aXZlcnMvZ3B1L2RybS9kcm1fc2ltcGxlX2ttc19oZWxwZXIuYwo+IGIvZHJpdmVycy9ncHUvZHJt L2RybV9zaW1wbGVfa21zX2hlbHBlci5jCj4gaW5kZXggYTA1ZWNhOWNlYzhiLi5jNDg4NThiYjI4 MjMgMTAwNjQ0Cj4gLS0tIGEvZHJpdmVycy9ncHUvZHJtL2RybV9zaW1wbGVfa21zX2hlbHBlci5j Cj4gKysrIGIvZHJpdmVycy9ncHUvZHJtL2RybV9zaW1wbGVfa21zX2hlbHBlci5jCj4gQEAgLTEy MiwxNCArMTIyLDYgQEAgc3RhdGljIGludCBkcm1fc2ltcGxlX2ttc19wbGFuZV9hdG9taWNfY2hl Y2soc3RydWN0Cj4gZHJtX3BsYW5lICpwbGFuZSwKPiDCoMKgwqDCoMKgwqDCoCBjcnRjX3N0YXRl ID0gZHJtX2F0b21pY19nZXRfbmV3X2NydGNfc3RhdGUocGxhbmVfc3RhdGUtPnN0YXRlLAo+ICZw aXBlLT5jcnRjKTsKPiAKPiAtwqDCoMKgwqDCoMKgIGlmICghY3J0Y19zdGF0ZSB8fCAhY3J0Y19z dGF0ZS0+ZW5hYmxlKQo+IC3CoMKgwqDCoMKgwqDCoMKgwqDCoMKgwqDCoMKgIC8qIG5vdGhpbmcg dG8gY2hlY2sgd2hlbiBkaXNhYmxpbmcgb3IgZGlzYWJsZWQgb3Igbm8gQ1JUQwo+IHNldCAqLwo+ IC3CoMKgwqDCoMKgwqDCoMKgwqDCoMKgwqDCoMKgIHJldHVybiAwOwo+IC0KPiAtwqDCoMKgwqDC oMKgIGlmIChjcnRjX3N0YXRlLT5lbmFibGUpCj4gLcKgwqDCoMKgwqDCoMKgwqDCoMKgwqDCoMKg wqAgZHJtX21vZGVfZ2V0X2h2X3RpbWluZygmY3J0Y19zdGF0ZS0+bW9kZSwKPiAtwqDCoMKgwqDC oMKgwqDCoMKgwqDCoMKgwqDCoMKgwqDCoMKgwqDCoMKgwqDCoMKgwqDCoMKgwqDCoMKgwqDCoMKg wqDCoMKgwqAgJmNsaXAueDIsICZjbGlwLnkyKTsKPiAtCj4gwqDCoMKgwqDCoMKgwqAgcmV0ID0g ZHJtX2F0b21pY19oZWxwZXJfY2hlY2tfcGxhbmVfc3RhdGUocGxhbmVfc3RhdGUsIGNydGNfc3Rh dGUsCj4gwqDCoMKgwqDCoMKgwqDCoMKgwqDCoMKgwqDCoMKgwqDCoMKgwqDCoMKgwqDCoMKgwqDC oMKgwqDCoMKgwqDCoMKgwqDCoMKgwqDCoMKgwqDCoMKgwqDCoMKgwqDCoMKgwqAgJmNsaXAsCj4g RFJNX1BMQU5FX0hFTFBFUl9OT19TQ0FMSU5HLAo+IEBAIC0xMzgsNiArMTMwLDEzIEBAIHN0YXRp YyBpbnQgZHJtX3NpbXBsZV9rbXNfcGxhbmVfYXRvbWljX2NoZWNrKHN0cnVjdAo+IGRybV9wbGFu ZSAqcGxhbmUsCj4gwqDCoMKgwqDCoMKgwqAgaWYgKHJldCkKPiDCoMKgwqDCoMKgwqDCoMKgwqDC oMKgwqDCoMKgwqAgcmV0dXJuIHJldDsKPiAKPiArwqDCoMKgwqDCoMKgIGlmICghcGxhbmVfc3Rh dGUtPnZpc2libGUgfHwgIWNydGNfc3RhdGUtPmVuYWJsZSkKPiArwqDCoMKgwqDCoMKgwqDCoMKg wqDCoMKgwqDCoCByZXR1cm4gMDsgLyogbm90aGluZyB0byBjaGVjayB3aGVuIGRpc2FibGluZyBv ciBkaXNhYmxlZCAqLwoKaWYgKCFwbGFuZV9zdGF0ZS0+dmlzaWJsZSkgewoJV0FSTl9PTihjcnRj X3N0YXRlLT5lbmFibGVkKTsKCXJldHVybiAwOwp9CgpUaGUgaGVscGVyIGNhbGwgYWJvdmUgc2hv dWxkIGd1YXJhbnRlZSB0aGlzLgo+ICsKPiArwqDCoMKgwqDCoMKgIGlmIChwbGFuZV9zdGF0ZS0+ dmlzaWJsZSAmJiBjcnRjX3N0YXRlLT5lbmFibGUpCgpTaW1pbGFyIGhlcmUuCgo+ICvCoMKgwqDC oMKgwqDCoMKgwqDCoMKgwqDCoMKgIGRybV9tb2RlX2dldF9odl90aW1pbmcoJmNydGNfc3RhdGUt Pm1vZGUsCj4gK8KgwqDCoMKgwqDCoMKgwqDCoMKgwqDCoMKgwqDCoMKgwqDCoMKgwqDCoMKgwqDC oMKgwqDCoMKgwqDCoMKgwqDCoMKgwqDCoMKgICZjbGlwLngyLCAmY2xpcC55Mik7Cj4gKwo+IMKg wqDCoMKgwqDCoMKgIGlmICghcGxhbmVfc3RhdGUtPnZpc2libGUpCj4gwqDCoMKgwqDCoMKgwqDC oMKgwqDCoMKgwqDCoMKgIHJldHVybiAtRUlOVkFMOwoKVGhpcyBjYW4gbm93IGJlIHJlbW92ZWQs IHRoZSBwbGFuZSBoZWxwZXIgdGFrZXMgY2FyZSBvZiBjaGVja2luZyBmb3IKcGxhbmVfc3RhdGUt PnZpc2libGUgIT0gY3J0Y19zdGF0ZS0+ZW5hYmxlLiBQbGVhc2UgYWxzbyByZW1vdmUuCgo+ID4g V2UnZCBuZWVkIHRvIGFkZCBhIGd1YXJhbnRlZSB0byBkcm1fYXRvbWljX2hlbHBlcl9jaGVja19w bGFuZV9zdGF0ZSB0aGF0Cj4gPiBpdCBjYW4gY29wZSB3aXRoIGNydGNfc3RhdGUgPT0gTlVMTCwg YnV0IEkgdGhpbmsgdGhhdCdzIGEgZ29vZCBpZGVhCj4gPiBhbnl3YXkuIEF0bSBpdCBzaG91bGRu J3QgZW5kIHVwIGxvb2tpbmcgYXQgdGhlIGNydGNfc3RhdGUgcG9pbnRlciBpbiB0aGF0Cj4gPiBj YXNlLgo+IEl0IGRvZXNuJ3QgbG9vayBhdCBpdCBhdCB0aGUgbW9tZW50Cj4gPiBPdGhlcndpc2Ug d2UnbGwganVzdCBnbyB3aXRoIHlvdXIgZml4LCBidXQgaXQgZmVlbHMgYWxsIGEgYml0IHRvbyBm cmFnaWxlLAo+ID4gaGVuY2Ugd2h5IEkgd2FudCB0byBleHBsb3JlIG1vcmUgcm9idXN0IG9wdGlv bnMgYSBiaXQuCj4gQXQgbGlzdCB3aXRoIHRoZSBjaGFuZ2UgYWJvdmUgaXQgcGFzc2VzIG15IHRl c3Qgd2hpY2ggZmFpbGVkCj4gYmVmb3JlLiBBbHRob3VnaCBJIGNhbm5vdCBjb25maXJtIGl0IHdv cmtzIGZvciBvdGhlcnMsIGJ1dCBpdAo+IGNlcnRhaW5seSBkb2VzIGZvciBtZS4KPiA+IC1EYW5p ZWwKPiBEbyB5b3Ugd2FudCBtZSB0byBzZW5kIHYxIHdpdGggdGhlIGNvZGUgYWJvdmU/CgpZZXMg cGxlYXNlLCB3aXRoIG15IGFib3ZlIGNsZWFudXAgc3VnZ2VzdGlvbnMuCgpUaGFua3MsIERhbmll bAotLSAKRGFuaWVsIFZldHRlcgpTb2Z0d2FyZSBFbmdpbmVlciwgSW50ZWwgQ29ycG9yYXRpb24K aHR0cDovL2Jsb2cuZmZ3bGwuY2gKX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19f X19fX19fX19fX18KZHJpLWRldmVsIG1haWxpbmcgbGlzdApkcmktZGV2ZWxAbGlzdHMuZnJlZWRl c2t0b3Aub3JnCmh0dHBzOi8vbGlzdHMuZnJlZWRlc2t0b3Aub3JnL21haWxtYW4vbGlzdGluZm8v ZHJpLWRldmVsCg==