[v2,i-g-t,1/4] igt_kms: Avoid NULL ptr deref when committing disabled planes

Message ID 1430819603-492-1-git-send-email-tvrtko.ursulin@linux.intel.com
State New

Commit Message

Tvrtko Ursulin May 5, 2015, 9:53 a.m. UTC
From: Tvrtko Ursulin <tvrtko.ursulin@intel.com>

I think:

   commit a26f9f9ad0e679c7ce413a25d34f6914e1174151
   Author: chandra konduru <chandra.konduru@intel.com>
   Date:   Mon Mar 30 13:52:04 2015 -0700

       i-g-t: Adding plane scaling test case

introduced a condition where it attempts to update a disabled plane because
of the newly introduced size_changed flag which is set for disabled frame
buffers. Result is a NULL ptr deref in igt_drm_plane_commit (plane->fb->src_x).

Start recognising this case as a disabled plane and act accordingly.

v2: Split out igt_plane_set_fb cleanup. (Thomas Wood)

Signed-off-by: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
Cc: chandra konduru <chandra.konduru@intel.com>
Cc: Thomas Wood <thomas.wood@intel.com>
---
There might be a better fix, but this works for me.
---
 lib/igt_kms.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Chandra Konduru May 6, 2015, 8:47 p.m. UTC | #1
> -----Original Message-----
> From: Tvrtko Ursulin [mailto:tvrtko.ursulin@linux.intel.com]
> Sent: Tuesday, May 05, 2015 2:53 AM
> To: Intel-gfx@lists.freedesktop.org
> Cc: Ursulin, Tvrtko; Konduru, Chandra; Wood, Thomas
> Subject: [PATCH v2 i-g-t 1/4] igt_kms: Avoid NULL ptr deref when committing
> disabled planes
> 
> From: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
> 
> I think:
> 
>    commit a26f9f9ad0e679c7ce413a25d34f6914e1174151
>    Author: chandra konduru <chandra.konduru@intel.com>
>    Date:   Mon Mar 30 13:52:04 2015 -0700
> 
>        i-g-t: Adding plane scaling test case
> 
> introduced a condition where it attempts to update a disabled plane because of
> the newly introduced size_changed flag which is set for disabled frame buffers.
> Result is a NULL ptr deref in igt_drm_plane_commit (plane->fb->src_x).
> 
> Start recognising this case as a disabled plane and act accordingly.
> 
> v2: Split out igt_plane_set_fb cleanup. (Thomas Wood)
> 
> Signed-off-by: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
> Cc: chandra konduru <chandra.konduru@intel.com>
> Cc: Thomas Wood <thomas.wood@intel.com>
> ---
> There might be a better fix, but this works for me.
> ---
>  lib/igt_kms.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/lib/igt_kms.c b/lib/igt_kms.c index b7d1e90..33d437d 100644
> --- a/lib/igt_kms.c
> +++ b/lib/igt_kms.c
> @@ -1331,7 +1331,7 @@ static int igt_drm_plane_commit(igt_plane_t *plane,
>  	fb_id = igt_plane_get_fb_id(plane);
>  	crtc_id = output->config.crtc->crtc_id;
> 
> -	if (plane->fb_changed && fb_id == 0) {
> +	if ((plane->fb_changed || plane->size_changed) && fb_id == 0) {

Shouldn't this include plane->position_changed too? Like:
	if ((plane->fb_changed || plane->size_changed || plane->position_changed) && fb_id == 0) {

>  		LOG(display,
>  		    "%s: SetPlane pipe %s, plane %d, disabling\n",
>  		    igt_output_name(output),
> --
> 2.3.5
Tvrtko Ursulin May 7, 2015, 9 a.m. UTC | #2
On 05/06/2015 09:47 PM, Konduru, Chandra wrote:
>> -----Original Message-----
>> From: Tvrtko Ursulin [mailto:tvrtko.ursulin@linux.intel.com]
>> Sent: Tuesday, May 05, 2015 2:53 AM
>> To: Intel-gfx@lists.freedesktop.org
>> Cc: Ursulin, Tvrtko; Konduru, Chandra; Wood, Thomas
>> Subject: [PATCH v2 i-g-t 1/4] igt_kms: Avoid NULL ptr deref when committing
>> disabled planes
>>
>> From: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
>>
>> I think:
>>
>>     commit a26f9f9ad0e679c7ce413a25d34f6914e1174151
>>     Author: chandra konduru <chandra.konduru@intel.com>
>>     Date:   Mon Mar 30 13:52:04 2015 -0700
>>
>>         i-g-t: Adding plane scaling test case
>>
>> introduced a condition where it attempts to update a disabled plane because of
>> the newly introduced size_changed flag which is set for disabled frame buffers.
>> Result is a NULL ptr deref in igt_drm_plane_commit (plane->fb->src_x).
>>
>> Start recognising this case as a disabled plane and act accordingly.
>>
>> v2: Split out igt_plane_set_fb cleanup. (Thomas Wood)
>>
>> Signed-off-by: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
>> Cc: chandra konduru <chandra.konduru@intel.com>
>> Cc: Thomas Wood <thomas.wood@intel.com>
>> ---
>> There might be a better fix, but this works for me.
>> ---
>>   lib/igt_kms.c | 2 +-
>>   1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/lib/igt_kms.c b/lib/igt_kms.c index b7d1e90..33d437d 100644
>> --- a/lib/igt_kms.c
>> +++ b/lib/igt_kms.c
>> @@ -1331,7 +1331,7 @@ static int igt_drm_plane_commit(igt_plane_t *plane,
>>   	fb_id = igt_plane_get_fb_id(plane);
>>   	crtc_id = output->config.crtc->crtc_id;
>>
>> -	if (plane->fb_changed && fb_id == 0) {
>> +	if ((plane->fb_changed || plane->size_changed) && fb_id == 0) {
>
> Shouldn't this include plane->position_changed too? Like:
> 	if ((plane->fb_changed || plane->size_changed || plane->position_changed) && fb_id == 0) {

When you added size_changed, state for position_changed and fb == NULL 
remained the same, while size_changed added new state for size_changed 
== true and fb == NULL. So I added handling for that and did not think 
much beyond it. It fixes a segfault so I moved on. Or in other words, I 
don't see how it would harm to merge this, it doesn't make anything worse.

Regards,

Tvrtko
Chandra Konduru May 7, 2015, 11:45 p.m. UTC | #3
> >> diff --git a/lib/igt_kms.c b/lib/igt_kms.c index b7d1e90..33d437d
> >> 100644
> >> --- a/lib/igt_kms.c
> >> +++ b/lib/igt_kms.c
> >> @@ -1331,7 +1331,7 @@ static int igt_drm_plane_commit(igt_plane_t
> *plane,
> >>   	fb_id = igt_plane_get_fb_id(plane);
> >>   	crtc_id = output->config.crtc->crtc_id;
> >>
> >> -	if (plane->fb_changed && fb_id == 0) {
> >> +	if ((plane->fb_changed || plane->size_changed) && fb_id == 0) {
> >
> > Shouldn't this include plane->position_changed too? Like:
> > 	if ((plane->fb_changed || plane->size_changed ||
> > plane->position_changed) && fb_id == 0) {
> 
> When you added size_changed, state for position_changed and fb == NULL
> remained the same, while size_changed added new state for size_changed ==
> true and fb == NULL. So I added handling for that and did not think much beyond
> it. It fixes a segfault so I moved on. Or in other words, I don't see how it would
> harm to merge this, it doesn't make anything worse.
Agree it doesn't harm to merge. 
> 
> Regards,
> 
> Tvrtko

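To make the plane states argued over in the thread concrete, here is a constructed model of the disable guard in igt_drm_plane_commit (an added example, not igt's own code). It assumes, as the commit message describes, that the update path dereferences plane->fb whenever any change flag is pending, and compares the pre-patch guard, the guard in this patch, and a guard keyed on any pending change; the guard enum and the commit_without_fb helper are invented for the example.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed model of the plane state argued over above (added example, not
 * igt's own code). The plane->fb dereference in the update path is reported as
 * a result code instead of performed, so the guards compare without crashing. */
struct fb { unsigned int fb_id; int src_x; };
struct plane {
	struct fb *fb;
	bool fb_changed, size_changed, position_changed;
};

enum commit_result { COMMIT_NOOP, COMMIT_DISABLE, COMMIT_UPDATE, COMMIT_NULL_DEREF };
enum guard { GUARD_BEFORE, GUARD_PATCH, GUARD_ANY_CHANGE };

static unsigned int plane_get_fb_id(const struct plane *p)
{
	return p->fb ? p->fb->fb_id : 0;
}

/* GUARD_BEFORE: pre-patch disable test (fb_changed only). GUARD_PATCH: the test
 * in this patch (fb_changed || size_changed). GUARD_ANY_CHANGE: disable on any
 * pending change with no fb, which also covers the position_changed case. */
static enum commit_result plane_commit(const struct plane *p, enum guard g)
{
	unsigned int fb_id = plane_get_fb_id(p);
	bool any_change = p->fb_changed || p->size_changed || p->position_changed;
	bool disable;

	switch (g) {
	case GUARD_BEFORE: disable = p->fb_changed; break;
	case GUARD_PATCH:  disable = p->fb_changed || p->size_changed; break;
	default:           disable = any_change; break;
	}

	if (disable && fb_id == 0)
		return COMMIT_DISABLE;
	if (any_change)	/* update path: the real code reads plane->fb->src_x here */
		return p->fb ? COMMIT_UPDATE : COMMIT_NULL_DEREF;
	return COMMIT_NOOP;
}

/* Commit a plane whose fb is NULL (disabled): size_changed alone is the commit
 * message case, position_changed alone the case raised in review. */
static enum commit_result commit_without_fb(bool size_changed, bool position_changed, enum guard g)
{
	struct plane p = { .fb = NULL, .size_changed = size_changed,
			   .position_changed = position_changed };
	return plane_commit(&p, g);
}
```

With GUARD_PATCH the size_changed case now takes the disable branch, while the position_changed-only case still reaches the modelled dereference; GUARD_ANY_CHANGE disables in both.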
Patch

diff --git a/lib/igt_kms.c b/lib/igt_kms.c
index b7d1e90..33d437d 100644
--- a/lib/igt_kms.c
+++ b/lib/igt_kms.c
@@ -1331,7 +1331,7 @@  static int igt_drm_plane_commit(igt_plane_t *plane,
 	fb_id = igt_plane_get_fb_id(plane);
 	crtc_id = output->config.crtc->crtc_id;
 
-	if (plane->fb_changed && fb_id == 0) {
+	if ((plane->fb_changed || plane->size_changed) && fb_id == 0) {
 		LOG(display,
 		    "%s: SetPlane pipe %s, plane %d, disabling\n",
 		    igt_output_name(output),
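Review bot: the widened guard `if ((plane->fb_changed || plane->size_changed) && fb_id == 0)` still enumerates specific flags, so a plane with only `plane->position_changed` set and `fb_id == 0` (the case raised in review) bypasses the disable branch and reaches the same `plane->fb->src_x` dereference the commit message describes. Keying the disable branch on `fb_id == 0` for any pending change, or adding `plane->position_changed` to the condition as suggested, would close that gap rather than fixing one flag at a time.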