[PATCH] drm/i915: Rip out GET_SPRITE_COLORKEY ioctl

Tommi Rantala tt.rantala at gmail.com
Fri Mar 27 10:40:43 PDT 2015


2015-03-27 18:42 GMT+02:00 Jani Nikula <jani.nikula at linux.intel.com>:
> On Fri, 27 Mar 2015, Daniel Vetter <daniel at ffwll.ch> wrote:
>> On Fri, Mar 27, 2015 at 09:10:02AM +0100, Daniel Vetter wrote:
>>> It's completely unused and Tommi noticed that the #define is borked
>>> since forever. I've done a git search in userspace and only found
>>> broken definitions and no users anywhere.
>>>
>>> Cc: Tommi Rantala <tt.rantala at gmail.com>
>>> Signed-off-by: Daniel Vetter <daniel.vetter at intel.com>
>>
>> Hm Tommi discovered oopses in there, so I guess this should be
>> cherry-picked to -fixes+cc: stable too? Jani?
>
> My OCD really wants to know why this blows up. The get/set functions
> look so similar that it feels like the set should fail just the same...
> Tommi, did you try just the set part of your test program [1]?

Yes, both the set and get ioctls crash:

[   20.868660] BUG: unable to handle kernel NULL pointer dereference at           (null)
[   20.876527] IP: [<          (null)>]           (null)
[   20.881573] PGD c4f7d067 PUD c2a6b067 PMD 0
[   20.885866] Oops: 0010 [#1] SMP KASAN
[   20.889549] CPU: 1 PID: 2207 Comm: main Not tainted 4.0.0-rc5+ #89
[   20.902805] task: ffff8800c4fad380 ti: ffff8800c2b98000 task.ti: ffff8800c2b98000
[   20.910257] RIP: 0010:[<0000000000000000>]  [<          (null)>]           (null)
[   20.917722] RSP: 0018:ffff8800c2b9fd30  EFLAGS: 00010246
[   20.923012] RAX: ffffed002e87c961 RBX: ffff88017463d000 RCX: 0000000000000006
[   20.930116] RDX: dffffc0000000000 RSI: ffff8800c2b9fdd8 RDI: ffff8801743e4800
[   20.937214] RBP: ffff8800c2b9fd68 R08: 0000000000000000 R09: 0000000000000000
[   20.944318] R10: 0000000000000000 R11: 0000000000000000 R12: ffff8800c2b9fdd8
[   20.951416] R13: ffff8801743e48d8 R14: 00000000fffffffe R15: ffff8801743e4800
[   20.958524] FS:  00007f7139b3a700(0000) GS:ffff880175e00000(0000) knlGS:0000000000000000
[   20.966575] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   20.972300] CR2: 0000000000000000 CR3: 00000000c2a67000 CR4: 00000000000406e0
[   20.979407] Stack:
[   20.981414]  ffffffff81b4a11d ffff8800c2b9fd68 ffff88017463d000 ffff8800c4c50c00
[   20.988838]  0000000000000014 fffffffffffffff2 ffffffff8271c3e0 ffff8800c2b9fe88
[   20.996238]  ffffffff818acbbc ffff8800c2b9fe18 ffffffff8165d7c2 ffffffff8165d660
[   21.003658] Call Trace:
[   21.006110]  [<ffffffff81b4a11d>] ? intel_sprite_set_colorkey+0xad/0xf0
[   21.012695]  [<ffffffff818acbbc>] drm_ioctl+0x27c/0x890
[   21.017904]  [<ffffffff8165d7c2>] ? avc_has_perm+0x182/0x320
[   21.023544]  [<ffffffff8165d660>] ? avc_has_perm+0x20/0x320
[   21.029098]  [<ffffffff81b4a070>] ? intel_pre_disable_primary+0x90/0x90
[   21.035690]  [<ffffffff8165ffac>] ? inode_has_perm.isra.28+0x7c/0xa0
[   21.042023]  [<ffffffff812f8caf>] do_vfs_ioctl+0x3cf/0x720
[   21.047488]  [<ffffffff81660caa>] ? selinux_file_ioctl+0x6a/0x130
[   21.053558]  [<ffffffff812f9081>] SyS_ioctl+0x81/0xa0
[   21.058595]  [<ffffffff825e08b2>] system_call_fastpath+0x12/0x17
[   21.064580] Code:  Bad RIP value.
[   21.067916] RIP  [<          (null)>]           (null)
[   21.073048]  RSP <ffff8800c2b9fd30>
[   21.076524] CR2: 0000000000000000
[   21.079863] ---[ end trace 161ba639126f6a45 ]---


[  274.286068] BUG: unable to handle kernel NULL pointer dereference at           (null)
[  274.295149] IP: [<          (null)>]           (null)
[  274.300242] PGD 171999067 PUD 171b93067 PMD 0
[  274.304744] Oops: 0010 [#1] SMP KASAN
[  274.308460] CPU: 0 PID: 2202 Comm: main Not tainted 4.0.0-rc5+ #89
[  274.321856] task: ffff8801726914e0 ti: ffff880172928000 task.ti: ffff880172928000
[  274.329383] RIP: 0010:[<0000000000000000>]  [<          (null)>]           (null)
[  274.336924] RSP: 0018:ffff88017292fd30  EFLAGS: 00010246
[  274.342267] RAX: ffffed002e7bc362 RBX: ffff88017442f000 RCX: 0000000000000007
[  274.349446] RDX: 0000000000000000 RSI: ffff88017292fdd8 RDI: ffff880173de1800
[  274.356624] RBP: ffff88017292fd68 R08: 0000000000000000 R09: 0000000000000000
[  274.363803] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[  274.370979] R13: ffff880173de18d8 R14: ffff88017292fdd8 R15: ffff880173de1800
[  274.378157] FS:  00007f48d6b16700(0000) GS:ffff880175c00000(0000) knlGS:0000000000000000
[  274.386297] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  274.392078] CR2: 0000000000000000 CR3: 000000017188d000 CR4: 00000000000406f0
[  274.399257] Stack:
[  274.401280]  ffffffff81b4a1f7 ffff88017292fd68 ffff88017442f000 ffff880172cc7c00
[  274.408761]  0000000000000014 fffffffffffffff2 ffffffff8271c3c0 ffff88017292fe88
[  274.416244]  ffffffff818acbbc ffff88017292fe18 ffffffff8165d7c2 ffffffff8165d660
[  274.423727] Call Trace:
[  274.426192]  [<ffffffff81b4a1f7>] ? intel_sprite_get_colorkey+0x97/0xc0
[  274.432849]  [<ffffffff818acbbc>] drm_ioctl+0x27c/0x890
[  274.438107]  [<ffffffff8165d7c2>] ? avc_has_perm+0x182/0x320
[  274.443800]  [<ffffffff8165d660>] ? avc_has_perm+0x20/0x320
[  274.449407]  [<ffffffff81b4a160>] ? intel_sprite_set_colorkey+0xf0/0xf0
[  274.456065]  [<ffffffff8165ffac>] ? inode_has_perm.isra.28+0x7c/0xa0
[  274.462462]  [<ffffffff812f8caf>] do_vfs_ioctl+0x3cf/0x720
[  274.467984]  [<ffffffff81660caa>] ? selinux_file_ioctl+0x6a/0x130
[  274.474115]  [<ffffffff812f9081>] SyS_ioctl+0x81/0xa0
[  274.479199]  [<ffffffff825e08b2>] system_call_fastpath+0x12/0x17
[  274.485240] Code:  Bad RIP value.
[  274.488597] RIP  [<          (null)>]           (null)
[  274.493776]  RSP <ffff88017292fd30>
[  274.497283] CR2: 0000000000000000


I debugged this a bit, and found that in intel_sprite_set_colorkey(),
the "intel_plane->update_colorkey" function pointer is NULL, and in
intel_sprite_get_colorkey(), the "intel_plane->get_colorkey" pointer
is NULL. Hence the crash.

If I got it right, the pointers are not set for the "primary" and
"cursor" planes, as initialized in intel_primary_plane_create() and
intel_cursor_plane_create().

Tommi
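
Added example, not part of the original message and not i915 code: a user-space C model of the failure described above, where an ioctl-style handler calls an optional per-plane callback that only the sprite plane fills in. The struct, the function names and the -EINVAL return value are assumptions made for illustration.

```c
/* Added illustration: a user-space model, not i915 source. All names are hypothetical. */
#include <errno.h>
#include <stddef.h>

struct colorkey { unsigned int min_value; };
struct model_plane {                 /* plane with optional colorkey callbacks */
    unsigned int key;
    int (*update_colorkey)(struct model_plane *, const struct colorkey *);
    int (*get_colorkey)(struct model_plane *, struct colorkey *);
};

static int sprite_update(struct model_plane *p, const struct colorkey *k)
{ p->key = k->min_value; return 0; }
static int sprite_get(struct model_plane *p, struct colorkey *k)
{ k->min_value = p->key; return 0; }

/* Index 0 = primary, 1 = cursor (callbacks left NULL), 2 = sprite. */
static struct model_plane planes[] = {
    { 0, NULL, NULL }, { 0, NULL, NULL }, { 0, sprite_update, sprite_get },
};
#define N_PLANES (sizeof(planes) / sizeof(planes[0]))

/* Unchecked: for index 0 or 1 this calls address 0, the fault seen in the oops. */
int set_colorkey_unchecked(size_t id, const struct colorkey *k)
{
    if (id >= N_PLANES) return -ENOENT;
    return planes[id].update_colorkey(&planes[id], k);
}

/* Checked: reject planes lacking the operation (-EINVAL is this example's choice). */
int set_colorkey_checked(size_t id, const struct colorkey *k)
{
    if (id >= N_PLANES) return -ENOENT;
    if (!planes[id].update_colorkey) return -EINVAL;
    return planes[id].update_colorkey(&planes[id], k);
}

int get_colorkey_checked(size_t id, struct colorkey *k)
{
    if (id >= N_PLANES) return -ENOENT;
    if (!planes[id].get_colorkey) return -EINVAL;
    return planes[id].get_colorkey(&planes[id], k);
}

int main(void)
{
    struct colorkey k = { 0x00ff00 };
    return set_colorkey_checked(0, &k) == -EINVAL ? 0 : 1;
}
```

`set_colorkey_unchecked` is kept only for comparison and is never called here; calling it with index 0 or 1 faults on the NULL callback.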

