[PATCH, RESEND] drm/vmwgfx: Don't double-free the mode stored in par->set_mode

Thomas Zimmermann tzimmermann at suse.de
Tue Mar 19 17:56:26 UTC 2019 

Hi Deepak

Am 18.03.19 um 17:59 schrieb Deepak Singh Rawat:
> Hi Thomas,
> 
> Thanks for doing this and somehow I missed the last patch, sorry about
> that. Have some questions below otherwise the patch looks good to me.
> 
> Reviewed-by: Deepak Rawat <drawat at vmware.com>
> 
> I will include your changes in vmwgfx-next and run tests.

Thank you.

> 
> On Mon, 2019-03-18 at 15:47 +0100, Thomas Zimmermann wrote:
>> When calling vmw_fb_set_par(), the mode stored in par->set_mode gets
>> free'd
>> twice. The first free is in vmw_fb_kms_detach(), the second is near
>> the
>> end of vmw_fb_set_par() under the name of 'old_mode'. The mode-
>> setting code
>> only works correctly if the mode doesn't actually change.
> 
> You mean to say that without your patch vmwgfx fb driver fail to change
> the mode?

Yes. It's hard to trigger as the usual resolution always appears to be
800x600. We (SUSE) have a customer with a custom X11 modeline setting,
which sets the resolution to something different. In this case, the
double-free bug happens.

> 
>>  Removing 'old_mode'
>> in favor of using par->set_mode directly fixes the problem.
>>
>> Signed-off-by: Thomas Zimmermann <tzimmermann at suse.de>
>> ---
>>  drivers/gpu/drm/vmwgfx/vmwgfx_fb.c | 12 +++---------
>>  1 file changed, 3 insertions(+), 9 deletions(-)
>>
>> diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_fb.c
>> b/drivers/gpu/drm/vmwgfx/vmwgfx_fb.c
>> index b913a56f3426..2a9112515f46 100644
>> --- a/drivers/gpu/drm/vmwgfx/vmwgfx_fb.c
>> +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_fb.c
>> @@ -564,11 +564,9 @@ static int vmw_fb_set_par(struct fb_info *info)
>>  		0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
>>  		DRM_MODE_FLAG_NHSYNC | DRM_MODE_FLAG_PVSYNC)
>>  	};
>> -	struct drm_display_mode *old_mode;
>>  	struct drm_display_mode *mode;
>>  	int ret;
>>
>> -	old_mode = par->set_mode;
>>  	mode = drm_mode_duplicate(vmw_priv->dev, &new_mode);
>>  	if (!mode) {
>>  		DRM_ERROR("Could not create new fb mode.\n");
>> @@ -579,11 +577,7 @@ static int vmw_fb_set_par(struct fb_info *info)
>>  	mode->vdisplay = var->yres;
>>  	vmw_guess_mode_timing(mode);
>>
>> -	if (old_mode && drm_mode_equal(old_mode, mode)) {
>> -		drm_mode_destroy(vmw_priv->dev, mode);
>> -		mode = old_mode;
>> -		old_mode = NULL;
> 
> I am having hard time understanding original intention for this piece
> of code. Was there a restriction to send pointer to old mode if mode
> were same and that restriction don't hold anymore. Sorry I am not
> familiar with this code area.

Hmm, I can only guess about motivation: it looks like the author wanted
to keep the original value of 'par->set_mode' unless the mode really
changes. But it doesn't make a difference whether the pointer's value
changes or not.

Best regards
Thomas

> 
>> -	} else if (!vmw_kms_validate_mode_vram(vmw_priv,
>> +	if (!vmw_kms_validate_mode_vram(vmw_priv,
>>  					mode->hdisplay *
>>  					DIV_ROUND_UP(var-
>>> bits_per_pixel, 8),
>>  					mode->vdisplay)) {
>> @@ -620,8 +614,8 @@ static int vmw_fb_set_par(struct fb_info *info)
>>  	schedule_delayed_work(&par->local_work, 0);
>>
>>  out_unlock:
>> -	if (old_mode)
>> -		drm_mode_destroy(vmw_priv->dev, old_mode);
>> +	if (par->set_mode)
>> +		drm_mode_destroy(vmw_priv->dev, par->set_mode);
>>  	par->set_mode = mode;
>>
>>  	mutex_unlock(&par->bo_mutex);
>> --
>> 2.20.1
>>
>> _______________________________________________
>> dri-devel mailing list
>> dri-devel at lists.freedesktop.org
>>
> https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.freedesktop.org%2Fmailman%2Flistinfo%2Fdri-devel&data=02%7C01%7Cdrawat%40vmware.com%7Cb1508247a3954fb0b08b08d6abb0bcd0%7Cb39138ca3cee4b4aa4d6cd83d9dd62f0%7C0%7C0%7C636885172908359973&sdata=AN6UTrMzxcVK7MC6bX3OxNbcyq0j4HdKt0dk1yyHOHc%3D&reserved=0
> 

-- 
Thomas Zimmermann
Graphics Driver Developer
SUSE Linux GmbH, Maxfeldstr. 5, D-90409 Nürnberg
Tel: +49-911-74053-0; Fax: +49-911-7417755;  https://www.suse.com/
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard,
Graham Norton, HRB 21284 (AG Nürnberg)

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <https://lists.freedesktop.org/archives/dri-devel/attachments/20190319/92b29d0d/attachment.sig>

More information about the dri-devel mailing list