[igt-dev] [PATCH i-g-t] kms_dp_tiled_display: Fix the double free of drmConnector
Manasi Navare
manasi.d.navare at intel.com
Wed Sep 18 16:38:51 UTC 2019
On Wed, Sep 18, 2019 at 04:16:28PM +0100, Chris Wilson wrote:
> drmConnectorFree is called inside the loop and after. Not unsurprisingly
> this leads to a use-after-free and memcorruption.
>
> Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=111710
> Signed-off-by: Chris Wilson <chris at chris-wilson.co.uk>
> Cc: Manasi Navare <manasi.d.navare at intel.com>
Thanks for the fix
Reviewed-by: Manasi Navare <manasi.d.navare at intel.com>
Manasi
> ---
> tests/kms_dp_tiled_display.c | 28 ++++++++++------------------
> 1 file changed, 10 insertions(+), 18 deletions(-)
>
> diff --git a/tests/kms_dp_tiled_display.c b/tests/kms_dp_tiled_display.c
> index c4643c358..dc4866d2f 100644
> --- a/tests/kms_dp_tiled_display.c
> +++ b/tests/kms_dp_tiled_display.c
> @@ -100,37 +100,29 @@ cleanup:
>
> static void get_number_of_h_tiles(data_t *data)
> {
> - int i;
> + igt_tile_info_t tile = {};
> drmModeResPtr res;
> - drmModeConnectorPtr connector;
> - igt_tile_info_t tile = {.num_h_tile = 0};
>
> igt_assert(res = drmModeGetResources(data->drm_fd));
>
> - for (i = 0; i < res->count_connectors; i++) {
> + for (int i = 0; !data->num_h_tiles && i < res->count_connectors; i++) {
> + drmModeConnectorPtr connector;
> +
> connector = drmModeGetConnectorCurrent(data->drm_fd,
> res->connectors[i]);
> -
> igt_assert(connector);
>
> - if (connector->connection != DRM_MODE_CONNECTED ||
> - connector->connector_type != DRM_MODE_CONNECTOR_DisplayPort) {
> - drmModeFreeConnector(connector);
> - continue;
> - }
> -
> - get_connector_tile_props(data, connector, &tile);
> + if (connector->connection == DRM_MODE_CONNECTED &&
> + connector->connector_type == DRM_MODE_CONNECTOR_DisplayPort) {
> + get_connector_tile_props(data, connector, &tile);
>
> - if (tile.num_h_tile == 0) {
> - drmModeFreeConnector(connector);
> - continue;
> + data->num_h_tiles = tile.num_h_tile;
> }
> - data->num_h_tiles = tile.num_h_tile;
> - break;
> +
> + drmModeFreeConnector(connector);
> }
>
> drmModeFreeResources(res);
> - drmModeFreeConnector(connector);
> }
>
> static void get_connectors(data_t *data)
> --
> 2.23.0
>
More information about the igt-dev
mailing list