[Intel-gfx] [PATCH i-g-t] igt_kms: Avoid NULL ptr deref when commiting disabled planes

Tvrtko Ursulin tvrtko.ursulin at linux.intel.com
Tue Apr 28 03:57:47 PDT 2015 

From: Tvrtko Ursulin <tvrtko.ursulin at intel.com>

I think;

   commit a26f9f9ad0e679c7ce413a25d34f6914e1174151
   Author: chandra konduru <chandra.konduru at intel.com>
   Date:   Mon Mar 30 13:52:04 2015 -0700

       i-g-t: Adding plane scaling test case

introduced a condition where it attempts to update a disabled plane because
of the newly introduced size_changed flag which is set for disabled frame
buffers. Result is a NULL ptr deref in igt_drm_plane_commit (plane->fb->src_x).

Start recognising this case as disabled plane and act accordingly.

Also cleanup the code in igt_plane_set_fb a bit.

Signed-off-by: Tvrtko Ursulin <tvrtko.ursulin at intel.com>
Cc: chandra konduru <chandra.konduru at intel.com>
---
There might be a better fix, but this works for me.
---
 lib/igt_kms.c | 13 ++++---------
 1 file changed, 4 insertions(+), 9 deletions(-)

diff --git a/lib/igt_kms.c b/lib/igt_kms.c
index b7d1e90..b5ba273 100644
--- a/lib/igt_kms.c
+++ b/lib/igt_kms.c
@@ -1331,7 +1331,7 @@ static int igt_drm_plane_commit(igt_plane_t *plane,
 	fb_id = igt_plane_get_fb_id(plane);
 	crtc_id = output->config.crtc->crtc_id;
 
-	if (plane->fb_changed && fb_id == 0) {
+	if ((plane->fb_changed || plane->size_changed) && fb_id == 0) {
 		LOG(display,
 		    "%s: SetPlane pipe %s, plane %d, disabling\n",
 		    igt_output_name(output),
@@ -1765,14 +1765,6 @@ void igt_plane_set_fb(igt_plane_t *plane, struct igt_fb *fb)
 	plane->fb = fb;
 	/* hack to keep tests working that don't call igt_plane_set_size() */
 	if (fb) {
-		plane->crtc_w = fb->width;
-		plane->crtc_h = fb->height;
-	} else {
-		plane->crtc_w = 0;
-		plane->crtc_h = 0;
-	}
-
-	if (fb) {
 		/* set default plane pos/size as fb size */
 		plane->crtc_x = 0;
 		plane->crtc_y = 0;
@@ -1784,6 +1776,9 @@ void igt_plane_set_fb(igt_plane_t *plane, struct igt_fb *fb)
 		fb->src_y = 0;
 		fb->src_w = fb->width;
 		fb->src_h = fb->height;
+	} else {
+		plane->crtc_w = 0;
+		plane->crtc_h = 0;
 	}
 
 	plane->fb_changed = true;
-- 
2.3.5

More information about the Intel-gfx mailing list