[Intel-gfx] [PATCH v2 i-g-t 1/4] igt_kms: Avoid NULL ptr deref when committing disabled planes
Tvrtko Ursulin
tvrtko.ursulin at linux.intel.com
Thu May 7 02:00:40 PDT 2015
On 05/06/2015 09:47 PM, Konduru, Chandra wrote:
>> -----Original Message-----
>> From: Tvrtko Ursulin [mailto:tvrtko.ursulin at linux.intel.com]
>> Sent: Tuesday, May 05, 2015 2:53 AM
>> To: Intel-gfx at lists.freedesktop.org
>> Cc: Ursulin, Tvrtko; Konduru, Chandra; Wood, Thomas
>> Subject: [PATCH v2 i-g-t 1/4] igt_kms: Avoid NULL ptr deref when committing
>> disabled planes
>>
>> From: Tvrtko Ursulin <tvrtko.ursulin at intel.com>
>>
>> I think;
>>
>> commit a26f9f9ad0e679c7ce413a25d34f6914e1174151
>> Author: chandra konduru <chandra.konduru at intel.com>
>> Date: Mon Mar 30 13:52:04 2015 -0700
>>
>> i-g-t: Adding plane scaling test case
>>
>> introduced a condition where it attempts to update a disabled plane because of
>> the newly introduced size_changed flag which is set for disabled frame buffers.
>> Result is a NULL ptr deref in igt_drm_plane_commit (plane->fb->src_x).
>>
>> Start recognising this case as disabled plane and act accordingly.
>>
>> v2: Split out igt_plane_set_fb cleanup. (Thomas Wood)
>>
>> Signed-off-by: Tvrtko Ursulin <tvrtko.ursulin at intel.com>
>> Cc: chandra konduru <chandra.konduru at intel.com>
>> Cc: Thomas Wood <thomas.wood at intel.com>
>> ---
>> There might be a better fix, but this works for me.
>> ---
>> lib/igt_kms.c | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/lib/igt_kms.c b/lib/igt_kms.c index b7d1e90..33d437d 100644
>> --- a/lib/igt_kms.c
>> +++ b/lib/igt_kms.c
>> @@ -1331,7 +1331,7 @@ static int igt_drm_plane_commit(igt_plane_t *plane,
>> fb_id = igt_plane_get_fb_id(plane);
>> crtc_id = output->config.crtc->crtc_id;
>>
>> - if (plane->fb_changed && fb_id == 0) {
>> + if ((plane->fb_changed || plane->size_changed) && fb_id == 0) {
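Review bot: the new condition keys the disabled-plane path on which change flags happen to be set, rather than on the condition that actually causes the crash, namely fb_id == 0 while the update path goes on to read plane->fb->src_x. Any other flag that can be set on a plane with no framebuffer (position_changed is the obvious candidate, and the reply in this thread asks about it) still falls through to the same NULL dereference. Consider making the check independent of the flags, e.g. `if (fb_id == 0) {` if the function has already established before this point that something on the plane changed (not visible in the hunk), or at least extend it to `if ((plane->fb_changed || plane->size_changed || plane->position_changed) && fb_id == 0) {` and state in the commit message why only those flags can be set on a disabled plane.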
>
> Shouldn't this include plane->position_changed too? Like:
> if ((plane->fb_changed || plane->size_changed || plane->position_changed) && fb_id == 0) {
When you added size_changed, state for position_changed and fb == NULL
remained the same, while size_changed added new state for size_changed
== true and fb == NULL. So I added handling for that and did not think
much beyond it. It fixes a segfault so I moved on. Or in other words, I
don't see how it would harm to merge this; it doesn't make anything worse.
Regards,
Tvrtko
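As an added illustration, and not code from igt or from either participant in this thread, the model below reduces igt_drm_plane_commit to the parts the discussion is about: a plane with three change flags and a framebuffer pointer that is NULL when the plane is disabled. `commit_flag_guard` mirrors the patched condition and demonstrates that a flag the guard does not list (position_changed, as raised in the reply) still reaches the dereference; `commit_null_guard` keys the disabled-plane case on the missing framebuffer itself, which generalises to any future flag. The struct names, the `commit_result` enum, `run_case` and the sample fb_id 42 are all constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins for a framebuffer and a plane. These are NOT igt's
 * igt_fb_t / igt_plane_t; they model only the fields the thread discusses. */
struct fb {
	uint32_t fb_id;
	int src_x;
};

struct plane {
	struct fb *fb;		/* NULL when the plane is disabled */
	bool fb_changed;
	bool size_changed;
	bool position_changed;
};

enum commit_result {
	COMMIT_NULL_DEREF = -1,	/* update path would read plane->fb->src_x with fb == NULL */
	COMMIT_SKIPPED = 0,	/* nothing pending on this plane */
	COMMIT_DISABLE = 1,	/* disabled-plane path taken */
	COMMIT_UPDATE = 2	/* normal update of an enabled plane */
};

static uint32_t plane_get_fb_id(const struct plane *p)
{
	return p->fb ? p->fb->fb_id : 0;
}

static bool plane_has_changes(const struct plane *p)
{
	return p->fb_changed || p->size_changed || p->position_changed;
}

/* Flag-keyed guard, shaped like the patched condition: a plane without a
 * framebuffer reaches the disable path only if one of the listed flags is set. */
static enum commit_result commit_flag_guard(const struct plane *p)
{
	uint32_t fb_id = plane_get_fb_id(p);

	if (!plane_has_changes(p))
		return COMMIT_SKIPPED;
	if ((p->fb_changed || p->size_changed) && fb_id == 0)
		return COMMIT_DISABLE;
	/* Update path: the real code reads plane->fb->src_x here. */
	if (p->fb == NULL)
		return COMMIT_NULL_DEREF;	/* in the real code: segfault */
	(void)p->fb->src_x;
	return COMMIT_UPDATE;
}

/* Pointer-keyed guard: any plane with pending changes but no framebuffer is
 * the disabled case, whichever flag brought it here. */
static enum commit_result commit_null_guard(const struct plane *p)
{
	uint32_t fb_id = plane_get_fb_id(p);

	if (!plane_has_changes(p))
		return COMMIT_SKIPPED;
	if (fb_id == 0)
		return COMMIT_DISABLE;
	(void)p->fb->src_x;
	return COMMIT_UPDATE;
}

/* Build one scenario and run it through the chosen guard. */
static enum commit_result run_case(bool null_guard, bool has_fb,
				   bool fb_changed, bool size_changed,
				   bool position_changed)
{
	static struct fb sample_fb = { .fb_id = 42, .src_x = 0 };	/* constructed */
	struct plane p = {
		.fb = has_fb ? &sample_fb : NULL,
		.fb_changed = fb_changed,
		.size_changed = size_changed,
		.position_changed = position_changed,
	};

	return null_guard ? commit_null_guard(&p) : commit_flag_guard(&p);
}

int main(void)
{
	/* The case the patch fixes: size_changed set on a disabled plane. */
	printf("flag guard, size_changed, no fb:     %d\n",
	       run_case(false, false, false, true, false));
	/* The case the reply raises: position_changed set on a disabled plane. */
	printf("flag guard, position_changed, no fb: %d\n",
	       run_case(false, false, false, false, true));
	printf("null guard, position_changed, no fb: %d\n",
	       run_case(true, false, false, false, true));
	return 0;
}
```

The first printed line is 1 (the patch's size_changed case is now handled), the second is -1 (the flag-keyed guard lets a position-only change on a disabled plane through to the dereference), and the third is 1 (the pointer-keyed guard treats it as disabled).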