[PATCH] Wrong bo handles can be referenced in func call, drmModeAddFB2 due to uninitialized array elements in handles[4]

Matt Roper matthew.d.roper at intel.com
Tue Apr 29 13:59:33 PDT 2014


On Tue, Apr 29, 2014 at 01:24:31PM -0700, Kristian Høgsberg wrote:
> On Mon, Apr 28, 2014 at 03:26:18PM -0700, Dongwon Kim wrote:
> > Need all bo handles in the array, handles[4] to be initialized with integer value that
> > indicates "NOT VALID handle" to prevent any of those uninitialized from being processed as
> > "VALID" handles.
> 
> The format code determines which bo handles are used.  For non-planar formats
> only the first handle is used and the rest can be uninitialized.
> 
> Kristian

Some hardware allows/expects stereo 3D to be supported by programming
the hardware with separate buffers for the left eye and right eye
content.  Drivers for such hardware need both handles[0] and handles[1]
to pass the left and right content buffers that get wrapped into a
single DRM fb, even though the pixel format is just RGB.  At the time
AddFB2 gets called, you don't know yet whether it's going to get
displayed on a stereo mode or a mono mode, so if there's something
sitting in handles[1], the driver will try to look it up.

I'm not sure if there are actually any upstream drivers yet that allow
this, but I think there are people working on some patches to add this
(as well as some out-of-tree drivers that already rely on it).


Matt

> 
> > If any of these incorrect handles are passed to the Kernel, it either returns error saying
> > "invalid bo from userspace" if the handle doesn't exist or returns wrong resource if it
> > exists but is not for the current task.
> > 
> > Signed-off-by: Dongwon Kim <dongwon.kim at intel.com>
> > ---
> >  src/compositor-drm.c |    3 ++-
> >  1 file changed, 2 insertions(+), 1 deletion(-)
> > 
> > diff --git a/src/compositor-drm.c b/src/compositor-drm.c
> > index 9d293bc..6aa405d 100644
> > --- a/src/compositor-drm.c
> > +++ b/src/compositor-drm.c
> > @@ -328,7 +328,8 @@ drm_fb_get_from_bo(struct gbm_bo *bo,
> >  {
> >  	struct drm_fb *fb = gbm_bo_get_user_data(bo);
> >  	uint32_t width, height;
> > -	uint32_t handles[4], pitches[4], offsets[4];
> > +	uint32_t handles[4] = {0};
> > +	uint32_t pitches[4], offsets[4];
> >  	int ret;
> >  
> >  	if (fb)
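Review bot: pitches[4] and offsets[4], on the line added right after `uint32_t handles[4] = {0};`, are still declared without an initializer, so only one of the three per-plane arrays in this function has defined contents in the slots the format does not fill. If the intent is that no stack garbage is handed on for unused planes, zero all three, e.g. `uint32_t handles[4] = {0}, pitches[4] = {0}, offsets[4] = {0};`. A one-line comment saying that 0 is the "not valid" handle value would also help, since the commit message depends on that meaning and the code does not state it.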
> > -- 
> > 1.7.9.5
> > 
> > _______________________________________________
> > wayland-devel mailing list
> > wayland-devel at lists.freedesktop.org
> > http://lists.freedesktop.org/mailman/listinfo/wayland-devel

-- 
Matt Roper
Graphics Software Engineer
IoTG Platform Enabling & Development
Intel Corporation
(916) 356-2795

