Received: by 10.223.185.116 with SMTP id b49csp512718wrg; Tue, 20 Feb 2018 03:18:56 -0800 (PST) X-Google-Smtp-Source: AH8x2252P/QOtLj+OD5ZQnHLAPsrrSMN/H5Le5flo7BZFZA99PSA9rmXjz9oW4+H9OduXZCUb6ba X-Received: by 2002:a17:902:22cc:: with SMTP id o12-v6mr17376192plg.280.1519125536518; Tue, 20 Feb 2018 03:18:56 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1519125536; cv=none; d=google.com; s=arc-20160816; b=JkBdFduHEz2x14K31rIoTgsZy8pTZza4veCXv8z+F4m7LzX/bE8iz1Y7OUPsYpFSSw eskhPqQe26xhyXHXwLfzUt/420zptj7arDIsAAPL8mwXqxgFtODgEdJbGMJ4VpG2jVE7 CpEYXs5s1XaBU4sFtXSPygXsHD1w/vPpxCa8GrbNweXwcus3G/Jfuyt15cG8Z6spopgt bylqZbwXg3ZDbzv/RSaeG/I3cRfdb8rmUgdF21SfPyTW+QJdTZoiOzfQ//0jX3VCrsrF eNKfbb6uoAxiv7rSElsKu7Y6JFML3wKr0drW4HvDfKGY3sgHA6DKX4foQ7dwWmgCW+hS XRsg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-transfer-encoding:content-disposition:mime-version :references:mail-followup-to:message-id:subject:cc:to:from:date :dkim-signature:arc-authentication-results; bh=vzcvXYhCM6AVuljE7CnILtlwX+H7U9dObFraJE4ZX4c=; b=QpSTXknKSY7LxdsfM/zyKwpUe8F4x/3KHxEmca1t7QsNw6aNvnzrb64k1sXIO1y3+4 PAJApj2yYCXQCiYQJIZkLA/E6U7W3cbgV8CixBQkexcmwPgM7L5qOLp1kBgLsW9Gpa1l XkWH8kKHSaoW0/T35tlDjx6x6Eh4D9wwnBO/EeXNEI4UwmwG6Fjb9XNpA5+EZwGWimoE NHpKYVzjAvfgCJiAV9W+YzrW8hsjEkxYhLPM3szmoLWcs7wxfOjsVTM932G0TGAZtZox OxzoTlq3pYN5Du8l0Bq3CJmbVXVwnTd0uacUxbGfkvf1Ds7V5iav9EP5FZXVOpf8Xssq d0Cw== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@ffwll.ch header.s=google header.b=VbNpsIqu; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id d7si1493975pgf.766.2018.02.20.03.18.41; Tue, 20 Feb 2018 03:18:56 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=fail header.i=@ffwll.ch header.s=google header.b=VbNpsIqu; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751825AbeBTLRx (ORCPT + 99 others); Tue, 20 Feb 2018 06:17:53 -0500 Received: from mail-wr0-f195.google.com ([209.85.128.195]:38644 "EHLO mail-wr0-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751649AbeBTLRw (ORCPT ); Tue, 20 Feb 2018 06:17:52 -0500 Received: by mail-wr0-f195.google.com with SMTP id n7so13262492wrn.5 for ; Tue, 20 Feb 2018 03:17:51 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ffwll.ch; s=google; h=sender:date:from:to:cc:subject:message-id:mail-followup-to :references:mime-version:content-disposition :content-transfer-encoding:in-reply-to:user-agent; bh=vzcvXYhCM6AVuljE7CnILtlwX+H7U9dObFraJE4ZX4c=; b=VbNpsIqudv0byxMsIfZIdbMgMOKx1eP06eipDsmQGNCs4weFLlbJZ8lrMs0v4zokOy WPxaA/KIA6SOEQf4Xoyl+vIuAaNxT8C7CZ665Lnz35tSxiNtGTl9zmYfLguTMA6Un8cr hc6mhRkVyaSPmCqMmXaRAXzH81Xu8xVbtZGH4= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:sender:date:from:to:cc:subject:message-id :mail-followup-to:references:mime-version:content-disposition :content-transfer-encoding:in-reply-to:user-agent; bh=vzcvXYhCM6AVuljE7CnILtlwX+H7U9dObFraJE4ZX4c=; b=ufgHWiaRepC/jmacubaKqMHSnH2P+aHXuSKEipW8yQlFtJp42jvOiVJjNdxlQ0FJyB tKFyUoBCiTp/6JGYVYMnGrbL2AuTq/Zi4uoU3P1DSvixVS49E5KiIhKViKyEwA+3A3/P VO0x/eaaafLcgM3tneVq7b99dACUqKyfgTc8Wcd5waxwTq6aEPwB4Jf0gp5n5fcycjZk 2baqhFS5cbHJhIgkR8v4dOtHPKZn5ZlJHE6r+YovIyHOFPl6TWKL20qRHjAxsqSwNKkM Y47pV96V7rwejy5XtGzg1ENhSzGgOfcv97eTbkFiOhByYZXUJ8SpL5LgS+a1qLCQ9OyU t/pg== X-Gm-Message-State: APf1xPAvhIOd0WdCkELWBRGQd4m1d2Lt4ypFnmvpQJvYozfyn+8DLCDt 7ldpymwV9iN5vDQN+yJXSDsgsg== X-Received: by 10.80.170.24 with SMTP id o24mr23812215edc.258.1519125470887; Tue, 20 Feb 2018 03:17:50 -0800 (PST) Received: from phenom.ffwll.local (212-51-149-109.fiber7.init7.net. [212.51.149.109]) by smtp.gmail.com with ESMTPSA id x7sm18685503edi.27.2018.02.20.03.17.49 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Tue, 20 Feb 2018 03:17:49 -0800 (PST) Date: Tue, 20 Feb 2018 12:17:48 +0100 From: Daniel Vetter To: Oleksandr Andrushchenko Cc: Oleksandr Andrushchenko , dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org, airlied@linux.ie, daniel.vetter@intel.com Subject: Re: [PATCH] drm/simple_kms_helper: Fix NULL pointer dereference with no active CRTC Message-ID: <20180220111748.GJ22199@phenom.ffwll.local> Mail-Followup-To: Oleksandr Andrushchenko , Oleksandr Andrushchenko , dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org, airlied@linux.ie, daniel.vetter@intel.com References: <1518511456-28257-1-git-send-email-andr2000@gmail.com> <20180219143002.GC22199@phenom.ffwll.local> MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: X-Operating-System: Linux phenom 4.14.0-3-amd64 User-Agent: Mutt/1.9.3 (2018-01-21) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Feb 19, 2018 at 04:58:43PM +0200, Oleksandr Andrushchenko wrote: > On 02/19/2018 04:30 PM, Daniel Vetter wrote: > > On Tue, Feb 13, 2018 at 10:44:16AM +0200, Oleksandr Andrushchenko wrote: > > > From: Oleksandr Andrushchenko > > > > > > It is possible that drm_simple_kms_plane_atomic_check called > > > with no CRTC set, e.g. when user-space application sets CRTC_ID/FB_ID > > > to 0 before doing any actual drawing. This leads to NULL pointer > > > dereference because in this case new CRTC state is NULL and must be > > > checked before accessing. > > > > > > Signed-off-by: Oleksandr Andrushchenko > > > --- > > > drivers/gpu/drm/drm_simple_kms_helper.c | 6 ++++-- > > > 1 file changed, 4 insertions(+), 2 deletions(-) > > > > > > diff --git a/drivers/gpu/drm/drm_simple_kms_helper.c b/drivers/gpu/drm/drm_simple_kms_helper.c > > > index 9ca8a4a59b74..a05eca9cec8b 100644 > > > --- a/drivers/gpu/drm/drm_simple_kms_helper.c > > > +++ b/drivers/gpu/drm/drm_simple_kms_helper.c > > > @@ -121,8 +121,10 @@ static int drm_simple_kms_plane_atomic_check(struct drm_plane *plane, > > > pipe = container_of(plane, struct drm_simple_display_pipe, plane); > > > crtc_state = drm_atomic_get_new_crtc_state(plane_state->state, > > > &pipe->crtc); > > > - if (!crtc_state->enable) > > > - return 0; /* nothing to check when disabling or disabled */ > > > + > > > + if (!crtc_state || !crtc_state->enable) > > > + /* nothing to check when disabling or disabled or no CRTC set */ > > > + return 0; > > > if (crtc_state->enable) > > > drm_mode_get_hv_timing(&crtc_state->mode, > > Hm, this is a bit annoying, since the can_position = false parameter to > > drm_atomic_helper_check_plane_state is supposed to catch all this. Would > > moving all the checks after the call to that helper, and gating them on > > plane_state->visible also work? > Yes, it does work if this is what you mean: I wasn't sure, thanks for figuring this out! > diff --git a/drivers/gpu/drm/drm_simple_kms_helper.c > b/drivers/gpu/drm/drm_simple_kms_helper.c > index a05eca9cec8b..c48858bb2823 100644 > --- a/drivers/gpu/drm/drm_simple_kms_helper.c > +++ b/drivers/gpu/drm/drm_simple_kms_helper.c > @@ -122,14 +122,6 @@ static int drm_simple_kms_plane_atomic_check(struct > drm_plane *plane, > ??????? crtc_state = drm_atomic_get_new_crtc_state(plane_state->state, > &pipe->crtc); > > -?????? if (!crtc_state || !crtc_state->enable) > -?????????????? /* nothing to check when disabling or disabled or no CRTC > set */ > -?????????????? return 0; > - > -?????? if (crtc_state->enable) > -?????????????? drm_mode_get_hv_timing(&crtc_state->mode, > -????????????????????????????????????? &clip.x2, &clip.y2); > - > ??????? ret = drm_atomic_helper_check_plane_state(plane_state, crtc_state, > ????????????????????????????????????????????????? &clip, > DRM_PLANE_HELPER_NO_SCALING, > @@ -138,6 +130,13 @@ static int drm_simple_kms_plane_atomic_check(struct > drm_plane *plane, > ??????? if (ret) > ??????????????? return ret; > > +?????? if (!plane_state->visible || !crtc_state->enable) > +?????????????? return 0; /* nothing to check when disabling or disabled */ if (!plane_state->visible) { WARN_ON(crtc_state->enabled); return 0; } The helper call above should guarantee this. > + > +?????? if (plane_state->visible && crtc_state->enable) Similar here. > +?????????????? drm_mode_get_hv_timing(&crtc_state->mode, > +????????????????????????????????????? &clip.x2, &clip.y2); > + > ??????? if (!plane_state->visible) > ??????????????? return -EINVAL; This can now be removed, the plane helper takes care of checking for plane_state->visible != crtc_state->enable. Please also remove. > > We'd need to add a guarantee to drm_atomic_helper_check_plane_state that > > it can cope with crtc_state == NULL, but I think that's a good idea > > anyway. Atm it shouldn't end up looking at the crtc_state pointer in that > > case. > It doesn't look at it at the moment > > Otherwise we'll just go with your fix, but it feels all a bit too fragile, > > hence why I want to explore more robust options a bit. > At list with the change above it passes my test which failed > before. Although I cannot confirm it works for others, but it > certainly does for me. > > -Daniel > Do you want me to send v1 with the code above? Yes please, with my above cleanup suggestions. Thanks, Daniel -- Daniel Vetter Software Engineer, Intel Corporation http://blog.ffwll.ch