From: Eric Anholt
Subject: Re: [PATCH 1/2] drm/vc4: Fix NULL pointer dereference in the async update path
Date: Tue, 13 Nov 2018 13:24:07 -0800
Message-ID: <87r2follhk.fsf@anholt.net>
References: <20181113094914.22353-1-boris.brezillon@bootlin.com>
In-Reply-To: <20181113094914.22353-1-boris.brezillon@bootlin.com>
Cc: Boris Brezillon, dri-devel@lists.freedesktop.org
List-Id: dri-devel@lists.freedesktop.org

Boris Brezillon writes:

> vc4_plane_atomic_async_update() calls vc4_plane_atomic_check()
> which in turn calls vc4_plane_setup_clipping_and_scaling(), and since
> commit 58a6a36fe8e0 ("drm/vc4: Use
> drm_atomic_helper_check_plane_state() to simplify the logic"), this
> function accesses plane_state->state which will be NULL when called
> from the async update path since we're passing previous plane state,
> and plane_state->state has been assigned to NULL in
> drm_atomic_helper_swap_state().
>
> Assign plane->state->state to new_plane_state->state before calling
> vc4_plane_atomic_check() and reset it to NULL after
> vc4_plane_atomic_check() has returned.
>
> Fixes: 58a6a36fe8e0 ("drm/vc4: Use drm_atomic_helper_check_plane_state() to simplify the logic")
> Signed-off-by: Boris Brezillon

Hmm. Could we pass in the new state instead, and then pick the dlist
items out of the new state's dlist to write into both our dlist copy and
the hw dlist?
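A simplified user-space C model of the failure and the workaround described in the quoted commit message, added here as an illustration and not taken from the patch or the vc4 driver. All `model_*` names and fields are hypothetical, and the model returns -EFAULT at the point where the kernel code would dereference the NULL back-pointer.

```c
#include <errno.h>
#include <stddef.h>

/* Hypothetical stand-ins for the DRM structures named in the mail. */
struct model_atomic_state { int crtc_enabled; };
struct model_plane_state {
    struct model_atomic_state *state; /* back-pointer, valid only during a commit */
    int src_w;
};
struct model_plane { struct model_plane_state *state; };

/* Models the swap step: the state that becomes current loses its back-pointer. */
static void model_swap_state(struct model_plane *plane, struct model_plane_state *new_state)
{
    plane->state = new_state;
    new_state->state = NULL;
}

/* Models a check routine that needs the back-pointer. The real code would
 * dereference it unconditionally; the model reports -EFAULT instead. */
static int model_plane_check(const struct model_plane_state *ps)
{
    if (!ps->state)
        return -EFAULT;
    return (ps->state->crtc_enabled && ps->src_w > 0) ? 0 : -EINVAL;
}

/* Approach from the commit message: borrow the back-pointer from the new
 * state for the duration of the check, then clear it again. */
static int model_async_update_fixed(struct model_plane *plane, const struct model_plane_state *new_state)
{
    int ret;
    plane->state->state = new_state->state;
    ret = model_plane_check(plane->state);
    plane->state->state = NULL;
    return ret;
}
/* Constructed scenario: returns the check result, or 1 if the borrowed pointer leaked. */
int model_scenario(int fixed)
{
    struct model_atomic_state commit = { .crtc_enabled = 1 };
    struct model_plane_state cur = { .state = &commit, .src_w = 64 };
    struct model_plane_state next = { .state = &commit, .src_w = 32 };
    struct model_plane plane = { NULL };
    model_swap_state(&plane, &cur); /* earlier commit done: cur.state is now NULL */
    int ret = fixed ? model_async_update_fixed(&plane, &next) : model_plane_check(plane.state);
    return (fixed && plane.state->state) ? 1 : ret;
}
```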