From mboxrd@z Thu Jan  1 00:00:00 1970
From: Eric Anholt <eric@anholt.net>
Subject: Re: [PATCH v3 1/2] drm/vc4: Fix NULL pointer dereference in the async
 update path
Date: Thu, 15 Nov 2018 08:25:48 -0800
Message-ID: <87wopez4s3.fsf@anholt.net>
References: <20181115105852.9844-1-boris.brezillon@bootlin.com>
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="===============2123535260=="
Return-path: <dri-devel-bounces@lists.freedesktop.org>
Received: from anholt.net (anholt.net [50.246.234.109])
 by gabe.freedesktop.org (Postfix) with ESMTP id 92BEF6E658
 for <dri-devel@lists.freedesktop.org>; Thu, 15 Nov 2018 16:25:50 +0000 (UTC)
In-Reply-To: <20181115105852.9844-1-boris.brezillon@bootlin.com>
List-Unsubscribe: <https://lists.freedesktop.org/mailman/options/dri-devel>,
 <mailto:dri-devel-request@lists.freedesktop.org?subject=unsubscribe>
List-Archive: <https://lists.freedesktop.org/archives/dri-devel>
List-Post: <mailto:dri-devel@lists.freedesktop.org>
List-Help: <mailto:dri-devel-request@lists.freedesktop.org?subject=help>
List-Subscribe: <https://lists.freedesktop.org/mailman/listinfo/dri-devel>,
 <mailto:dri-devel-request@lists.freedesktop.org?subject=subscribe>
Errors-To: dri-devel-bounces@lists.freedesktop.org
Sender: "dri-devel" <dri-devel-bounces@lists.freedesktop.org>
Cc: Boris Brezillon <boris.brezillon@bootlin.com>, dri-devel@lists.freedesktop.org
List-Id: dri-devel@lists.freedesktop.org

--===============2123535260==
Content-Type: multipart/signed; boundary="=-=-=";
	micalg=pgp-sha512; protocol="application/pgp-signature"

--=-=-=
Content-Type: text/plain

Boris Brezillon <boris.brezillon@bootlin.com> writes:

> vc4_plane_atomic_async_update() calls vc4_plane_atomic_check()
> which in turn calls vc4_plane_setup_clipping_and_scaling(), and since
> commit 58a6a36fe8e0 ("drm/vc4: Use
> drm_atomic_helper_check_plane_state() to simplify the logic"), this
> function accesses plane_state->state which will be NULL when called
> from the async update path because we're passing the current plane
> state, and plane_state->state has been assigned to NULL in
> drm_atomic_helper_swap_state().
>
> Pass the new state instead of the current one (the new state has
> ->state set to a non-NULL value).
>
> Fixes: 58a6a36fe8e0 ("drm/vc4: Use drm_atomic_helper_check_plane_state() to simplify the logic")
> Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com>

I'm glad this worked!

Reviewed-by: Eric Anholt <eric@anholt.net>

--=-=-=
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE/JuuFDWp9/ZkuCBXtdYpNtH8nugFAlvtngwACgkQtdYpNtH8
nuifjxAArILjRDLf7QtAPWGZwzODk+kIF2AScdsPYnzb3YdvuuX044O6ARmUZyjS
ZxqlTG5C5poRyINHsz7XtBAAGZGzLukL4xcf6gphm2GH7tvJPz6M3KFnuClpS/wG
UjONoLZII7ib8Dn/2spzCazQaNxQsEmPLNRi5dFIqSCNrBFVcTqFqQHftZYGFKIP
YUODV9+ZQX7rUkd4mOpmML901aD+Ef+WHpdHiHtwzGupkbXnmGAal8a1Bs6Ijpn3
ByKJ6mDNy2peJSgCBv8YanO7Xzr6zhSiyldDCg813w8mR9sMkvBwNsFIL4TqqhmR
KWcv9SBP4axQ9SELnJOJ1GJRZqO8zieULhRIg63Ont/JXCE7BT8kal0cvdSMEVCh
BdgbVMWYgBZwMCywbMRL5/jMA42hKq4h3i4wJhdNLokbIPueVG2Wo7xWdAgjUVVZ
Qs300o/dsYuwSD/TjHKEWUXJfmeAMTN0081i9QMo92Dcq8G0X7eABugCw95jG3J/
SECTsp5AcnD4SzhlYBPfAUrvdYfoPCia6sEvq+tE6T5wLANyAcZYVo8TnaBgRBnS
AtwoSkScV9T4npnOSNc+1NAO5pZuWjVqWe91RmAuyw1SNKCrYBmO35+wAaWPVymh
07pRySPWFtRJtxBPbZMwN0Bw/e8xCMuMKTAtC0oEbrJjfyaxLbY=
=b+XY
-----END PGP SIGNATURE-----
--=-=-=--

--===============2123535260==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: base64
Content-Disposition: inline

X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX18KZHJpLWRldmVs
IG1haWxpbmcgbGlzdApkcmktZGV2ZWxAbGlzdHMuZnJlZWRlc2t0b3Aub3JnCmh0dHBzOi8vbGlz
dHMuZnJlZWRlc2t0b3Aub3JnL21haWxtYW4vbGlzdGluZm8vZHJpLWRldmVsCg==

--===============2123535260==--