[PATCH] drm/sysfb: Do not deref unexisting CRTC state in atomic_disable

[PATCH] drm/sysfb: Do not deref unexisting CRTC state in atomic_disable

[Thomas Zimmermann]

Do not access CRTC state in drm_sysfb_plane_helper_atomic_disable().
Use format from sysfb device for clearing scanout buffer. This is
the behavior from before commit 061963cd9e5b ("drm/sysfb: Blit to
CRTC destination format").

When being disabled, the plane has no associated CRTC. Trying to deref
the format pointer results in a segmentation fault. An example stack
track is shown below.

[   58.948915] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000023: 0000 [#1] SMP KASAN PTI
[   58.959971] KASAN: null-ptr-deref in range [0x0000000000000118-0x000000000000011f]
[...]
[   58.979308] RIP: 0010:drm_sysfb_plane_helper_atomic_disable+0x1af/0x520
[...]
[   59.084227] Call Trace:
[   59.086682]  <TASK>
[   59.088793]  ? __pfx_drm_sysfb_plane_helper_atomic_disable+0x10/0x10
[   59.095155]  ? crtc_disable+0xf2/0x5a0
[   59.098920]  drm_atomic_helper_commit_planes+0x848/0x1030
[   59.104336]  drm_atomic_helper_commit_tail+0x41/0xb0
[   59.109316]  commit_tail+0x204/0x330
[   59.112903]  drm_atomic_helper_commit+0x242/0x2e0
[   59.117618]  ? __pfx_drm_atomic_helper_commit+0x10/0x10
[   59.122851]  drm_atomic_commit+0x1e1/0x290
[   59.126957]  ? drm_atomic_add_affected_connectors+0x266/0x330
[   59.132714]  ? __pfx_drm_atomic_commit+0x10/0x10
[   59.137343]  ? __pfx___drm_printfn_info+0x10/0x10
[   59.142058]  ? drm_atomic_set_crtc_for_connector+0x436/0x630
[   59.147729]  atomic_remove_fb+0x631/0x920
[   59.151751]  ? save_trace+0xcf/0x180
[   59.155343]  ? __pfx_atomic_remove_fb+0x10/0x10
[   59.159890]  ? __pfx___drm_dev_dbg+0x10/0x10
[   59.164173]  drm_framebuffer_remove+0x19a/0x710

Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
Fixes: 061963cd9e5b ("drm/sysfb: Blit to CRTC destination format")
Cc: Thomas Zimmermann <tzimmermann@suse.de>
Cc: Javier Martinez Canillas <javierm@redhat.com>
Cc: dri-devel@lists.freedesktop.org
---
 drivers/gpu/drm/sysfb/drm_sysfb_modeset.c | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/drivers/gpu/drm/sysfb/drm_sysfb_modeset.c b/drivers/gpu/drm/sysfb/drm_sysfb_modeset.c
index 0e05345cdeee..963c380fea64 100644
--- a/drivers/gpu/drm/sysfb/drm_sysfb_modeset.c
+++ b/drivers/gpu/drm/sysfb/drm_sysfb_modeset.c
@@ -281,10 +281,7 @@ void drm_sysfb_plane_helper_atomic_disable(struct drm_plane *plane,
 	struct drm_plane_state *plane_state = drm_atomic_get_new_plane_state(state, plane);
 	void __iomem *dst_vmap = dst.vaddr_iomem; /* TODO: Use mapping abstraction */
 	unsigned int dst_pitch = sysfb->fb_pitch;
-	struct drm_crtc_state *crtc_state = crtc_state =
-		drm_atomic_get_new_crtc_state(state, plane_state->crtc);
-	struct drm_sysfb_crtc_state *sysfb_crtc_state = to_drm_sysfb_crtc_state(crtc_state);
-	const struct drm_format_info *dst_format = sysfb_crtc_state->format;
+	const struct drm_format_info *dst_format = sysfb->fb_format;
 	struct drm_rect dst_clip;
 	unsigned long lines, linepixels, i;
 	int idx;
-- 
2.50.1

Re: [PATCH] drm/sysfb: Do not deref unexisting CRTC state in atomic_disable

[Thomas Zimmermann]

Am 26.08.25 um 16:50 schrieb Thomas Zimmermann:
> Do not access CRTC state in drm_sysfb_plane_helper_atomic_disable().
> Use format from sysfb device for clearing scanout buffer. This is
> the behavior from before commit 061963cd9e5b ("drm/sysfb: Blit to
> CRTC destination format").
>
> When being disabled, the plane has no associated CRTC. Trying to deref
> the format pointer results in a segmentation fault. An example stack
> track is shown below.
>
> [   58.948915] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000023: 0000 [#1] SMP KASAN PTI
> [   58.959971] KASAN: null-ptr-deref in range [0x0000000000000118-0x000000000000011f]
> [...]
> [   58.979308] RIP: 0010:drm_sysfb_plane_helper_atomic_disable+0x1af/0x520
> [...]
> [   59.084227] Call Trace:
> [   59.086682]  <TASK>
> [   59.088793]  ? __pfx_drm_sysfb_plane_helper_atomic_disable+0x10/0x10
> [   59.095155]  ? crtc_disable+0xf2/0x5a0
> [   59.098920]  drm_atomic_helper_commit_planes+0x848/0x1030
> [   59.104336]  drm_atomic_helper_commit_tail+0x41/0xb0
> [   59.109316]  commit_tail+0x204/0x330
> [   59.112903]  drm_atomic_helper_commit+0x242/0x2e0
> [   59.117618]  ? __pfx_drm_atomic_helper_commit+0x10/0x10
> [   59.122851]  drm_atomic_commit+0x1e1/0x290
> [   59.126957]  ? drm_atomic_add_affected_connectors+0x266/0x330
> [   59.132714]  ? __pfx_drm_atomic_commit+0x10/0x10
> [   59.137343]  ? __pfx___drm_printfn_info+0x10/0x10
> [   59.142058]  ? drm_atomic_set_crtc_for_connector+0x436/0x630
> [   59.147729]  atomic_remove_fb+0x631/0x920
> [   59.151751]  ? save_trace+0xcf/0x180
> [   59.155343]  ? __pfx_atomic_remove_fb+0x10/0x10
> [   59.159890]  ? __pfx___drm_dev_dbg+0x10/0x10
> [   59.164173]  drm_framebuffer_remove+0x19a/0x710
>
> Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
> Fixes: 061963cd9e5b ("drm/sysfb: Blit to CRTC destination format")
> Cc: Thomas Zimmermann <tzimmermann@suse.de>
> Cc: Javier Martinez Canillas <javierm@redhat.com>
> Cc: dri-devel@lists.freedesktop.org

Reviewed-by: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>

via IRC: 
https://people.freedesktop.org/~cbrill/dri-log/?channel=dri-devel&highlight_names=&date=2025-08-27

> ---
>   drivers/gpu/drm/sysfb/drm_sysfb_modeset.c | 5 +----
>   1 file changed, 1 insertion(+), 4 deletions(-)
>
> diff --git a/drivers/gpu/drm/sysfb/drm_sysfb_modeset.c b/drivers/gpu/drm/sysfb/drm_sysfb_modeset.c
> index 0e05345cdeee..963c380fea64 100644
> --- a/drivers/gpu/drm/sysfb/drm_sysfb_modeset.c
> +++ b/drivers/gpu/drm/sysfb/drm_sysfb_modeset.c
> @@ -281,10 +281,7 @@ void drm_sysfb_plane_helper_atomic_disable(struct drm_plane *plane,
>   	struct drm_plane_state *plane_state = drm_atomic_get_new_plane_state(state, plane);
>   	void __iomem *dst_vmap = dst.vaddr_iomem; /* TODO: Use mapping abstraction */
>   	unsigned int dst_pitch = sysfb->fb_pitch;
> -	struct drm_crtc_state *crtc_state = crtc_state =
> -		drm_atomic_get_new_crtc_state(state, plane_state->crtc);
> -	struct drm_sysfb_crtc_state *sysfb_crtc_state = to_drm_sysfb_crtc_state(crtc_state);
> -	const struct drm_format_info *dst_format = sysfb_crtc_state->format;
> +	const struct drm_format_info *dst_format = sysfb->fb_format;
>   	struct drm_rect dst_clip;
>   	unsigned long lines, linepixels, i;
>   	int idx;

-- 
--
Thomas Zimmermann
Graphics Driver Developer
SUSE Software Solutions Germany GmbH
Frankenstrasse 146, 90461 Nuernberg, Germany
GF: Ivo Totev, Andrew Myers, Andrew McDonald, Boudien Moerman
HRB 36809 (AG Nuernberg)

Re: [PATCH] drm/sysfb: Do not deref unexisting CRTC state in atomic_disable

[Mark Brown]

[-- Attachment #1: Type: text/plain, Size: 347 bytes --]

On Tue, Aug 26, 2025 at 04:50:25PM +0200, Thomas Zimmermann wrote:
> Do not access CRTC state in drm_sysfb_plane_helper_atomic_disable().
> Use format from sysfb device for clearing scanout buffer. This is
> the behavior from before commit 061963cd9e5b ("drm/sysfb: Blit to
> CRTC destination format").

Tested-by: Mark Brown <broonie@kernel.org>

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]