* [PATCH 1/2] drm/i915: Prevent use-after-free of inherited framebuffer
From: Chris Wilson @ 2014-03-10 8:07 UTC
To: intel-gfx

During KMS takeover, we try to capture the current configuration and
preserve it across our initialisation. For a variety of reasons, we may
fail this, for example if the current mode was using the legacy VGA
plane. Under such circumstances, we discard the fb in the plane config
and tried to find a matching fb on another CRTC. This obviously also
failed, leaving the plane config fb dangling, pointing to the freed block.

Regression from
commit 484b41dd70a9fbea894632d8926bbb93f05021c7
Author: Jesse Barnes <jbarnes@virtuousgeek.org>
Date: Fri Mar 7 08:57:55 2014 -0800

    drm/i915: remove early fb allocation dependency on CONFIG_FB v2

Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=75963
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
---
drivers/gpu/drm/i915/intel_display.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/gpu/drm/i915/intel_display.c b/drivers/gpu/drm/i915/intel_display.c
index 6e9f189765f6..c3864d1bc62f 100644
--- a/drivers/gpu/drm/i915/intel_display.c
+++ b/drivers/gpu/drm/i915/intel_display.c
@@ -2125,6 +2125,7 @@ static void intel_find_plane_obj(struct intel_crtc *intel_crtc,
return;
kfree(intel_crtc->base.fb);
+ intel_crtc->base.fb = NULL;
/*
* Failed to alloc the obj, check to see if we should share
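Review bot: the commit message names the plane config fb as the dangling pointer, while the line added after kfree() clears intel_crtc->base.fb; the message or a one-line comment should say that these are the same pointer at this point, so a reader can confirm no other copy of the freed address survives. Since base.fb now stays NULL when the sharing lookup announced in the following comment finds nothing, it is also worth confirming that later readers of intel_crtc->base.fb tolerate NULL.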
--
1.9.0
* [PATCH 2/2] drm/i915: Avoid requesting a zero-sized stolen object
From: Chris Wilson @ 2014-03-10 8:07 UTC
To: intel-gfx

The stolen allocator objects loudly if the caller requests a zero-sized
object. This is a useful verbose check as in most cases the request
should have been pruned much earlier. Here we just want to silently return
before attempting the allocation.

Regression from
commit 484b41dd70a9fbea894632d8926bbb93f05021c7
Author: Jesse Barnes <jbarnes@virtuousgeek.org>
Date: Fri Mar 7 08:57:55 2014 -0800

    drm/i915: remove early fb allocation dependency on CONFIG_FB v2

Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=75963
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
---
drivers/gpu/drm/i915/intel_display.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/gpu/drm/i915/intel_display.c b/drivers/gpu/drm/i915/intel_display.c
index c3864d1bc62f..961fc06b9ed1 100644
--- a/drivers/gpu/drm/i915/intel_display.c
+++ b/drivers/gpu/drm/i915/intel_display.c
@@ -2076,6 +2076,9 @@ static bool intel_alloc_plane_obj(struct intel_crtc *crtc,
struct drm_mode_fb_cmd2 mode_cmd = { 0 };
u32 base = plane_config->base;
+ if (plane_config->size == 0)
+ return false;
+
obj = i915_gem_object_create_stolen_for_preallocated(dev, base, base,
plane_config->size);
if (!obj)
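Review bot: the new "if (plane_config->size == 0)" check ahead of i915_gem_object_create_stolen_for_preallocated() carries no comment, so the reason for it lives only in the commit message. A short comment stating that the stolen allocator warns on zero-sized requests, and that a zero size is an expected input here, would keep the early return from reading as a redundant guard. The commit message could also say in which situation size ends up zero.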
--
1.9.0
* Re: [PATCH 2/2] drm/i915: Avoid requesting a zero-sized stolen object
From: Daniel Vetter @ 2014-03-10 8:18 UTC
To: Chris Wilson; +Cc: intel-gfx
On Mon, Mar 10, 2014 at 08:07:02AM +0000, Chris Wilson wrote:
> The stolen allocator objects loudly if the caller requests a zero-sized
> object. This is a useful verbose check as in most cases the request
> should have been pruned much earlier. Here we just want to silently return
> before attempting the allocation.
>
> Regression from
> commit 484b41dd70a9fbea894632d8926bbb93f05021c7
> Author: Jesse Barnes <jbarnes@virtuousgeek.org>
> Date: Fri Mar 7 08:57:55 2014 -0800
>
> drm/i915: remove early fb allocation dependency on CONFIG_FB v2
>
> Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=75963
> Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Both patches merged, thanks for the quick fixup.
-Daniel
> ---
> drivers/gpu/drm/i915/intel_display.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/drivers/gpu/drm/i915/intel_display.c b/drivers/gpu/drm/i915/intel_display.c
> index c3864d1bc62f..961fc06b9ed1 100644
> --- a/drivers/gpu/drm/i915/intel_display.c
> +++ b/drivers/gpu/drm/i915/intel_display.c
> @@ -2076,6 +2076,9 @@ static bool intel_alloc_plane_obj(struct intel_crtc *crtc,
> struct drm_mode_fb_cmd2 mode_cmd = { 0 };
> u32 base = plane_config->base;
>
> + if (plane_config->size == 0)
> + return false;
> +
> obj = i915_gem_object_create_stolen_for_preallocated(dev, base, base,
> plane_config->size);
> if (!obj)
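Review bot: the early "return false" for a zero plane_config->size gives the caller of this bool function nothing to tell it apart from whatever the "if (!obj)" path just below reports through the same return type. If "nothing to inherit" and "allocation failed" should ever be handled or logged differently, a debug message at this return or a distinct return value would make the silent case visible.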
> --
> 1.9.0
--
Daniel Vetter
Software Engineer, Intel Corporation
+41 (0) 79 365 57 48 - http://blog.ffwll.ch