* [PATCH i-g-t] kms_dp_tiled_display: Fix the double free of drmConnector
@ 2019-09-18 15:16 Chris Wilson
From: Chris Wilson @ 2019-09-18 15:16 UTC
To: intel-gfx; +Cc: igt-dev
drmConnectorFree is called inside the loop and after. Not unsurprisingly
this leads to a use-after-free and memcorruption.
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=111710
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Cc: Manasi Navare <manasi.d.navare@intel.com>
---
tests/kms_dp_tiled_display.c | 28 ++++++++++------------------
1 file changed, 10 insertions(+), 18 deletions(-)
diff --git a/tests/kms_dp_tiled_display.c b/tests/kms_dp_tiled_display.c
index c4643c358..dc4866d2f 100644
--- a/tests/kms_dp_tiled_display.c
+++ b/tests/kms_dp_tiled_display.c
@@ -100,37 +100,29 @@ cleanup:
static void get_number_of_h_tiles(data_t *data)
{
- int i;
+ igt_tile_info_t tile = {};
drmModeResPtr res;
- drmModeConnectorPtr connector;
- igt_tile_info_t tile = {.num_h_tile = 0};
igt_assert(res = drmModeGetResources(data->drm_fd));
- for (i = 0; i < res->count_connectors; i++) {
+ for (int i = 0; !data->num_h_tiles && i < res->count_connectors; i++) {
+ drmModeConnectorPtr connector;
+
connector = drmModeGetConnectorCurrent(data->drm_fd,
res->connectors[i]);
-
igt_assert(connector);
- if (connector->connection != DRM_MODE_CONNECTED ||
- connector->connector_type != DRM_MODE_CONNECTOR_DisplayPort) {
- drmModeFreeConnector(connector);
- continue;
- }
-
- get_connector_tile_props(data, connector, &tile);
+ if (connector->connection == DRM_MODE_CONNECTED &&
+ connector->connector_type == DRM_MODE_CONNECTOR_DisplayPort) {
+ get_connector_tile_props(data, connector, &tile);
- if (tile.num_h_tile == 0) {
- drmModeFreeConnector(connector);
- continue;
+ data->num_h_tiles = tile.num_h_tile;
}
- data->num_h_tiles = tile.num_h_tile;
- break;
+
+ drmModeFreeConnector(connector);
}
drmModeFreeResources(res);
- drmModeFreeConnector(connector);
}
static void get_connectors(data_t *data)
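Review bot: The new loop condition `!data->num_h_tiles && i < res->count_connectors` reads data->num_h_tiles before this function has written it, which the removed loop never did. If the field is non-zero on entry (how data is initialised is not visible in this hunk), no connector is inspected and the old count is silently kept. Setting `data->num_h_tiles = 0;` before the loop, or terminating on the local `tile.num_h_tile` and assigning to data once after the loop, keeps the function self-contained. The single `drmModeFreeConnector(connector);` at the end of the loop body does pair one free with each drmModeGetConnectorCurrent() call, and it also removes the case where res->count_connectors is 0 and the old trailing free acted on an uninitialised pointer; that second case would be worth a line in the commit message.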
--
2.23.0
_______________________________________________
Intel-gfx mailing list
Intel-gfx@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/intel-gfx
* Re: [PATCH i-g-t] kms_dp_tiled_display: Fix the double free of drmConnector
@ 2019-09-18 16:38 ` Manasi Navare
From: Manasi Navare @ 2019-09-18 16:38 UTC
To: Chris Wilson; +Cc: igt-dev, intel-gfx
On Wed, Sep 18, 2019 at 04:16:28PM +0100, Chris Wilson wrote:
> drmConnectorFree is called inside the loop and after. Not unsurprisingly
> this leads to a use-after-free and memcorruption.
>
> Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=111710
> Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
> Cc: Manasi Navare <manasi.d.navare@intel.com>
Thanks for the fix
Reviewed-by: Manasi Navare <manasi.d.navare@intel.com>
Manasi
> ---
> tests/kms_dp_tiled_display.c | 28 ++++++++++------------------
> 1 file changed, 10 insertions(+), 18 deletions(-)
>
> diff --git a/tests/kms_dp_tiled_display.c b/tests/kms_dp_tiled_display.c
> index c4643c358..dc4866d2f 100644
> --- a/tests/kms_dp_tiled_display.c
> +++ b/tests/kms_dp_tiled_display.c
> @@ -100,37 +100,29 @@ cleanup:
>
> static void get_number_of_h_tiles(data_t *data)
> {
> - int i;
> + igt_tile_info_t tile = {};
> drmModeResPtr res;
> - drmModeConnectorPtr connector;
> - igt_tile_info_t tile = {.num_h_tile = 0};
>
> igt_assert(res = drmModeGetResources(data->drm_fd));
>
> - for (i = 0; i < res->count_connectors; i++) {
> + for (int i = 0; !data->num_h_tiles && i < res->count_connectors; i++) {
> + drmModeConnectorPtr connector;
> +
> connector = drmModeGetConnectorCurrent(data->drm_fd,
> res->connectors[i]);
> -
> igt_assert(connector);
>
> - if (connector->connection != DRM_MODE_CONNECTED ||
> - connector->connector_type != DRM_MODE_CONNECTOR_DisplayPort) {
> - drmModeFreeConnector(connector);
> - continue;
> - }
> -
> - get_connector_tile_props(data, connector, &tile);
> + if (connector->connection == DRM_MODE_CONNECTED &&
> + connector->connector_type == DRM_MODE_CONNECTOR_DisplayPort) {
> + get_connector_tile_props(data, connector, &tile);
>
> - if (tile.num_h_tile == 0) {
> - drmModeFreeConnector(connector);
> - continue;
> + data->num_h_tiles = tile.num_h_tile;
> }
> - data->num_h_tiles = tile.num_h_tile;
> - break;
> +
> + drmModeFreeConnector(connector);
> }
>
> drmModeFreeResources(res);
> - drmModeFreeConnector(connector);
> }
>
> static void get_connectors(data_t *data)
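Review bot: `igt_tile_info_t tile = {};` in the declarations uses an empty initializer list, which is a GNU extension before C23, whereas the removed `igt_tile_info_t tile = {.num_h_tile = 0};` was plain C99. Writing `igt_tile_info_t tile = {0};` or keeping the designated form zeroes the struct the same way without relying on the extension. Because `tile` is declared once outside the loop and passed to get_connector_tile_props() on each matching connector, a short comment that the loop stops at the first non-zero tile.num_h_tile would also make it clear why the struct does not need resetting per iteration.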
> --
> 2.23.0
>