diff options
| author | Thomas Zimmermann <tzimmermann@suse.de> | 2025-08-26 16:50:25 +0200 | 
|---|---|---|
| committer | Thomas Zimmermann <tzimmermann@suse.de> | 2025-08-27 14:09:58 +0200 | 
| commit | 27a7e8b6c58144c8c8bd49765364c93f756abc33 (patch) | |
| tree | 9f925c1febe68cd2b822c5612a7ec43e606989e3 /scripts/gdb/linux/kasan.py | |
| parent | 6380b1ceba7783ccd2c7fb2e003412c1b8bb4235 (diff) | |
drm/sysfb: Do not deref unexisting CRTC state in atomic_disable
Do not access CRTC state in drm_sysfb_plane_helper_atomic_disable().
Use format from sysfb device for clearing scanout buffer. This is
the behavior from before commit 061963cd9e5b ("drm/sysfb: Blit to
CRTC destination format").
When being disabled, the plane has no associated CRTC. Trying to deref
the format pointer results in a segmentation fault. An example stack
track is shown below.
[   58.948915] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000023: 0000 [#1] SMP KASAN PTI
[   58.959971] KASAN: null-ptr-deref in range [0x0000000000000118-0x000000000000011f]
[...]
[   58.979308] RIP: 0010:drm_sysfb_plane_helper_atomic_disable+0x1af/0x520
[...]
[   59.084227] Call Trace:
[   59.086682]  <TASK>
[   59.088793]  ? __pfx_drm_sysfb_plane_helper_atomic_disable+0x10/0x10
[   59.095155]  ? crtc_disable+0xf2/0x5a0
[   59.098920]  drm_atomic_helper_commit_planes+0x848/0x1030
[   59.104336]  drm_atomic_helper_commit_tail+0x41/0xb0
[   59.109316]  commit_tail+0x204/0x330
[   59.112903]  drm_atomic_helper_commit+0x242/0x2e0
[   59.117618]  ? __pfx_drm_atomic_helper_commit+0x10/0x10
[   59.122851]  drm_atomic_commit+0x1e1/0x290
[   59.126957]  ? drm_atomic_add_affected_connectors+0x266/0x330
[   59.132714]  ? __pfx_drm_atomic_commit+0x10/0x10
[   59.137343]  ? __pfx___drm_printfn_info+0x10/0x10
[   59.142058]  ? drm_atomic_set_crtc_for_connector+0x436/0x630
[   59.147729]  atomic_remove_fb+0x631/0x920
[   59.151751]  ? save_trace+0xcf/0x180
[   59.155343]  ? __pfx_atomic_remove_fb+0x10/0x10
[   59.159890]  ? __pfx___drm_dev_dbg+0x10/0x10
[   59.164173]  drm_framebuffer_remove+0x19a/0x710
Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
Fixes: 061963cd9e5b ("drm/sysfb: Blit to CRTC destination format")
Closes: https://gitlab.freedesktop.org/drm/i915/kernel/-/issues/14874
Cc: Thomas Zimmermann <tzimmermann@suse.de>
Cc: Javier Martinez Canillas <javierm@redhat.com>
Cc: dri-devel@lists.freedesktop.org
Reviewed-by: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
Link: https://lore.kernel.org/r/20250826145044.954396-1-tzimmermann@suse.de
Diffstat (limited to 'scripts/gdb/linux/kasan.py')
0 files changed, 0 insertions, 0 deletions
