Thomas Zimmermann
f0adbc382b
drm/ast: Allocate initial CRTC state of the correct size
The ast driver inherits from DRM's CRTC state, but still uses the atomic
helper for struct drm_crtc_funcs.reset, drm_atomic_helper_crtc_reset().
The helper only allocates enough memory for the core CRTC state. That
results in an out-ouf-bounds access when duplicating the initial CRTC
state. Simplified backtrace shown below:
[ 21.469321] ==================================================================
[ 21.469434] BUG: KASAN: slab-out-of-bounds in ast_crtc_atomic_duplicate_state+0x84/0x100 [ast]
[ 21.469445] Read of size 8 at addr ffff888036c1c5f8 by task systemd-udevd/382
[ 21.469451]
[ 21.469464] CPU: 2 PID: 382 Comm: systemd-udevd Tainted: G E 5.5.0-rc6-1-default+ #214
[ 21.469473] Hardware name: Sun Microsystems SUN FIRE X2270 M2/SUN FIRE X2270 M2, BIOS 2.05 07/01/2010
[ 21.469480] Call Trace:
[ 21.469501] dump_stack+0xb8/0x110
[ 21.469528] print_address_description.constprop.0+0x1b/0x1e0
[ 21.469557] ? ast_crtc_atomic_duplicate_state+0x84/0x100 [ast]
[ 21.469581] ? ast_crtc_atomic_duplicate_state+0x84/0x100 [ast]
[ 21.469597] __kasan_report.cold+0x1a/0x35
[ 21.469640] ? ast_crtc_atomic_duplicate_state+0x84/0x100 [ast]
[ 21.469665] kasan_report+0xe/0x20
[ 21.469693] ast_crtc_atomic_duplicate_state+0x84/0x100 [ast]
[ 21.469733] drm_atomic_get_crtc_state+0xbf/0x1c0
[ 21.469768] __drm_atomic_helper_set_config+0x81/0x5a0
[ 21.469803] ? drm_atomic_plane_check+0x690/0x690
[ 21.469843] ? drm_client_rotation+0xae/0x240
[ 21.469876] drm_client_modeset_commit_atomic+0x230/0x390
[ 21.469888] ? __mutex_lock+0x8f0/0xbe0
[ 21.469929] ? drm_client_firmware_config.isra.0+0xa60/0xa60
[ 21.469948] ? drm_client_modeset_commit_force+0x28/0x230
[ 21.470031] ? memset+0x20/0x40
[ 21.470078] drm_client_modeset_commit_force+0x90/0x230
[ 21.470110] drm_fb_helper_restore_fbdev_mode_unlocked+0x5f/0xc0
[ 21.470132] drm_fb_helper_set_par+0x59/0x70
[ 21.470155] fbcon_init+0x61d/0xad0
[ 21.470185] ? drm_fb_helper_restore_fbdev_mode_unlocked+0xc0/0xc0
[ 21.470232] visual_init+0x187/0x240
[ 21.470266] do_bind_con_driver+0x2e3/0x460
[ 21.470321] do_take_over_console+0x20a/0x290
[ 21.470371] do_fbcon_takeover+0x85/0x100
[ 21.470402] register_framebuffer+0x2fd/0x490
[ 21.470425] ? kzalloc.constprop.0+0x10/0x10
[ 21.470503] __drm_fb_helper_initial_config_and_unlock+0xf2/0x140
[ 21.470533] drm_fbdev_client_hotplug+0x162/0x250
[ 21.470563] drm_fbdev_generic_setup+0xd2/0x155
[ 21.470602] ast_driver_load+0x688/0x850 [ast]
<...>
[ 21.472625] ==================================================================
Allocating enough memory for struct ast_crtc_state in a custom ast CRTC
reset handler fixes the problem.
v2:
* implement according to drm_atomic_helper_crtc_reset()
* update state with __drm_atomic_helper_crtc_reset()
Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
Fixes: 83be6a3ceb ("drm/ast: Introduce struct ast_crtc_state")
Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Cc: Dave Airlie <airlied@redhat.com>
Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
Cc: Alex Deucher <alexander.deucher@amd.com>
Cc: "Noralf Trønnes" <noralf@tronnes.org>
Cc: Sam Ravnborg <sam@ravnborg.org>
Cc: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20200130094012.32140-1-tzimmermann@suse.de
2020-04-20 15:48:23 +02:00
..
2020-04-10 09:52:15 -07:00
2020-04-01 08:03:28 +02:00
2020-04-09 09:31:38 -06:00
2020-03-25 11:50:48 +01:00
2020-04-07 10:43:41 -07:00
2020-04-10 17:20:06 -07:00
2020-04-03 15:05:35 -07:00
2020-04-10 17:57:48 -07:00
2020-04-05 10:43:32 -07:00
2020-04-05 09:24:58 +02:00
2020-04-06 10:14:39 -07:00
2020-04-10 11:32:22 +02:00
2020-04-08 21:35:29 -07:00
2020-04-02 19:15:03 -07:00
2020-03-25 08:35:03 +09:00
2020-04-10 15:36:22 -07:00
2020-04-17 08:12:22 +02:00
2020-03-30 16:40:08 -07:00
2020-03-25 11:50:48 +01:00
2020-04-03 13:22:40 -07:00
2020-04-10 12:27:06 -07:00
2020-04-04 10:27:00 -07:00
2020-04-20 15:48:23 +02:00
2020-04-01 15:18:42 -07:00
2020-04-07 10:43:40 -07:00
2020-04-10 15:36:22 -07:00
2020-03-25 22:30:46 -07:00
2020-03-24 13:45:24 +01:00
2020-04-02 15:54:13 -07:00
2020-03-29 10:35:50 +02:00
2020-04-04 18:07:59 -07:00
2020-03-30 16:40:08 -07:00
2020-04-08 21:25:49 -07:00
2020-04-01 18:18:18 -07:00
2020-04-07 20:20:12 -07:00
2020-03-27 11:33:27 +01:00
2020-04-05 11:57:12 -07:00
2020-04-06 23:12:08 +02:00
2020-03-30 11:43:51 -07:00
2020-04-03 13:22:40 -07:00
2020-04-08 21:03:40 -07:00
2020-03-30 15:05:01 -07:00
2020-04-03 15:05:35 -07:00
2020-03-26 22:40:47 -04:00
2020-03-30 07:35:28 +01:00
2020-04-08 10:51:53 -07:00
2020-03-31 16:13:09 -07:00
2020-03-24 13:42:44 +01:00
2020-04-07 12:40:56 -07:00
2020-04-08 10:51:53 -07:00
2020-03-25 18:58:11 -07:00
2020-04-03 14:25:02 -07:00
2020-04-08 21:03:40 -07:00
2020-04-10 10:06:54 -07:00
2020-03-25 19:23:49 +01:00
2020-04-02 17:32:52 -07:00
2020-04-05 22:05:23 +02:00
2020-04-08 11:00:00 -07:00
2020-03-31 18:48:22 +02:00
2020-03-31 10:05:01 -07:00
2020-04-03 14:25:02 -07:00
2020-04-04 10:27:00 -07:00
2020-04-10 15:36:22 -07:00
2020-04-10 15:36:22 -07:00
2020-03-30 16:40:08 -07:00
2020-04-03 00:09:59 +11:00
2020-03-30 11:16:38 -07:00
2020-04-03 21:41:42 +02:00
2020-03-30 14:58:26 -07:00
2020-04-03 10:47:21 -07:00
2020-04-07 19:48:52 -07:00
2020-04-10 12:21:11 -07:00
2020-04-10 12:21:11 -07:00
2020-04-09 10:51:30 -07:00
2020-04-03 13:22:40 -07:00
2020-04-02 15:50:04 -07:00
2020-04-10 15:36:21 -07:00
2020-04-10 12:21:11 -07:00
2020-04-03 15:05:35 -07:00
2020-04-07 20:00:16 -07:00
2020-04-05 11:12:59 -07:00
2020-04-02 17:03:53 -07:00
2020-04-02 10:41:40 -04:00
2020-04-01 13:51:51 -06:00
2020-04-02 10:41:40 -04:00
2020-04-17 15:50:14 +02:00
2020-04-08 10:51:53 -07:00
2020-04-01 11:35:23 +02:00
2020-04-10 17:20:06 -07:00
2020-04-03 13:12:26 -07:00
2020-04-08 10:51:53 -07:00
2020-04-08 10:51:53 -07:00