drm/sysfb: Do not deref unexisting CRTC state in atomic_disable

tdz · tdz · commit 27a7e8b6c581 · 2025-08-27T14:09:58.000+02:00
Do not access CRTC state in drm_sysfb_plane_helper_atomic_disable(). Use format from sysfb device for clearing scanout buffer. This is the behavior from before commit 061963c ("drm/sysfb: Blit to CRTC destination format"). When being disabled, the plane has no associated CRTC. Trying to deref the format pointer results in a segmentation fault. An example stack track is shown below. [ 58.948915] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000023: 0000 [#1] SMP KASAN PTI [ 58.959971] KASAN: null-ptr-deref in range [0x0000000000000118-0x000000000000011f] [...] [ 58.979308] RIP: 0010:drm_sysfb_plane_helper_atomic_disable+0x1af/0x520 [...] [ 59.084227] Call Trace: [ 59.086682] <TASK> [ 59.088793] ? __pfx_drm_sysfb_plane_helper_atomic_disable+0x10/0x10 [ 59.095155] ? crtc_disable+0xf2/0x5a0 [ 59.098920] drm_atomic_helper_commit_planes+0x848/0x1030 [ 59.104336] drm_atomic_helper_commit_tail+0x41/0xb0 [ 59.109316] commit_tail+0x204/0x330 [ 59.112903] drm_atomic_helper_commit+0x242/0x2e0 [ 59.117618] ? __pfx_drm_atomic_helper_commit+0x10/0x10 [ 59.122851] drm_atomic_commit+0x1e1/0x290 [ 59.126957] ? drm_atomic_add_affected_connectors+0x266/0x330 [ 59.132714] ? __pfx_drm_atomic_commit+0x10/0x10 [ 59.137343] ? __pfx___drm_printfn_info+0x10/0x10 [ 59.142058] ? drm_atomic_set_crtc_for_connector+0x436/0x630 [ 59.147729] atomic_remove_fb+0x631/0x920 [ 59.151751] ? save_trace+0xcf/0x180 [ 59.155343] ? __pfx_atomic_remove_fb+0x10/0x10 [ 59.159890] ? __pfx___drm_dev_dbg+0x10/0x10 [ 59.164173] drm_framebuffer_remove+0x19a/0x710 Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de> Fixes: 061963c ("drm/sysfb: Blit to CRTC destination format") Closes: https://gitlab.freedesktop.org/drm/i915/kernel/-/issues/14874 Cc: Thomas Zimmermann <tzimmermann@suse.de> Cc: Javier Martinez Canillas <javierm@redhat.com> Cc: dri-devel@lists.freedesktop.org Reviewed-by: Maarten Lankhorst <maarten.lankhorst@linux.intel.com> Link: https://lore.kernel.org/r/20250826145044.954396-1-tzimmermann@suse.de
diff --git a/drivers/gpu/drm/sysfb/drm_sysfb_modeset.c b/drivers/gpu/drm/sysfb/drm_sysfb_modeset.c
@@ -281,10 +281,7 @@ void drm_sysfb_plane_helper_atomic_disable(struct drm_plane *plane,
 	struct drm_plane_state *plane_state = drm_atomic_get_new_plane_state(state, plane);
 	void __iomem *dst_vmap = dst.vaddr_iomem; /* TODO: Use mapping abstraction */
 	unsigned int dst_pitch = sysfb->fb_pitch;
-	struct drm_crtc_state *crtc_state = crtc_state =
-		drm_atomic_get_new_crtc_state(state, plane_state->crtc);
-	struct drm_sysfb_crtc_state *sysfb_crtc_state = to_drm_sysfb_crtc_state(crtc_state);
-	const struct drm_format_info *dst_format = sysfb_crtc_state->format;
+	const struct drm_format_info *dst_format = sysfb->fb_format;
 	struct drm_rect dst_clip;
 	unsigned long lines, linepixels, i;
 	int idx;
