On 26.08.25 at 16:50, Thomas Zimmermann wrote:
Do not access CRTC state in drm_sysfb_plane_helper_atomic_disable().
Use format from sysfb device for clearing scanout buffer. This is
the behavior from before commit 061963cd9e5b ("drm/sysfb: Blit to
CRTC destination format").

When being disabled, the plane has no associated CRTC. Trying to deref
the format pointer results in a segmentation fault. An example stack
trace is shown below.
[ 58.948915] Oops: general protection fault, probably for non-canonical
address 0xdffffc0000000023: 0000 [#1] SMP KASAN PTI
[ 58.959971] KASAN: null-ptr-deref in range
[0x0000000000000118-0x000000000000011f]
[...]
[ 58.979308] RIP: 0010:drm_sysfb_plane_helper_atomic_disable+0x1af/0x520
[...]
[ 59.084227] Call Trace:
[ 59.086682] <TASK>
[ 59.088793] ? __pfx_drm_sysfb_plane_helper_atomic_disable+0x10/0x10
[ 59.095155] ? crtc_disable+0xf2/0x5a0
[ 59.098920] drm_atomic_helper_commit_planes+0x848/0x1030
[ 59.104336] drm_atomic_helper_commit_tail+0x41/0xb0
[ 59.109316] commit_tail+0x204/0x330
[ 59.112903] drm_atomic_helper_commit+0x242/0x2e0
[ 59.117618] ? __pfx_drm_atomic_helper_commit+0x10/0x10
[ 59.122851] drm_atomic_commit+0x1e1/0x290
[ 59.126957] ? drm_atomic_add_affected_connectors+0x266/0x330
[ 59.132714] ? __pfx_drm_atomic_commit+0x10/0x10
[ 59.137343] ? __pfx___drm_printfn_info+0x10/0x10
[ 59.142058] ? drm_atomic_set_crtc_for_connector+0x436/0x630
[ 59.147729] atomic_remove_fb+0x631/0x920
[ 59.151751] ? save_trace+0xcf/0x180
[ 59.155343] ? __pfx_atomic_remove_fb+0x10/0x10
[ 59.159890] ? __pfx___drm_dev_dbg+0x10/0x10
[ 59.164173] drm_framebuffer_remove+0x19a/0x710
Signed-off-by: Thomas Zimmermann <tzimmerm...@suse.de>
Fixes: 061963cd9e5b ("drm/sysfb: Blit to CRTC destination format")
Cc: Thomas Zimmermann <tzimmerm...@suse.de>
Cc: Javier Martinez Canillas <javi...@redhat.com>
Cc: dri-devel@lists.freedesktop.org
Reviewed-by: Maarten Lankhorst <maarten.lankho...@linux.intel.com>
via IRC:
https://people.freedesktop.org/~cbrill/dri-log/?channel=dri-devel&highlight_names=&date=2025-08-27
---
drivers/gpu/drm/sysfb/drm_sysfb_modeset.c | 5 +----
1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/drivers/gpu/drm/sysfb/drm_sysfb_modeset.c
b/drivers/gpu/drm/sysfb/drm_sysfb_modeset.c
index 0e05345cdeee..963c380fea64 100644
--- a/drivers/gpu/drm/sysfb/drm_sysfb_modeset.c
+++ b/drivers/gpu/drm/sysfb/drm_sysfb_modeset.c
@@ -281,10 +281,7 @@ void drm_sysfb_plane_helper_atomic_disable(struct
drm_plane *plane,
struct drm_plane_state *plane_state =
drm_atomic_get_new_plane_state(state, plane);
void __iomem *dst_vmap = dst.vaddr_iomem; /* TODO: Use mapping
abstraction */
unsigned int dst_pitch = sysfb->fb_pitch;
- struct drm_crtc_state *crtc_state = crtc_state =
- drm_atomic_get_new_crtc_state(state, plane_state->crtc);
- struct drm_sysfb_crtc_state *sysfb_crtc_state =
to_drm_sysfb_crtc_state(crtc_state);
- const struct drm_format_info *dst_format = sysfb_crtc_state->format;
+ const struct drm_format_info *dst_format = sysfb->fb_format;
struct drm_rect dst_clip;
unsigned long lines, linepixels, i;
int idx;
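Review bot: The new `dst_format = sysfb->fb_format` declaration carries no comment explaining why the CRTC state is avoided in this function, and that reasoning is the only thing that keeps the oops from returning. The removed lines reached the format through `plane_state->crtc`, which per the commit message is not set while the plane is being disabled, so a later change that goes back to the CRTC state for the format would reintroduce the NULL dereference. I would add a short comment above the declaration saying that the plane has no CRTC in atomic_disable and that the device format must be used for the clear. It would also help to state in the commit message that `sysfb->fb_format` is the format that belongs with `sysfb->fb_pitch`, since the clear now takes both from the sysfb device.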
--
--
Thomas Zimmermann
Graphics Driver Developer
SUSE Software Solutions Germany GmbH
Frankenstrasse 146, 90461 Nuernberg, Germany
GF: Ivo Totev, Andrew Myers, Andrew McDonald, Boudien Moerman
HRB 36809 (AG Nuernberg)