Hello, 

For my HTPC setup, I'm using the option "CustomEDID".
With this option, output attaching and destroying events leads to crashes.

The following sequence leads to a crash:
- In xorg.conf: Option "CustomEDID" "HDMI2:/etc/my_edid.bin"
- Starting Xorg
- Connect HDMI2
- Disconnect HDMI2
- Reconnect HDMI2
  -> Crash


The crash happens in xf86OutputSetEDID 
(xorg/xserver/hw/xfree86/modes/xf86Crtc.c) 
at "free(output->MonInfo)". MonInfo is assigned with sna_output->fake_edid_mon 
which is allocated by intel driver in sna_output_load_fake_edid 
(src/sna/sna_display.c). 


Sequence details:
- Starting Xorg
   -> fake_edid_mon is initialized

- Connect HDMI2
   -> xf86OutputSetEDID is called: 
       - MonInfo is NULL
       - MonInfo is assigned with fake_edid_mon pointer
       - MonInfo is read by Xorg

- Disconnect HDMI2

- Reconnect HDMI2
   -> xf86OutputSetEDID is called:
       - MonInfo is freed thus also fake_edid_mon
       - MonInfo is assigned with fake_edid_mon
       - MonInfo is read but it was freed -> CRASH


The fix consists of a new instance of xf86MonPtr for each calls of 
xf86OutputSetEDID. 
This instance is initialized with fake_edid_raw which render fake_edid_mon 
useless. 
With this proposal, the behaviour of an EDID override is similar to a "real" 
EDID. 

Regards,


Signed-off-by: Dominique Constant <dom.const...@free.fr>
To: Chris Wilson <chris at chris-wilson.co.uk>

diff --git a/src/sna/sna_display.c b/src/sna/sna_display.c
index ea2f148d..ad805c2f 100644
--- a/src/sna/sna_display.c
+++ b/src/sna/sna_display.c
@@ -263,7 +263,6 @@ struct sna_output {
         uint32_t edid_blob_id;
         uint32_t edid_len;
         void *edid_raw;
-        xf86MonPtr fake_edid_mon;
         void *fake_edid_raw;
 
         bool has_panel_limits;
@@ -4102,13 +4101,21 @@ static DisplayModePtr
 sna_output_override_edid(xf86OutputPtr output)
 {
         struct sna_output *sna_output = output->driver_private;
+        xf86MonPtr mon = NULL;
+
+        if (sna_output->fake_edid_raw == NULL)
+                return NULL;
 
-        if (sna_output->fake_edid_mon == NULL)
+        mon = xf86InterpretEDID(output->scrn->scrnIndex, 
sna_output->fake_edid_raw);
+        if (mon == NULL) {
                 return NULL;
+        }
+
+        mon->flags |= MONITOR_EDID_COMPLETE_RAWDATA;
+
+        xf86OutputSetEDID(output, mon);
 
-        xf86OutputSetEDID(output, sna_output->fake_edid_mon);
-        return xf86DDCGetModes(output->scrn->scrnIndex,
-                               sna_output->fake_edid_mon);
+        return xf86DDCGetModes(output->scrn->scrnIndex, mon);
 }
 
 static DisplayModePtr
@@ -4896,7 +4903,6 @@ sna_output_load_fake_edid(xf86OutputPtr output)
         FILE *file;
         void *raw;
         int size;
-        xf86MonPtr mon;
 
         filename = fake_edid_name(output);
         if (filename == NULL)
@@ -4928,16 +4934,6 @@ sna_output_load_fake_edid(xf86OutputPtr output)
         }
         fclose(file);
 
-        mon = xf86InterpretEDID(output->scrn->scrnIndex, raw);
-        if (mon == NULL) {
-                free(raw);
-                goto err;
-        }
-
-        if (mon && size > 128)
-                mon->flags |= MONITOR_EDID_COMPLETE_RAWDATA;
-
-        sna_output->fake_edid_mon = mon;
         sna_output->fake_edid_raw = raw;
 
         xf86DrvMsg(output->scrn->scrnIndex, X_CONFIG,

_______________________________________________
Intel-gfx mailing list
Intel-gfx@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/intel-gfx

Reply via email to