| Message ID | 20181107161130.22683-1-stanislav.lisovskiy@intel.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | drm: Check if primary mst is null | expand |
On Wed, Nov 07, 2018 at 06:11:30PM +0200, Stanislav Lisovskiy wrote: > Unfortunately drm_dp_get_mst_branch_device which is called from both > drm_dp_mst_handle_down_rep and drm_dp_mst_handle_up_rep seem to rely > on that mgr->mst_primary is not NULL, which seem to be wrong as it can be > cleared with simultaneous mode set, if probing fails or in other case. > mgr->lock mutex doesn't protect against that as it might just get assigned to NULL > right before, not simultaneously. > There are currently bugs 107738, 108816 bugs which crash in > drm_dp_get_mst_branch_device, caused by this issue. Use the proper Bugzilla: tags for those. This also seems like cc:stable material. > > Signed-off-by: Stanislav Lisovskiy <stanislav.lisovskiy@intel.com> > --- > drivers/gpu/drm/drm_dp_mst_topology.c | 6 ++++++ > 1 file changed, 6 insertions(+) > > diff --git a/drivers/gpu/drm/drm_dp_mst_topology.c b/drivers/gpu/drm/drm_dp_mst_topology.c > index 5ff1d79b86c4..fb90ed4cdc3a 100644 > --- a/drivers/gpu/drm/drm_dp_mst_topology.c > +++ b/drivers/gpu/drm/drm_dp_mst_topology.c > @@ -1273,6 +1273,12 @@ static struct drm_dp_mst_branch *drm_dp_get_mst_branch_device(struct drm_dp_mst_ > /* find the port by iterating down */ > > mutex_lock(&mgr->lock); > + > + if (!mgr->mst_primary) { > + mstb = NULL; > + goto out; > + } > + > mstb = mgr->mst_primary; > Or a bit simpler: mstb = mgr->mst_primary; + if (!mstb) + goto out; ccing Lyude as well.. > for (i = 0; i < lct - 1; i++) { > -- > 2.17.1 > > _______________________________________________ > dri-devel mailing list > dri-devel@lists.freedesktop.org > https://lists.freedesktop.org/mailman/listinfo/dri-devel
Thanks for noticing this one! With the changes that Ville mentioned in their response: Reviewed-by: Lyude Paul <lyude@redhat.com> If you need me to push this for you; poke me here or on IRC On Wed, 2018-11-07 at 18:11 +0200, Stanislav Lisovskiy wrote: > Unfortunately drm_dp_get_mst_branch_device which is called from both > drm_dp_mst_handle_down_rep and drm_dp_mst_handle_up_rep seem to rely > on that mgr->mst_primary is not NULL, which seem to be wrong as it can be > cleared with simultaneous mode set, if probing fails or in other case. > mgr->lock mutex doesn't protect against that as it might just get assigned > to NULL > right before, not simultaneously. > There are currently bugs 107738, 108816 bugs which crash in > drm_dp_get_mst_branch_device, caused by this issue. > > Signed-off-by: Stanislav Lisovskiy <stanislav.lisovskiy@intel.com> > --- > drivers/gpu/drm/drm_dp_mst_topology.c | 6 ++++++ > 1 file changed, 6 insertions(+) > > diff --git a/drivers/gpu/drm/drm_dp_mst_topology.c > b/drivers/gpu/drm/drm_dp_mst_topology.c > index 5ff1d79b86c4..fb90ed4cdc3a 100644 > --- a/drivers/gpu/drm/drm_dp_mst_topology.c > +++ b/drivers/gpu/drm/drm_dp_mst_topology.c > @@ -1273,6 +1273,12 @@ static struct drm_dp_mst_branch > *drm_dp_get_mst_branch_device(struct drm_dp_mst_ > /* find the port by iterating down */ > > mutex_lock(&mgr->lock); > + > + if (!mgr->mst_primary) { > + mstb = NULL; > + goto out; > + } > + > mstb = mgr->mst_primary; > > for (i = 0; i < lct - 1; i++) {
diff --git a/drivers/gpu/drm/drm_dp_mst_topology.c b/drivers/gpu/drm/drm_dp_mst_topology.c index 5ff1d79b86c4..fb90ed4cdc3a 100644 --- a/drivers/gpu/drm/drm_dp_mst_topology.c +++ b/drivers/gpu/drm/drm_dp_mst_topology.c @@ -1273,6 +1273,12 @@ static struct drm_dp_mst_branch *drm_dp_get_mst_branch_device(struct drm_dp_mst_ /* find the port by iterating down */ mutex_lock(&mgr->lock); + + if (!mgr->mst_primary) { + mstb = NULL; + goto out; + } + mstb = mgr->mst_primary; for (i = 0; i < lct - 1; i++) {
Unfortunately drm_dp_get_mst_branch_device which is called from both drm_dp_mst_handle_down_rep and drm_dp_mst_handle_up_rep seem to rely on that mgr->mst_primary is not NULL, which seem to be wrong as it can be cleared with simultaneous mode set, if probing fails or in other case. mgr->lock mutex doesn't protect against that as it might just get assigned to NULL right before, not simultaneously. There are currently bugs 107738, 108816 bugs which crash in drm_dp_get_mst_branch_device, caused by this issue. Signed-off-by: Stanislav Lisovskiy <stanislav.lisovskiy@intel.com> --- drivers/gpu/drm/drm_dp_mst_topology.c | 6 ++++++ 1 file changed, 6 insertions(+)