drm: bridge: it66121: Fix invalid connector dereference

Message ID	20230825-it66121_edid-v1-1-3ab54923e472@ti.com (mailing list archive)
State	New, archived
Headers	show Return-Path: <linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org> From: Jai Luthra <j-luthra@ti.com> Date: Fri, 25 Aug 2023 16:32:14 +0530 Subject: [PATCH] drm: bridge: it66121: Fix invalid connector dereference MIME-Version: 1.0 Message-ID: <20230825-it66121_edid-v1-1-3ab54923e472@ti.com> To: Phong LE <ple@baylibre.com>, Neil Armstrong <neil.armstrong@linaro.org>, Andrzej Hajda <andrzej.hajda@intel.com>, Robert Foss <rfoss@kernel.org>, Laurent Pinchart <Laurent.pinchart@ideasonboard.com>, Jonas Karlman <jonas@kwiboo.se>, Jernej Skrabec <jernej.skrabec@gmail.com>, David Airlie <airlied@gmail.com>, Daniel Vetter <daniel@ffwll.ch>, Nicolas Belin <nbelin@baylibre.com>, "Andy.Hsieh" <Andy.Hsieh@mediatek.com> CC: <dri-devel@lists.freedesktop.org>, <linux-kernel@vger.kernel.org>, <linux-arm-kernel@lists.infradead.org>, Aradhya Bhatia <a-bhatia1@ti.com>, <devarsht@ti.com>, <nm@ti.com>, Jai Luthra <j-luthra@ti.com> Precedence: list Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: "linux-arm-kernel" <linux-arm-kernel-bounces@lists.infradead.org> Errors-To: linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org
Series	drm: bridge: it66121: Fix invalid connector dereference \| expand drm: bridge: it66121: Fix invalid connector dereference

Jai Luthra Aug. 25, 2023, 11:02 a.m. UTC

Fix the NULL pointer dereference when no monitor is connected, and the
sound card is opened from userspace.

Instead return an error as EDID information cannot be provided to
the sound framework if there is no connector attached.

Fixes: e0fd83dbe924 ("drm: bridge: it66121: Add audio support")
Reported-by: Nishanth Menon <nm@ti.com>
Closes: https://lore.kernel.org/all/20230825105849.crhon42qndxqif4i@gondola/
Signed-off-by: Jai Luthra <j-luthra@ti.com>
---
 drivers/gpu/drm/bridge/ite-it66121.c | 5 +++++
 1 file changed, 5 insertions(+)


---
base-commit: 6269320850097903b30be8f07a5c61d9f7592393
change-id: 20230825-it66121_edid-6ee98517808b

Best regards,

Aradhya Bhatia Aug. 28, 2023, 11:04 a.m. UTC | #1

Hi Jai,

Thanks for debugging the issue.

On 25-Aug-23 16:32, Jai Luthra wrote:
> Fix the NULL pointer dereference when no monitor is connected, and the
> sound card is opened from userspace.
> 
> Instead return an error as EDID information cannot be provided to
> the sound framework if there is no connector attached.
> 
> Fixes: e0fd83dbe924 ("drm: bridge: it66121: Add audio support")
> Reported-by: Nishanth Menon <nm@ti.com>
> Closes: https://lore.kernel.org/all/20230825105849.crhon42qndxqif4i@gondola/
> Signed-off-by: Jai Luthra <j-luthra@ti.com>
> ---
>  drivers/gpu/drm/bridge/ite-it66121.c | 5 +++++
>  1 file changed, 5 insertions(+)
> 
> diff --git a/drivers/gpu/drm/bridge/ite-it66121.c b/drivers/gpu/drm/bridge/ite-it66121.c
> index 466641c77fe9..d6fa00dea464 100644
> --- a/drivers/gpu/drm/bridge/ite-it66121.c
> +++ b/drivers/gpu/drm/bridge/ite-it66121.c
> @@ -1446,6 +1446,11 @@ static int it66121_audio_get_eld(struct device *dev, void *data,
>  {
>  	struct it66121_ctx *ctx = dev_get_drvdata(dev);
>  
> +	if (!ctx->connector) {
> +		dev_dbg(dev, "No connector present, cannot provide EDID data");
> +		return -EINVAL;
> +	}
> +

There are not many HDMI bridges that support codecs in the kernel, but
upon a quick look, bridge/analogix/anx7625.c and
bridge/synopsys/dw-hdmi* gracefully return a buffer of 0s when the
connector is unavailable.

I am not sure why that is done, but I also don't see the hdmi-codec
driver handle the 0s situation properly. It is business as usual for the
hdmi-codec.

Did you come across some observation when you were testing?

Regards
Aradhya

>  	mutex_lock(&ctx->lock);
>  
>  	memcpy(buf, ctx->connector->eld,
> 
> ---
> base-commit: 6269320850097903b30be8f07a5c61d9f7592393
> change-id: 20230825-it66121_edid-6ee98517808b
> 
> Best regards,

Helen Mae Koike Fornazier Aug. 28, 2023, 3:35 p.m. UTC | #2

On Friday, August 25, 2023 08:02 -03, Jai Luthra <j-luthra@ti.com> wrote:

> Fix the NULL pointer dereference when no monitor is connected, and the
> sound card is opened from userspace.
> 
> Instead return an error as EDID information cannot be provided to
> the sound framework if there is no connector attached.
> 
> Fixes: e0fd83dbe924 ("drm: bridge: it66121: Add audio support")
> Reported-by: Nishanth Menon <nm@ti.com>
> Closes: https://lore.kernel.org/all/20230825105849.crhon42qndxqif4i@gondola/
> Signed-off-by: Jai Luthra <j-luthra@ti.com>

Reviewed-by: Helen Koike <helen.koike@collabora.com>

> ---
>  drivers/gpu/drm/bridge/ite-it66121.c | 5 +++++
>  1 file changed, 5 insertions(+)
> 
> diff --git a/drivers/gpu/drm/bridge/ite-it66121.c b/drivers/gpu/drm/bridge/ite-it66121.c
> index 466641c77fe9..d6fa00dea464 100644
> --- a/drivers/gpu/drm/bridge/ite-it66121.c
> +++ b/drivers/gpu/drm/bridge/ite-it66121.c
> @@ -1446,6 +1446,11 @@ static int it66121_audio_get_eld(struct device *dev, void *data,
>  {
>  	struct it66121_ctx *ctx = dev_get_drvdata(dev);
>  
> +	if (!ctx->connector) {
> +		dev_dbg(dev, "No connector present, cannot provide EDID data");
> +		return -EINVAL;
> +	}
> +
>  	mutex_lock(&ctx->lock);
>  
>  	memcpy(buf, ctx->connector->eld,
> 
> ---
> base-commit: 6269320850097903b30be8f07a5c61d9f7592393
> change-id: 20230825-it66121_edid-6ee98517808b
> 
> Best regards,
> -- 
> Jai Luthra <j-luthra@ti.com>
>

Nishanth Menon Aug. 31, 2023, 12:25 p.m. UTC | #3

On 16:35-20230828, Helen Mae Koike Fornazier wrote:
> On Friday, August 25, 2023 08:02 -03, Jai Luthra <j-luthra@ti.com> wrote:
> 
> > Fix the NULL pointer dereference when no monitor is connected, and the
> > sound card is opened from userspace.
> > 
> > Instead return an error as EDID information cannot be provided to
> > the sound framework if there is no connector attached.
> > 
> > Fixes: e0fd83dbe924 ("drm: bridge: it66121: Add audio support")
> > Reported-by: Nishanth Menon <nm@ti.com>
> > Closes: https://lore.kernel.org/all/20230825105849.crhon42qndxqif4i@gondola/
> > Signed-off-by: Jai Luthra <j-luthra@ti.com>
> 
> Reviewed-by: Helen Koike <helen.koike@collabora.com>


Occurs on today's master: v6.5-8894-gb97d64c72259
https://gist.github.com/nmenon/6c7166171729342ee0be7de90b65c5c6#file-v6-5-8894-gb97d64c72259-L821

My only complaint with the patch is - yes, it does'nt crash, but I see
this spam on my console:
https://gist.github.com/nmenon/6c7166171729342ee0be7de90b65c5c6#file-with-patch-on-top-L236


> 
> > ---
> >  drivers/gpu/drm/bridge/ite-it66121.c | 5 +++++
> >  1 file changed, 5 insertions(+)
> > 
> > diff --git a/drivers/gpu/drm/bridge/ite-it66121.c b/drivers/gpu/drm/bridge/ite-it66121.c
> > index 466641c77fe9..d6fa00dea464 100644
> > --- a/drivers/gpu/drm/bridge/ite-it66121.c
> > +++ b/drivers/gpu/drm/bridge/ite-it66121.c
> > @@ -1446,6 +1446,11 @@ static int it66121_audio_get_eld(struct device *dev, void *data,
> >  {
> >  	struct it66121_ctx *ctx = dev_get_drvdata(dev);
> >  
> > +	if (!ctx->connector) {
> > +		dev_dbg(dev, "No connector present, cannot provide EDID data");
> > +		return -EINVAL;
> > +	}
> > +
> >  	mutex_lock(&ctx->lock);
> >  
> >  	memcpy(buf, ctx->connector->eld,
> > 
> > ---
> > base-commit: 6269320850097903b30be8f07a5c61d9f7592393
> > change-id: 20230825-it66121_edid-6ee98517808b
> > 
> > Best regards,
> > -- 
> > Jai Luthra <j-luthra@ti.com>
> >
>

Jai Luthra Sept. 1, 2023, 8:58 a.m. UTC | #4

Hi Aradhya,

Thanks for the comments.

On Aug 28, 2023 at 16:34:30 +0530, Aradhya Bhatia wrote:
> Hi Jai,
> 
> Thanks for debugging the issue.
> 
> On 25-Aug-23 16:32, Jai Luthra wrote:
> > Fix the NULL pointer dereference when no monitor is connected, and the
> > sound card is opened from userspace.
> > 
> > Instead return an error as EDID information cannot be provided to
> > the sound framework if there is no connector attached.
> > 
> > Fixes: e0fd83dbe924 ("drm: bridge: it66121: Add audio support")
> > Reported-by: Nishanth Menon <nm@ti.com>
> > Closes: https://lore.kernel.org/all/20230825105849.crhon42qndxqif4i@gondola/
> > Signed-off-by: Jai Luthra <j-luthra@ti.com>
> > ---
> >  drivers/gpu/drm/bridge/ite-it66121.c | 5 +++++
> >  1 file changed, 5 insertions(+)
> > 
> > diff --git a/drivers/gpu/drm/bridge/ite-it66121.c b/drivers/gpu/drm/bridge/ite-it66121.c
> > index 466641c77fe9..d6fa00dea464 100644
> > --- a/drivers/gpu/drm/bridge/ite-it66121.c
> > +++ b/drivers/gpu/drm/bridge/ite-it66121.c
> > @@ -1446,6 +1446,11 @@ static int it66121_audio_get_eld(struct device *dev, void *data,
> >  {
> >  	struct it66121_ctx *ctx = dev_get_drvdata(dev);
> >  
> > +	if (!ctx->connector) {
> > +		dev_dbg(dev, "No connector present, cannot provide EDID data");
> > +		return -EINVAL;
> > +	}
> > +
> 
> There are not many HDMI bridges that support codecs in the kernel, but
> upon a quick look, bridge/analogix/anx7625.c and
> bridge/synopsys/dw-hdmi* gracefully return a buffer of 0s when the
> connector is unavailable.

Interesting, that sounds cleaner to me.

> 
> I am not sure why that is done, but I also don't see the hdmi-codec
> driver handle the 0s situation properly. It is business as usual for the
> hdmi-codec.

Chasing this down through the hdmi-codec driver and sound framework, it 
will use sane defaults for supported channels and sample rates if the 
actual EDID struct we are passing is all 0s. I tested it out on the 
beagle play board and did not see any crashes.

> 
> Did you come across some observation when you were testing?

Yes, with the current state of the patch, if I plug-in a monitor after 
the soundcard is probed I cannot playback audio, because we returned an 
error initially.

This issue goes away if we return a buffer of 0s like those other 
bridges. Overall I'm happy with this idea, so I will send a v2 fixing 
this.

> 
> Regards
> Aradhya
> 
> >  	mutex_lock(&ctx->lock);
> >  
> >  	memcpy(buf, ctx->connector->eld,
> > 
> > ---
> > base-commit: 6269320850097903b30be8f07a5c61d9f7592393
> > change-id: 20230825-it66121_edid-6ee98517808b
> > 
> > Best regards,
>

Jai Luthra Sept. 1, 2023, 9:06 a.m. UTC | #5

Hi Nishanth, Helen,

Thanks for the review.

On Aug 31, 2023 at 07:25:31 -0500, Nishanth Menon wrote:
> On 16:35-20230828, Helen Mae Koike Fornazier wrote:
> > On Friday, August 25, 2023 08:02 -03, Jai Luthra <j-luthra@ti.com> wrote:
> > 
> > > Fix the NULL pointer dereference when no monitor is connected, and the
> > > sound card is opened from userspace.
> > > 
> > > Instead return an error as EDID information cannot be provided to
> > > the sound framework if there is no connector attached.
> > > 
> > > Fixes: e0fd83dbe924 ("drm: bridge: it66121: Add audio support")
> > > Reported-by: Nishanth Menon <nm@ti.com>
> > > Closes: https://lore.kernel.org/all/20230825105849.crhon42qndxqif4i@gondola/
> > > Signed-off-by: Jai Luthra <j-luthra@ti.com>
> > 
> > Reviewed-by: Helen Koike <helen.koike@collabora.com>
> 
> 
> Occurs on today's master: v6.5-8894-gb97d64c72259
> https://gist.github.com/nmenon/6c7166171729342ee0be7de90b65c5c6#file-v6-5-8894-gb97d64c72259-L821
> 
> My only complaint with the patch is - yes, it does'nt crash, but I see
> this spam on my console:
> https://gist.github.com/nmenon/6c7166171729342ee0be7de90b65c5c6#file-with-patch-on-top-L236
> 

Aradhya suggested an alternative approach [1] used by some bridges, 
where we return a buffer of 0s instead of an error here.

That will fix the spam, but more importantly will also allow playback if 
the HDMI monitor is hot-plugged later (after probe). I will send a new 
revision of this patch that uses that approach.

[1] https://lore.kernel.org/dri-devel/d2deac24-d5ab-e1c4-81c5-4874c2f5ea07@ti.com/

> 
> > 
> > > ---
> > >  drivers/gpu/drm/bridge/ite-it66121.c | 5 +++++
> > >  1 file changed, 5 insertions(+)
> > > 
> > > diff --git a/drivers/gpu/drm/bridge/ite-it66121.c b/drivers/gpu/drm/bridge/ite-it66121.c
> > > index 466641c77fe9..d6fa00dea464 100644
> > > --- a/drivers/gpu/drm/bridge/ite-it66121.c
> > > +++ b/drivers/gpu/drm/bridge/ite-it66121.c
> > > @@ -1446,6 +1446,11 @@ static int it66121_audio_get_eld(struct device *dev, void *data,
> > >  {
> > >  	struct it66121_ctx *ctx = dev_get_drvdata(dev);
> > >  
> > > +	if (!ctx->connector) {
> > > +		dev_dbg(dev, "No connector present, cannot provide EDID data");
> > > +		return -EINVAL;
> > > +	}
> > > +
> > >  	mutex_lock(&ctx->lock);
> > >  
> > >  	memcpy(buf, ctx->connector->eld,
> > > 
> > > ---
> > > base-commit: 6269320850097903b30be8f07a5c61d9f7592393
> > > change-id: 20230825-it66121_edid-6ee98517808b
> > > 
> > > Best regards,
> > > -- 
> > > Jai Luthra <j-luthra@ti.com>
> > >
> > 
> 
> -- 
> Regards,
> Nishanth Menon
> Key (0xDDB5849D1736249D) / Fingerprint: F8A2 8693 54EB 8232 17A3  1A34 DDB5 849D 1736 249D

drm: bridge: it66121: Fix invalid connector dereference

Commit Message

Comments

Patch