| Message ID | 20181109090012.24438-1-stanislav.lisovskiy@intel.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | [v2] drm: Check if primary mst is null | expand |
Pushed with small changes to drm-misc-fixes: Renamed patch and added stable Cc Thanks! On Fri, 2018-11-09 at 11:00 +0200, Stanislav Lisovskiy wrote: > Unfortunately drm_dp_get_mst_branch_device which is called from both > drm_dp_mst_handle_down_rep and drm_dp_mst_handle_up_rep seem to rely > on that mgr->mst_primary is not NULL, which seem to be wrong as it can be > cleared with simultaneous mode set, if probing fails or in other case. > mgr->lock mutex doesn't protect against that as it might just get > assigned to NULL right before, not simultaneously. > > There are currently bugs 107738, 108616 bugs which crash in > drm_dp_get_mst_branch_device, caused by this issue. > > v2: Refactored the code, as it was nicely noticed. > Fixed Bugzilla bug numbers(second was 108616, but not 108816) > and added links. > > Reviewed-by: Lyude Paul <lyude@redhat.com> > Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=108616 > Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=107738 > Signed-off-by: Stanislav Lisovskiy <stanislav.lisovskiy@intel.com> > --- > drivers/gpu/drm/drm_dp_mst_topology.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/drivers/gpu/drm/drm_dp_mst_topology.c > b/drivers/gpu/drm/drm_dp_mst_topology.c > index 5ff1d79b86c4..0e0df398222d 100644 > --- a/drivers/gpu/drm/drm_dp_mst_topology.c > +++ b/drivers/gpu/drm/drm_dp_mst_topology.c > @@ -1275,6 +1275,9 @@ static struct drm_dp_mst_branch > *drm_dp_get_mst_branch_device(struct drm_dp_mst_ > mutex_lock(&mgr->lock); > mstb = mgr->mst_primary; > > + if (!mstb) > + goto out; > + > for (i = 0; i < lct - 1; i++) { > int shift = (i % 2) ? 0 : 4; > int port_num = (rad[i / 2] >> shift) & 0xf;
diff --git a/drivers/gpu/drm/drm_dp_mst_topology.c b/drivers/gpu/drm/drm_dp_mst_topology.c index 5ff1d79b86c4..0e0df398222d 100644 --- a/drivers/gpu/drm/drm_dp_mst_topology.c +++ b/drivers/gpu/drm/drm_dp_mst_topology.c @@ -1275,6 +1275,9 @@ static struct drm_dp_mst_branch *drm_dp_get_mst_branch_device(struct drm_dp_mst_ mutex_lock(&mgr->lock); mstb = mgr->mst_primary; + if (!mstb) + goto out; + for (i = 0; i < lct - 1; i++) { int shift = (i % 2) ? 0 : 4; int port_num = (rad[i / 2] >> shift) & 0xf;
Unfortunately drm_dp_get_mst_branch_device which is called from both drm_dp_mst_handle_down_rep and drm_dp_mst_handle_up_rep seem to rely on that mgr->mst_primary is not NULL, which seem to be wrong as it can be cleared with simultaneous mode set, if probing fails or in other case. mgr->lock mutex doesn't protect against that as it might just get assigned to NULL right before, not simultaneously. There are currently bugs 107738, 108616 bugs which crash in drm_dp_get_mst_branch_device, caused by this issue. v2: Refactored the code, as it was nicely noticed. Fixed Bugzilla bug numbers(second was 108616, but not 108816) and added links. Reviewed-by: Lyude Paul <lyude@redhat.com> Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=108616 Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=107738 Signed-off-by: Stanislav Lisovskiy <stanislav.lisovskiy@intel.com> --- drivers/gpu/drm/drm_dp_mst_topology.c | 3 +++ 1 file changed, 3 insertions(+)