From patchwork Wed Jun 14 21:16:52 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Logan Gunthorpe <logang@deltatee.com>
X-Patchwork-Id: 9787745
Return-Path: <dri-devel-bounces@lists.freedesktop.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	2DB8C602CB for <patchwork-dri-devel@patchwork.kernel.org>;
	Thu, 15 Jun 2017 00:58:49 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 23AEC284DC
	for <patchwork-dri-devel@patchwork.kernel.org>;
	Thu, 15 Jun 2017 00:58:49 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id 189EB284ED; Thu, 15 Jun 2017 00:58:49 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-4.2 required=2.0 tests=BAYES_00, RCVD_IN_DNSWL_MED
	autolearn=ham version=3.3.1
Received: from gabe.freedesktop.org (gabe.freedesktop.org [131.252.210.177])
	(using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256
	bits)) (No client certificate requested)
	by mail.wl.linuxfoundation.org (Postfix) with ESMTPS id 77565284DC
	for <patchwork-dri-devel@patchwork.kernel.org>;
	Thu, 15 Jun 2017 00:58:48 +0000 (UTC)
Received: from gabe.freedesktop.org (localhost [127.0.0.1])
	by gabe.freedesktop.org (Postfix) with ESMTP id 9AC176E66F;
	Thu, 15 Jun 2017 00:57:43 +0000 (UTC)
X-Original-To: dri-devel@lists.freedesktop.org
Delivered-To: dri-devel@lists.freedesktop.org
X-Greylist: delayed 1627 seconds by postgrey-1.35 at gabe;
	Wed, 14 Jun 2017 21:44:17 UTC
Received: from ale.deltatee.com (ale.deltatee.com [207.54.116.67])
	by gabe.freedesktop.org (Postfix) with ESMTPS id 6C04A6E61E
	for <dri-devel@lists.freedesktop.org>;
	Wed, 14 Jun 2017 21:44:17 +0000 (UTC)
Received: from cgy1-donard.priv.deltatee.com ([172.16.1.31])
	by ale.deltatee.com with esmtps
	(TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
	(Exim 4.84_2) (envelope-from <gunthorp@deltatee.com>)
	id 1dLFew-0002RX-D3; Wed, 14 Jun 2017 15:17:04 -0600
Received: from gunthorp by cgy1-donard.priv.deltatee.com with local (Exim
	4.84_2) (envelope-from <gunthorp@deltatee.com>)
	id 1dLFex-0000V5-2n; Wed, 14 Jun 2017 15:17:03 -0600
From: Logan Gunthorpe <logang@deltatee.com>
To: dri-devel@lists.freedesktop.org,
	linux-kernel@vger.kernel.org
Date: Wed, 14 Jun 2017 15:16:52 -0600
Message-Id: <20170614211652.1882-1-logang@deltatee.com>
X-Mailer: git-send-email 2.11.0
X-SA-Exim-Connect-IP: 172.16.1.31
X-SA-Exim-Rcpt-To: dri-devel@lists.freedesktop.org,
	linux-kernel@vger.kernel.org, helgaas@kernel.org, logang@deltatee.com,
	daniel.vetter@intel.com, jani.nikula@linux.intel.com,
	seanpaul@chromium.org, airlied@linux.ie
X-SA-Exim-Mail-From: gunthorp@deltatee.com
Subject: [PATCH] drm: Fix boot panic when register_chrdev fails
X-SA-Exim-Version: 4.2.1 (built Mon, 26 Dec 2011 16:24:06 +0000)
X-SA-Exim-Scanned: Yes (on ale.deltatee.com)
X-Mailman-Approved-At: Thu, 15 Jun 2017 00:57:20 +0000
Cc: Daniel Vetter <daniel.vetter@intel.com>,
	Bjorn Helgaas <helgaas@kernel.org>,
	Logan Gunthorpe <logang@deltatee.com>
X-BeenThere: dri-devel@lists.freedesktop.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: Direct Rendering Infrastructure - Development
	<dri-devel.lists.freedesktop.org>
List-Unsubscribe: <https://lists.freedesktop.org/mailman/options/dri-devel>,
	<mailto:dri-devel-request@lists.freedesktop.org?subject=unsubscribe>
List-Archive: <https://lists.freedesktop.org/archives/dri-devel>
List-Post: <mailto:dri-devel@lists.freedesktop.org>
List-Help: <mailto:dri-devel-request@lists.freedesktop.org?subject=help>
List-Subscribe: <https://lists.freedesktop.org/mailman/listinfo/dri-devel>,
	<mailto:dri-devel-request@lists.freedesktop.org?subject=subscribe>
MIME-Version: 1.0
Errors-To: dri-devel-bounces@lists.freedesktop.org
Sender: "dri-devel" <dri-devel-bounces@lists.freedesktop.org>
X-Virus-Scanned: ClamAV using ClamSMTP

This is a bug found by the 0day kernel test robot. When drm is
compiled into the kernel, and register_chrdev fails (due, in this, case
to overfilling the chardev dynamic major numbers), a kernel panic
occurs on boot:

  BUG: unable to handle kernel NULL pointer dereference at
      00000000000000a8
  IP: down_write+0x2a/0x53
  Call Trace:
   start_creating+0x67/0x12e
   debugfs_create_dir+0x12/0x189
   drm_debugfs_init+0x7c/0x1b7
   ? ___might_sleep+0x172/0x192
   ? __might_sleep+0x6b/0xef
   drm_minor_register+0x6b/0x141
   drm_dev_register+0xcd/0x315
   ? pci_enable_device_flags+0x117/0x177
   drm_get_pci_dev+0x106/0x27a
   cirrus_pci_probe+0xfb/0x125
   pci_device_probe+0x11d/0x185
   ...

This is because when register_chrdev fails, it removes drm_debugfs_root.
However, seeing drm is not a module, nothing prevents other code from
calling drm_minor_register after drm_core_init failed and thus using an
invalid drm_debugfs_root.

This commit fixes this issue by setting drm_debugfs_root to NULL after
removal and checking that it's not NULL before using it.

Signed-off-by: Logan Gunthorpe <logang@deltatee.com>
Cc: Daniel Vetter <daniel.vetter@intel.com>
Cc: Jani Nikula <jani.nikula@linux.intel.com>
Cc: Sean Paul <seanpaul@chromium.org>
Cc: David Airlie <airlied@linux.ie>
Link: https://lkml.org/lkml/2017/6/4/107
---
 drivers/gpu/drm/drm_drv.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/gpu/drm/drm_drv.c b/drivers/gpu/drm/drm_drv.c
index 37b8ad3e30d8..904420304b75 100644
--- a/drivers/gpu/drm/drm_drv.c
+++ b/drivers/gpu/drm/drm_drv.c
@@ -214,6 +214,9 @@ static int drm_minor_register(struct drm_device *dev, unsigned int type)
 
 	DRM_DEBUG("\n");
 
+	if (!drm_debugfs_root)
+		return -ENODEV;
+
 	minor = *drm_minor_get_slot(dev, type);
 	if (!minor)
 		return 0;
@@ -935,6 +938,7 @@ static void drm_core_exit(void)
 {
 	unregister_chrdev(DRM_MAJOR, "drm");
 	debugfs_remove(drm_debugfs_root);
+	drm_debugfs_root = NULL;
 	drm_sysfs_destroy();
 	idr_destroy(&drm_minors_idr);
 	drm_connector_ida_destroy();