From patchwork Tue Sep 26 07:59:45 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Sergey Senozhatsky <sergey.senozhatsky.work@gmail.com>
X-Patchwork-Id: 9971439
Return-Path: <dri-devel-bounces@lists.freedesktop.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	56D2360365 for <patchwork-dri-devel@patchwork.kernel.org>;
	Tue, 26 Sep 2017 08:11:27 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 46DC928963
	for <patchwork-dri-devel@patchwork.kernel.org>;
	Tue, 26 Sep 2017 08:11:27 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id 3BB0F288F3; Tue, 26 Sep 2017 08:11:27 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-4.1 required=2.0 tests=BAYES_00,
	DKIM_ADSP_CUSTOM_MED,
	DKIM_SIGNED, FREEMAIL_FROM, RCVD_IN_DNSWL_MED,
	T_DKIM_INVALID autolearn=ham version=3.3.1
Received: from gabe.freedesktop.org (gabe.freedesktop.org [131.252.210.177])
	(using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256
	bits)) (No client certificate requested)
	by mail.wl.linuxfoundation.org (Postfix) with ESMTPS id B1EAF2890A
	for <patchwork-dri-devel@patchwork.kernel.org>;
	Tue, 26 Sep 2017 08:11:26 +0000 (UTC)
Received: from gabe.freedesktop.org (localhost [127.0.0.1])
	by gabe.freedesktop.org (Postfix) with ESMTP id 5481C6E444;
	Tue, 26 Sep 2017 08:10:23 +0000 (UTC)
X-Original-To: dri-devel@lists.freedesktop.org
Delivered-To: dri-devel@lists.freedesktop.org
Received: from mail-pg0-x22d.google.com (mail-pg0-x22d.google.com
	[IPv6:2607:f8b0:400e:c05::22d])
	by gabe.freedesktop.org (Postfix) with ESMTPS id 00E4089291
	for <dri-devel@lists.freedesktop.org>;
	Tue, 26 Sep 2017 07:59:51 +0000 (UTC)
Received: by mail-pg0-x22d.google.com with SMTP id i195so5512725pgd.9
	for <dri-devel@lists.freedesktop.org>;
	Tue, 26 Sep 2017 00:59:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
	h=date:from:to:cc:subject:message-id:mime-version:content-disposition
	:user-agent; bh=Be6GCKfmL1g0kVqYCBezBwp/m8PKvrtknRSPanIAZBw=;
	b=MlUanI+sfuOs0LlUre/uvX8sohR4bdfhsznArSWzKj7JUfoBz29cj1jDeJ/EEsXqsz
	Vt6OpcYiFfEsOKx4aHW8HLyXpZigARdMWAMpSZ+v5FFWOwHNuGhpvzHC/YuRlxUsKe3Q
	MzZ4ACmHqRrSQJPbjseb9lEB1d3dAMFdl9/byFupFLeiKXHNzBCyoSpgDh+2SDJT4ZPQ
	Mr/I2Rmd1eKjoFvdSpEMa6MtYCpEFI4IBmqjKQIpLGLXXiPWKJyKhTzt2v+BjGW9iaGz
	aU2+KXu+pI7sLEcmTGF8LY74I2SiLkA/WNCfNTbFBpKicrzABf35DROHHY/wCOOBW2CH
	qoKA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:date:from:to:cc:subject:message-id:mime-version
	:content-disposition:user-agent;
	bh=Be6GCKfmL1g0kVqYCBezBwp/m8PKvrtknRSPanIAZBw=;
	b=HuZxiGcJzANMDKjql2PMKvYjBC+PCBG4eXGZZ2fSEG+z+k0LijCkyXYnGC/IRqu0/e
	N0U+CHh2gvV0MS2RbmVqiBHPWHJxlA41NsoVUyzrNQiCthakxpg03ANoTIzBeAuAYmC8
	pCb5h/HQmlkrBhvwiFFHrQ0XQKJVPWoZmtdi5PKSlbZ23l4/S3WDLoDxsRdN0lt7dVeG
	+1xVYWrmR1DYcbDMvzph5i4tNdRozcE0uXwMO9UxldsJfWpgUfhK/P+CZkr2BmbPJBkT
	z0traES7vumwx2dsdejrZK2LIzerrAiP74oxIkzYVIQ1chGD51u/4KPw9lrb+uo17RjO
	InGQ==
X-Gm-Message-State: AHPjjUgDuwmfifd2yEwOUmnPQBlk0ZKWKsCJMRpCGDtfKQXuHIiHMgrA
	vBh9iXZf6IPTKbCANSm65Fk=
X-Google-Smtp-Source: 
 AOwi7QB0Lgv9dmVg9r6yWOngpc9FLGxxAzPw35xDyUW1baIjJ08BtLQ7DcDizqqj6B+Ao1vaKlKuhg==
X-Received: by 10.159.198.2 with SMTP id f2mr9822937plo.288.1506412790875;
	Tue, 26 Sep 2017 00:59:50 -0700 (PDT)
Received: from localhost ([175.223.27.114]) by smtp.gmail.com with ESMTPSA id
	j83sm14354328pfe.133.2017.09.26.00.59.48
	(version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256);
	Tue, 26 Sep 2017 00:59:49 -0700 (PDT)
Date: Tue, 26 Sep 2017 16:59:45 +0900
From: Sergey Senozhatsky <sergey.senozhatsky.work@gmail.com>
To: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
Subject: [next] drm/atomic: NULL pointer dereference
Message-ID: <20170926075945.GA364@jagdpanzerIV.localdomain>
MIME-Version: 1.0
Content-Disposition: inline
User-Agent: Mutt/1.9.1 (2017-09-22)
X-Mailman-Approved-At: Tue, 26 Sep 2017 08:10:09 +0000
Cc: Sergey Senozhatsky <sergey.senozhatsky.work@gmail.com>,
	Daniel Vetter <daniel.vetter@ffwll.ch>, linux-kernel@vger.kernel.org,
	dri-devel@lists.freedesktop.org,
	Gustavo Padovan <gustavo.padovan@collabora.com>
X-BeenThere: dri-devel@lists.freedesktop.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: Direct Rendering Infrastructure - Development
	<dri-devel.lists.freedesktop.org>
List-Unsubscribe: <https://lists.freedesktop.org/mailman/options/dri-devel>,
	<mailto:dri-devel-request@lists.freedesktop.org?subject=unsubscribe>
List-Archive: <https://lists.freedesktop.org/archives/dri-devel>
List-Post: <mailto:dri-devel@lists.freedesktop.org>
List-Help: <mailto:dri-devel-request@lists.freedesktop.org?subject=help>
List-Subscribe: <https://lists.freedesktop.org/mailman/listinfo/dri-devel>,
	<mailto:dri-devel-request@lists.freedesktop.org?subject=subscribe>
Errors-To: dri-devel-bounces@lists.freedesktop.org
Sender: "dri-devel" <dri-devel-bounces@lists.freedesktop.org>
X-Virus-Scanned: ClamAV using ClamSMTP

Hello,

after commit 669c9215afea4e ("drm/atomic: Make async plane update
checks work as intended") drm_atomic_helper_async_check() can NULL
deference the `new_plane_state' pointer and crashe the kernel at
'new_plane_state->crtc':

BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
IP: drm_atomic_helper_async_check+0x70/0xcb
PGD 0 P4D 0
Oops: 0000 [#1] PREEMPT SMP
[..]
task: ffff880131ac2280 task.stack: ffffc90000464000
RIP: 0010:drm_atomic_helper_async_check+0x70/0xcb
RSP: 0018:ffffc90000467a48 EFLAGS: 00010246
RAX: ffff880131917b60 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000004 RSI: ffff880131753480 RDI: 0000000000000000
RBP: 0000000000000000 R08: 0000000000000004 R09: 0000000000010000
R10: ffff880130d3255c R11: ffff880130e56e18 R12: ffff880131670000
R13: 0000000000000000 R14: ffff880131670000 R15: 0000000000000004
FS:  00007fc218f6e940(0000) GS:ffff880137d80000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000008 CR3: 0000000132aca000 CR4: 00000000000006e0
Call Trace:
 drm_atomic_helper_check+0x3c/0x5a
 nv50_disp_atomic_check+0x15/0x10b
 drm_atomic_check_only+0x2c0/0x42a
 drm_atomic_commit+0x13/0x4d
 drm_atomic_helper_update_plane+0xc9/0xe6
 __setplane_internal+0x1c8/0x229
 ? drm_internal_framebuffer_create+0x314/0x35a
 drm_mode_cursor_universal+0x130/0x15f
 drm_mode_cursor_common+0xcc/0x184
 ? drm_mode_setplane+0x183/0x183
 drm_mode_cursor_ioctl+0x2f/0x34
 drm_ioctl_kernel+0x61/0x9a
 drm_ioctl+0x1d6/0x2a8
 ? drm_mode_setplane+0x183/0x183
 ? _raw_spin_unlock+0x12/0x23
 ? do_wp_page+0x159/0x22e
 ? _raw_spin_unlock_irqrestore+0x14/0x25
 nouveau_drm_ioctl+0x71/0xa4
 vfs_ioctl+0x1b/0x28
 do_vfs_ioctl+0x5a9/0x5bc
 ? handle_mm_fault+0x98/0x9e
 ? __fget+0x5d/0x67
 SyS_ioctl+0x3e/0x5a
 entry_SYSCALL_64_fastpath+0x13/0x94


the below patch fixes the issues for me.
---
 drivers/gpu/drm/drm_atomic_helper.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/drm_atomic_helper.c b/drivers/gpu/drm/drm_atomic_helper.c
index 01c34bc5b5b0..922f4d3b17aa 100644
--- a/drivers/gpu/drm/drm_atomic_helper.c
+++ b/drivers/gpu/drm/drm_atomic_helper.c
@@ -1405,7 +1405,7 @@ int drm_atomic_helper_async_check(struct drm_device *dev,
 	if (n_planes != 1)
 		return -EINVAL;
 
-	if (!new_plane_state->crtc)
+	if (!new_plane_state || !new_plane_state->crtc)
 		return -EINVAL;
 
 	funcs = plane->helper_private;