[v2] drm: Check if primary mst is null

Message ID 20181108082057.29001-1-stanislav.lisovskiy@intel.com (mailing list archive)
State New, archived

Commit Message

Stanislav Lisovskiy Nov. 8, 2018, 8:20 a.m. UTC
Unfortunately drm_dp_get_mst_branch_device, which is called from both
drm_dp_mst_handle_down_rep and drm_dp_mst_handle_up_rep, seems to rely
on mgr->mst_primary not being NULL, which seems to be wrong as it can be
cleared with a simultaneous mode set, if probing fails, or in other cases.
The mgr->lock mutex doesn't protect against that as it might just get
assigned to NULL right before, not simultaneously.

There are currently bugs 107738 and 108616 which crash in
drm_dp_get_mst_branch_device, caused by this issue.

v2: Refactored the code, as it was nicely noticed.
    Fixed Bugzilla bug numbers (second was 108616, but not 108816)
    and added links.

Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=108616
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=107738
Signed-off-by: Stanislav Lisovskiy <stanislav.lisovskiy@intel.com>
---
 drivers/gpu/drm/drm_dp_mst_topology.c | 3 +++
 1 file changed, 3 insertions(+)

Comments

Stanislav Lisovskiy Nov. 8, 2018, 9:18 a.m. UTC | #1
On Thu, 2018-11-08 at 10:20 +0200, Stanislav Lisovskiy wrote:
> Unfortunately drm_dp_get_mst_branch_device, which is called from both
> drm_dp_mst_handle_down_rep and drm_dp_mst_handle_up_rep, seems to rely
> on mgr->mst_primary not being NULL, which seems to be wrong as it can be
> cleared with a simultaneous mode set, if probing fails, or in other
> cases.
> The mgr->lock mutex doesn't protect against that as it might just get
> assigned to NULL right before, not simultaneously.
> 
> There are currently bugs 107738 and 108616 which crash in
> drm_dp_get_mst_branch_device, caused by this issue.
> 
> v2: Refactored the code, as it was nicely noticed.
>     Fixed Bugzilla bug numbers (second was 108616, but not 108816)
>     and added links.
> 

Hi Lyude Paul,

Thank you for the quick review, just poking you
here as requested :)

> Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=108616
> Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=107738
> Signed-off-by: Stanislav Lisovskiy <stanislav.lisovskiy@intel.com>
> ---
>  drivers/gpu/drm/drm_dp_mst_topology.c | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/drivers/gpu/drm/drm_dp_mst_topology.c
> b/drivers/gpu/drm/drm_dp_mst_topology.c
> index 5ff1d79b86c4..0e0df398222d 100644
> --- a/drivers/gpu/drm/drm_dp_mst_topology.c
> +++ b/drivers/gpu/drm/drm_dp_mst_topology.c
> @@ -1275,6 +1275,9 @@ static struct drm_dp_mst_branch
> *drm_dp_get_mst_branch_device(struct drm_dp_mst_
>  	mutex_lock(&mgr->lock);
>  	mstb = mgr->mst_primary;
>  
> +	if (!mstb)
> +		goto out;
> +
>  	for (i = 0; i < lct - 1; i++) {
>  		int shift = (i % 2) ? 0 : 4;
>  		int port_num = (rad[i / 2] >> shift) & 0xf;
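
Review bot: The new `if (!mstb)` check right after `mstb = mgr->mst_primary;` carries no comment, so the reason mst_primary can legitimately be NULL at this point (cleared by a mode set or a failed probe, per the commit message) lives only in the changelog. A one-line comment above the check would keep that reasoning next to the code. Since the read and the check both happen after `mutex_lock(&mgr->lock);`, it is also worth saying in that comment that the pointer is sampled under the lock and that a NULL value means the topology is already gone, not that the walk raced with teardown.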

Patch

diff --git a/drivers/gpu/drm/drm_dp_mst_topology.c b/drivers/gpu/drm/drm_dp_mst_topology.c
index 5ff1d79b86c4..0e0df398222d 100644
--- a/drivers/gpu/drm/drm_dp_mst_topology.c
+++ b/drivers/gpu/drm/drm_dp_mst_topology.c
@@ -1275,6 +1275,9 @@  static struct drm_dp_mst_branch *drm_dp_get_mst_branch_device(struct drm_dp_mst_
 	mutex_lock(&mgr->lock);
 	mstb = mgr->mst_primary;
 
+	if (!mstb)
+		goto out;
+
 	for (i = 0; i < lct - 1; i++) {
 		int shift = (i % 2) ? 0 : 4;
 		int port_num = (rad[i / 2] >> shift) & 0xf;
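
Review bot: The early exit `goto out;` added after `mstb = mgr->mst_primary;` depends on a label that is outside the visible context, so the hunk alone does not show that the NULL path is safe. Please confirm that `out:` releases the `mgr->lock` taken at the top of this hunk and returns the NULL `mstb` without taking a reference on it. The function now has a NULL return for this case, so the two callers named in the commit message, drm_dp_mst_handle_down_rep and drm_dp_mst_handle_up_rep, should also be checked to make sure they test the result before dereferencing it; otherwise the crash only moves one frame up.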