From patchwork Sun Feb  2 13:43:38 2020
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: Chris Wilson <chris@chris-wilson.co.uk>
X-Patchwork-Id: 11361615
Return-Path: <SRS0=842R=3W=lists.freedesktop.org=intel-gfx-bounces@kernel.org>
Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org
 [172.30.200.123])
	by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 53936921
	for <patchwork-intel-gfx@patchwork.kernel.org>;
 Sun,  2 Feb 2020 13:44:12 +0000 (UTC)
Received: from gabe.freedesktop.org (gabe.freedesktop.org [131.252.210.177])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by mail.kernel.org (Postfix) with ESMTPS id 3BB7420658
	for <patchwork-intel-gfx@patchwork.kernel.org>;
 Sun,  2 Feb 2020 13:44:12 +0000 (UTC)
DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 3BB7420658
Authentication-Results: mail.kernel.org;
 dmarc=none (p=none dis=none) header.from=chris-wilson.co.uk
Authentication-Results: mail.kernel.org;
 spf=none smtp.mailfrom=intel-gfx-bounces@lists.freedesktop.org
Received: from gabe.freedesktop.org (localhost [127.0.0.1])
	by gabe.freedesktop.org (Postfix) with ESMTP id CF87A6EACB;
	Sun,  2 Feb 2020 13:44:09 +0000 (UTC)
X-Original-To: intel-gfx@lists.freedesktop.org
Delivered-To: intel-gfx@lists.freedesktop.org
Received: from fireflyinternet.com (unknown [77.68.26.236])
 by gabe.freedesktop.org (Postfix) with ESMTPS id 4E9886EACB
 for <intel-gfx@lists.freedesktop.org>; Sun,  2 Feb 2020 13:44:08 +0000 (UTC)
X-Default-Received-SPF: pass (skip=forwardok (res=PASS))
 x-ip-name=78.156.65.138;
Received: from haswell.alporthouse.com (unverified [78.156.65.138])
 by fireflyinternet.com (Firefly Internet (M1)) with ESMTP id 20090464-1500050
 for multiple; Sun, 02 Feb 2020 13:43:39 +0000
From: Chris Wilson <chris@chris-wilson.co.uk>
To: intel-gfx@lists.freedesktop.org
Date: Sun,  2 Feb 2020 13:43:38 +0000
Message-Id: <20200202134338.3796606-1-chris@chris-wilson.co.uk>
X-Mailer: git-send-email 2.25.0
MIME-Version: 1.0
Subject: [Intel-gfx] [PATCH] drm/i915/display: Fix NULL-crtc deref in
 calc_min_cdclk()
X-BeenThere: intel-gfx@lists.freedesktop.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Intel graphics driver community testing & development
 <intel-gfx.lists.freedesktop.org>
List-Unsubscribe: <https://lists.freedesktop.org/mailman/options/intel-gfx>,
 <mailto:intel-gfx-request@lists.freedesktop.org?subject=unsubscribe>
List-Archive: <https://lists.freedesktop.org/archives/intel-gfx>
List-Post: <mailto:intel-gfx@lists.freedesktop.org>
List-Help: <mailto:intel-gfx-request@lists.freedesktop.org?subject=help>
List-Subscribe: <https://lists.freedesktop.org/mailman/listinfo/intel-gfx>,
 <mailto:intel-gfx-request@lists.freedesktop.org?subject=subscribe>
Errors-To: intel-gfx-bounces@lists.freedesktop.org
Sender: "Intel-gfx" <intel-gfx-bounces@lists.freedesktop.org>

[   23.419442] BUG: KASAN: null-ptr-deref in intel_plane_calc_min_cdclk+0x82/0x440 [i915]
[   23.419527] Read of size 4 at addr 00000000000000f8 by task insmod/735
[   23.419578]
[   23.419644] CPU: 2 PID: 735 Comm: insmod Not tainted 5.5.0+ #114
[   23.419716] Hardware name: ��������������������������������� ���������������������������������/���������������������������������, BIOS RYBDWi35.86A.0246.2
[   23.419793] Call Trace:
[   23.419864]  dump_stack+0xef/0x16e
[   23.419927]  __kasan_report.cold+0x60/0x90
[   23.420157]  ? intel_plane_calc_min_cdclk+0x82/0x440 [i915]
[   23.420397]  intel_plane_calc_min_cdclk+0x82/0x440 [i915]
[   23.420630]  intel_atomic_check+0x455f/0x65a0 [i915]
[   23.420708]  ? mark_held_locks+0x90/0x90
[   23.420929]  ? intel_crtc_duplicate_state+0x2e/0x1b0 [i915]
[   23.421172]  ? intel_plane_duplicate_state+0x2d/0xc0 [i915]
[   23.421239]  ? __drm_dbg+0xa4/0x120
[   23.421303]  ? __kasan_kmalloc.constprop.0+0xc2/0xd0
[   23.421355]  ? __kmalloc_track_caller+0x23a/0x320
[   23.421602]  ? intel_calc_active_pipes+0x1c0/0x1c0 [i915]
[   23.421852]  sanitize_watermarks+0x220/0x510 [i915]
[   23.422092]  ? intel_atomic_check+0x65a0/0x65a0 [i915]
[   23.422164]  ? drm_modeset_unlock_all+0x88/0x130
[   23.422402]  intel_modeset_init+0x1b76/0x3c90 [i915]
[   23.422647]  ? intel_finish_reset+0x2d0/0x2d0 [i915]
[   23.422851]  ? intel_irq_install+0x12c/0x210 [i915]
[   23.423076]  i915_driver_probe+0x13e7/0x2930 [i915]

Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Cc: Ville Syrjälä <ville.syrjala@linux.intel.com>
Reviewed-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
---
 drivers/gpu/drm/i915/display/intel_atomic_plane.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/drivers/gpu/drm/i915/display/intel_atomic_plane.c b/drivers/gpu/drm/i915/display/intel_atomic_plane.c
index 91ab6e2ab1fd..83505bd8ad80 100644
--- a/drivers/gpu/drm/i915/display/intel_atomic_plane.c
+++ b/drivers/gpu/drm/i915/display/intel_atomic_plane.c
@@ -165,14 +165,15 @@ int intel_plane_calc_min_cdclk(struct intel_atomic_state *state,
 		intel_atomic_get_new_plane_state(state, plane);
 	struct intel_crtc *crtc = to_intel_crtc(plane_state->hw.crtc);
 	const struct intel_cdclk_state *cdclk_state;
-	struct intel_crtc_state *new_crtc_state =
-		intel_atomic_get_new_crtc_state(state, crtc);
-	const struct intel_crtc_state *old_crtc_state =
-		intel_atomic_get_old_crtc_state(state, crtc);
+	const struct intel_crtc_state *old_crtc_state;
+	struct intel_crtc_state *new_crtc_state;
 
-	if (!plane_state->uapi.visible || !plane->min_cdclk)
+	if (!crtc || !plane_state->uapi.visible || !plane->min_cdclk)
 		return 0;
 
+	old_crtc_state = intel_atomic_get_old_crtc_state(state, crtc);
+	new_crtc_state = intel_atomic_get_new_crtc_state(state, crtc);
+
 	new_crtc_state->min_cdclk[plane->id] =
 		plane->min_cdclk(new_crtc_state, plane_state);