From: Sean Paul
To: freedreno@lists.freedesktop.org, linux-arm-msm@vger.kernel.org
Cc: robdclark@gmail.com, hoegsberg@chromium.org, jsanka@codeaurora.org, abhinavk@codeaurora.org, Sean Paul, Daniel Mack
Subject: [PATCH] drm/msm: Fix NULL deref on bind/probe deferral
Date: Thu, 31 May 2018 14:48:58 -0400
Message-Id: <20180531184858.181917-1-seanpaul@chromium.org>

This patch avoids dereferencing msm_host->dev when it is NULL.

If we find ourselves tearing down dsi before calling
(mdp4|mdp5|dpu)_kms_init(), we'll end up in a state where the dev
pointer is NULL and trying to extract priv from it will fail.

This was introduced in a seemingly innocuous commit to ensure the
arguments to msm_gem_put_iova() are correct (even though that function
has been a stub for ~5 years). Correctness FTW! \o/

Fixes: b01884a286b0 drm/msm: use correct aspace pointer in msm_gem_put_iova()
Cc: Daniel Mack
Cc: Rob Clark
Signed-off-by: Sean Paul
Reviewed-by: Abhinav Kumar
--- drivers/gpu/drm/msm/dsi/dsi_host.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/drivers/gpu/drm/msm/dsi/dsi_host.c b/drivers/gpu/drm/msm/dsi/dsi_host.c index b916f464f4ec..2f1a2780658a 100644 --- a/drivers/gpu/drm/msm/dsi/dsi_host.c +++ b/drivers/gpu/drm/msm/dsi/dsi_host.c 
@@ -1066,8 +1066,18 @@ static int dsi_tx_buf_alloc(struct msm_dsi_host *msm_host, int size) static void dsi_tx_buf_free(struct msm_dsi_host *msm_host) { struct drm_device *dev = msm_host->dev; - struct msm_drm_private *priv = dev->dev_private; + struct msm_drm_private *priv; + + /* + * This is possible if we're tearing down before we've had a chance to + * fully initialize. A very real possibility if our probe is deferred, + * in which case we'll hit msm_dsi_host_destroy() without having run + * through the dsi_tx_buf_alloc(). + */ + if (!dev) + return; + priv = dev->dev_private; if (msm_host->tx_gem_obj) { msm_gem_put_iova(msm_host->tx_gem_obj, priv->kms->aspace); drm_gem_object_put_unlocked(msm_host->tx_gem_obj);
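
Review bot: the early "if (!dev) return;" in dsi_tx_buf_free() skips every cleanup step that follows it, so it is only safe if no tx buffer can exist while msm_host->dev is NULL. The new comment implies this (dsi_tx_buf_alloc() has not run), but it opens with "This is possible" without naming the condition; suggest rewording it to start "dev is NULL if we're tearing down before ..." and stating that nothing has been allocated in that case. Separately, the dereference chain priv->kms->aspace in the tx_gem_obj branch remains unchecked, and in the lines shown priv is used only inside that branch, so assigning "priv = dev->dev_private;" inside the "if (msm_host->tx_gem_obj)" block would keep the dereference next to its one use and make it clearer which pointers are assumed valid there.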