[Why] Found kernel NULL pointer dereference under the below situation:
src — HDMI_Monitor src — HDMI_Monitor e.g.: \ => MSTB — MSTB (unplug) MSTB — MSTB
When display 1 HDMI and 2 DP daisy chain monitors, unplugging the dp cable connected to source causes kernel NULL pointer dereference at drm_dp_mst_atomic_check_bw_limit(). When calculating pbn_limit, if branch is null, accessing "&branch->ports" causes the problem.
[How] Judge branch is null or not at the beginning. If it is null, return 0.
Signed-off-by: Wayne Lin Wayne.Lin@amd.com Cc: stable@vger.kernel.org --- drivers/gpu/drm/drm_dp_mst_topology.c | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/drivers/gpu/drm/drm_dp_mst_topology.c b/drivers/gpu/drm/drm_dp_mst_topology.c index 7d2d31eaf003..a6473e3ab448 100644 --- a/drivers/gpu/drm/drm_dp_mst_topology.c +++ b/drivers/gpu/drm/drm_dp_mst_topology.c @@ -4707,6 +4707,9 @@ int drm_dp_mst_atomic_check_bw_limit(struct drm_dp_mst_branch *branch, struct drm_dp_vcpi_allocation *vcpi; int pbn_limit = 0, pbn_used = 0;
+ if (!branch) + return 0; + list_for_each_entry(port, &branch->ports, next) { if (port->mstb) if (drm_dp_mst_atomic_check_bw_limit(port->mstb, mst_state))
[AMD Official Use Only - Internal Distribution Only]
Thanks for the catch,
Reviewed-by: Mikita Lipski Mikita.Lipski@amd.com
From: Wayne Lin Wayne.Lin@amd.com
Sent: Wednesday, December 25, 2019 9:31 PM
To: dri-devel@lists.freedesktop.org dri-devel@lists.freedesktop.org; amd-gfx@lists.freedesktop.org amd-gfx@lists.freedesktop.org
Cc: lyude@redhat.com lyude@redhat.com; Kazlauskas, Nicholas Nicholas.Kazlauskas@amd.com; Wentland, Harry Harry.Wentland@amd.com; Lipski, Mikita Mikita.Lipski@amd.com; Zuo, Jerry Jerry.Zuo@amd.com; stable@vger.kernel.org stable@vger.kernel.org; Lin, Wayne Wayne.Lin@amd.com
Subject: [PATCH] drm/dp_mst: Avoid NULL pointer dereference
[Why]
Found kernel NULL pointer dereference under the below situation:
src — HDMI_Monitor src — HDMI_Monitor
e.g.: \ =>
MSTB — MSTB (unplug) MSTB — MSTB
When display 1 HDMI and 2 DP daisy chain monitors, unplugging the dp
cable connected to source causes kernel NULL pointer dereference at
drm_dp_mst_atomic_check_bw_limit(). When calculating pbn_limit, if
branch is null, accessing "&branch->ports" causes the problem.
[How]
Judge branch is null or not at the beginning. If it is null, return 0.
Signed-off-by: Wayne Lin Wayne.Lin@amd.com
Cc: stable@vger.kernel.org
---
drivers/gpu/drm/drm_dp_mst_topology.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/gpu/drm/drm_dp_mst_topology.c b/drivers/gpu/drm/drm_dp_mst_topology.c
index 7d2d31eaf003..a6473e3ab448 100644
--- a/drivers/gpu/drm/drm_dp_mst_topology.c
+++ b/drivers/gpu/drm/drm_dp_mst_topology.c
@@ -4707,6 +4707,9 @@ int drm_dp_mst_atomic_check_bw_limit(struct drm_dp_mst_branch *branch,
struct drm_dp_vcpi_allocation *vcpi;
int pbn_limit = 0, pbn_used = 0;
+ if (!branch)
+ return 0;
+
list_for_each_entry(port, &branch->ports, next) {
if (port->mstb)
if (drm_dp_mst_atomic_check_bw_limit(port->mstb, mst_state))
--
2.17.1
Back from the holidays!
Reviewed-by: Lyude Paul lyude@redhat.com
Do you need me to push this to drm-misc?
On Thu, 2019-12-26 at 10:31 +0800, Wayne Lin wrote:
[Why] Found kernel NULL pointer dereference under the below situation:
src — HDMI_Monitor src — HDMI_Monitor e.g.: \ => MSTB — MSTB (unplug) MSTB — MSTB
When display 1 HDMI and 2 DP daisy chain monitors, unplugging the dp cable connected to source causes kernel NULL pointer dereference at drm_dp_mst_atomic_check_bw_limit(). When calculating pbn_limit, if branch is null, accessing "&branch->ports" causes the problem.
[How] Judge branch is null or not at the beginning. If it is null, return 0.
Signed-off-by: Wayne Lin Wayne.Lin@amd.com Cc: stable@vger.kernel.org
drivers/gpu/drm/drm_dp_mst_topology.c | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/drivers/gpu/drm/drm_dp_mst_topology.c b/drivers/gpu/drm/drm_dp_mst_topology.c index 7d2d31eaf003..a6473e3ab448 100644 --- a/drivers/gpu/drm/drm_dp_mst_topology.c +++ b/drivers/gpu/drm/drm_dp_mst_topology.c @@ -4707,6 +4707,9 @@ int drm_dp_mst_atomic_check_bw_limit(struct drm_dp_mst_branch *branch, struct drm_dp_vcpi_allocation *vcpi; int pbn_limit = 0, pbn_used = 0;
- if (!branch)
return 0;- list_for_each_entry(port, &branch->ports, next) { if (port->mstb) if (drm_dp_mst_atomic_check_bw_limit(port->mstb,
mst_state))
[AMD Public Use]
-----原始郵件----- 寄件者: Lyude Paul lyude@redhat.com 寄件日期: Saturday, January 4, 2020 4:35 AM 收件者: Lin, Wayne Wayne.Lin@amd.com; dri- devel@lists.freedesktop.org; amd-gfx@lists.freedesktop.org 副本: Kazlauskas, Nicholas Nicholas.Kazlauskas@amd.com; Wentland, Harry Harry.Wentland@amd.com; Lipski, Mikita Mikita.Lipski@amd.com; Zuo, Jerry Jerry.Zuo@amd.com; stable@vger.kernel.org 主旨: Re: [PATCH] drm/dp_mst: Avoid NULL pointer dereference
Back from the holidays!
Reviewed-by: Lyude Paul lyude@redhat.com
Do you need me to push this to drm-misc?
Thanks for your time! And yes, please help to push this to drm-misc.
On Thu, 2019-12-26 at 10:31 +0800, Wayne Lin wrote:
[Why] Found kernel NULL pointer dereference under the below situation:
src — HDMI_Monitor src — HDMI_Monitor e.g.: \ => MSTB — MSTB (unplug) MSTB — MSTB
When display 1 HDMI and 2 DP daisy chain monitors, unplugging the dp cable connected to source causes kernel NULL pointer dereference at drm_dp_mst_atomic_check_bw_limit(). When calculating pbn_limit, if branch is null, accessing "&branch->ports" causes the problem.
[How] Judge branch is null or not at the beginning. If it is null, return 0.
Signed-off-by: Wayne Lin Wayne.Lin@amd.com Cc: stable@vger.kernel.org
drivers/gpu/drm/drm_dp_mst_topology.c | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/drivers/gpu/drm/drm_dp_mst_topology.c b/drivers/gpu/drm/drm_dp_mst_topology.c index 7d2d31eaf003..a6473e3ab448 100644 --- a/drivers/gpu/drm/drm_dp_mst_topology.c +++ b/drivers/gpu/drm/drm_dp_mst_topology.c @@ -4707,6 +4707,9 @@ int drm_dp_mst_atomic_check_bw_limit(struct drm_dp_mst_branch *branch, struct drm_dp_vcpi_allocation *vcpi; int pbn_limit = 0, pbn_used = 0;
- if (!branch)
return 0;- list_for_each_entry(port, &branch->ports, next) { if (port->mstb) if (drm_dp_mst_atomic_check_bw_limit(port->mstb,
mst_state))
-- Cheers, Lyude Paul
-- Best regards, Wayne Lin
linux-stable-mirror@lists.linaro.org
-
Lin, Wayne -
Lipski, Mikita -
Lyude Paul -
Wayne Lin