From: Josip Pavic Josip.Pavic@amd.com
[Why] Failing to allocate a transfer function during stream construction leads to a null pointer dereference
[How] Handle the failed allocation by failing the stream construction
Cc: stable@vger.kernel.org Signed-off-by: Josip Pavic Josip.Pavic@amd.com Reviewed-by: Aric Cyr Aric.Cyr@amd.com Acked-by: Rodrigo Siqueira Rodrigo.Siqueira@amd.com --- .../gpu/drm/amd/display/dc/core/dc_stream.c | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-)
diff --git a/drivers/gpu/drm/amd/display/dc/core/dc_stream.c b/drivers/gpu/drm/amd/display/dc/core/dc_stream.c
index 3b897372ed27..d6989d115c5c 100644
--- a/drivers/gpu/drm/amd/display/dc/core/dc_stream.c
+++ b/drivers/gpu/drm/amd/display/dc/core/dc_stream.c
@@ -56,7 +56,7 @@ void update_stream_signal(struct dc_stream_state *stream, struct dc_sink *sink)
 }
 }
-static void dc_stream_construct(struct dc_stream_state *stream,
+static bool dc_stream_construct(struct dc_stream_state *stream,
 struct dc_sink *dc_sink_data)
 {
 uint32_t i = 0;
@@ -118,11 +118,17 @@ static void dc_stream_construct(struct dc_stream_state *stream,
 update_stream_signal(stream, dc_sink_data);
 stream->out_transfer_func = dc_create_transfer_func();
+ if (stream->out_transfer_func == NULL) {
+ dc_sink_release(dc_sink_data);
+ return false;
+ }
 stream->out_transfer_func->type = TF_TYPE_BYPASS;
 stream->out_transfer_func->ctx = stream->ctx;
 stream->stream_id = stream->ctx->dc_stream_id_count;
 stream->ctx->dc_stream_id_count++;
+
+ return true;
 }
 static void dc_stream_destruct(struct dc_stream_state *stream)
@@ -164,13 +170,20 @@ struct dc_stream_state *dc_create_stream_for_sink(
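Review bot: The new failure branch in dc_stream_construct() leaves `stream` half-initialised without saying what the caller may still do with it. `dc_sink_release(dc_sink_data)` drops the sink reference, yet `stream->sink` presumably still points at that sink; the assignment and the matching retain sit above the hunk, so this is inferred. If dc_stream_destruct(), whose body is outside the hunk, also releases `stream->sink`, any caller that tears down a failed stream through it would drop the reference twice. I would state the contract at the branch, e.g. `/* undo the sink reference taken above; on false the caller must only kfree(stream), never dc_stream_destruct() it */`.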
 stream = kzalloc(sizeof(struct dc_stream_state), GFP_KERNEL);
 if (stream == NULL)
- return NULL;
+ goto alloc_fail;
- dc_stream_construct(stream, sink);
+ if (dc_stream_construct(stream, sink) == false)
+ goto construct_fail;
 kref_init(&stream->refcount);
 return stream;
+
+construct_fail:
+ kfree(stream);
+
+alloc_fail:
+ return NULL;
 }
 struct dc_stream_state *dc_copy_stream(const struct dc_stream_state *stream)
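Review bot: In dc_create_stream_for_sink() the `alloc_fail` label guards no cleanup, so `goto alloc_fail;` only hides a plain `return NULL;`. Kernel coding style asks for a direct return when there is nothing to undo. Likewise `if (dc_stream_construct(stream, sink) == false)` reads better as `if (!dc_stream_construct(stream, sink))`. Keeping just `construct_fail:` followed by `kfree(stream);` and `return NULL;` preserves the fix with one exit label. The function begins above the hunk.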
Hi
[This is an automated email]
This commit has been processed because it contains a -stable tag. The stable tag indicates that it's relevant for the following trees: all
The bot has tested the following trees: v5.7.8, v5.4.51, v4.19.132, v4.14.188, v4.9.230, v4.4.230.
v5.7.8: Build OK! v5.4.51: Failed to apply! Possible dependencies: d9e32672a1285 ("drm/amd/display: cleanup of construct and destruct funcs")
v4.19.132: Failed to apply! Possible dependencies: 0e3d73f1a440e ("drm/amd/display: Add Raven2 definitions in dc") 1e7e86c43f38d ("drm/amd/display: decouple front and backend pgm using dpms_off as backend enable flag") 21e471f0850de ("drm/amd/display: Set dispclk and dprefclock directly") 24f7dd7ea98dc ("drm/amd/display: move pplib/smu notification to dccg block") 4e60536d093f4 ("drm/amd/display: Set DFS bypass flags for dce110") 5a83c93249098 ("drm/amd/display: Add support for toggling DFS bypass") 76d981a9fe823 ("Revert "drm/amd/display: make clk_mgr call enable_pme_wa"") 7ed4e6352c16f ("drm/amd/display: Add DCN2 HW Sequencer and Resource") 84e7fc05a9270 ("drm/amd/display: rename dccg to clk_mgr") 8c3db1284a016 ("drm/amdgpu: fill in amdgpu_dm_remove_sink_from_freesync_module") 98e6436d3af5f ("drm/amd/display: Refactor FreeSync module") ad908423ef86f ("drm/amd/display: support 48 MHZ refclk off") d9673c920c035 ("drm/amd/display: Pass init_data into DCN resource creation") d9e32672a1285 ("drm/amd/display: cleanup of construct and destruct funcs")
v4.14.188: Failed to apply! Possible dependencies: 1b0c0f9dc5ca6 ("drm/amdgpu: move userptr BOs to CPU domain during CS v2") 1ed3d2567c800 ("drm/amdgpu: keep the MMU lock until the update ends v4") 3fe89771cb0a6 ("drm/amdgpu: stop reserving the BO in the MMU callback v3") 4562236b3bc0a ("drm/amd/dc: Add dc display driver (v2)") 60de1c1740f39 ("drm/amdgpu: use a rw_semaphore for MMU notifiers") 9a18999640fa6 ("drm/amdgpu: move MMU notifier related defines to amdgpu_mn.h") 9cca0b8e5df0a ("drm/amdgpu: move amdgpu_cs_sysvm_access_required into find_mapping") a216ab09955d6 ("drm/amdgpu: fix userptr put_page handling") b72cf4fca2bb7 ("drm/amdgpu: move taking mmap_sem into get_user_pages v2") ca666a3c298f8 ("drm/amdgpu: stop using BO status for user pages")
v4.9.230: Failed to apply! Possible dependencies: 1cec20f0ea0e3 ("dma-buf: Restart reservation_object_wait_timeout_rcu() after writes") 3fe89771cb0a6 ("drm/amdgpu: stop reserving the BO in the MMU callback v3") 4562236b3bc0a ("drm/amd/dc: Add dc display driver (v2)") 4df654d293c64 ("drm/amdgpu: move amdgpu_uvd structure to uvd header") 5e5681788befb ("drm/amdgpu: move amdgpu_vce structure to vce header") 660e855813f78 ("amdgpu: use drm sync objects for shared semaphores (v6)") 78010cd9736ec ("dma-buf/fence: add an lockdep_assert_held()") 95aa13f6b196d ("drm/amdgpu: move amdgpu_vcn structure to vcn header") 95d0906f85065 ("drm/amdgpu: add initial vcn support and decode tests") 9a18999640fa6 ("drm/amdgpu: move MMU notifier related defines to amdgpu_mn.h") b636922553ee2 ("drm/amdgpu: only move VM BOs in the LRU during validation v2") b72cf4fca2bb7 ("drm/amdgpu: move taking mmap_sem into get_user_pages v2") f54d1867005c3 ("dma-buf: Rename struct fence to dma_fence") fedf54132d241 ("dma-buf: Restart reservation_object_get_fences_rcu() after writes")
v4.4.230: Failed to apply! Possible dependencies: 1f7371b2a5faf ("drm/amd/powerplay: add basic powerplay framework") 288912cb95d15 ("drm/amdgpu: use $(src) in Makefile (v2)") 37cd0ca204a55 ("drm/amdgpu: unify AMDGPU_CTX_MAX_CS_PENDING and amdgpu_sched_jobs") 3c0eea6c35d93 ("drm/amdgpu: put VM page tables directly into duplicates list") 3f99dd814a6fd ("drm/amdgpu: save and restore UVD context with suspend and resume") 4325198180e5a ("drm/amdgpu: remove GART page addr array") 4562236b3bc0a ("drm/amd/dc: Add dc display driver (v2)") 4acabfe3793eb ("drm/amdgpu: fix num_ibs check") 4df654d293c64 ("drm/amdgpu: move amdgpu_uvd structure to uvd header") 50838c8cc413d ("drm/amdgpu: add proper job alloc/free functions") 56467ebfb2548 ("drm/amdgpu: split VM PD and PT handling during CS") 5e5681788befb ("drm/amdgpu: move amdgpu_vce structure to vce header") 7270f8391df1a ("drm/amdgpu: add amdgpu_set_ib_value helper (v2)") 95aa13f6b196d ("drm/amdgpu: move amdgpu_vcn structure to vcn header") 9a18999640fa6 ("drm/amdgpu: move MMU notifier related defines to amdgpu_mn.h") a1d29476d666f ("drm/amdgpu: optionally enable GART debugfs file") a8fe58cec351c ("drm/amd: add ACP driver support") c036554170fcc ("drm/amdgpu: handle more than 10 UVD sessions (v2)") c3cca41e6249e ("drm/amdgpu: cleanup amdgpu_cs_parser structure") cadf97b196a1e ("drm/amdgpu: clean up non-scheduler code path (v2)") cd75dc6887f1e ("drm/amdgpu: separate pushing CS to scheduler") d71518b5aa7c9 ("drm/amdgpu: cleanup in kernel job submission") d7af97dbccf01 ("drm/amdgpu: send UVD IB tests directly to the ring again") d8e0cae645504 ("drm/amdgpu: validate duplicates first") f69f90a113f28 ("drm/amdgpu: fix amdgpu_cs_get_threshold_for_moves handling") fdba11f4079ec ("drm/amdgpu: move all Kconfig options to amdgpu/Kconfig")
NOTE: The patch will not be queued to stable trees until it is upstream.
How should we proceed with this patch?
linux-stable-mirror@lists.linaro.org