| Message ID | 20170128170157.22956-1-marex@denx.de (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
2017-01-28 15:01 GMT-02:00 Marek Vasut <marex@denx.de>: > > The mxsfb driver will crash if the mxsfb DT node has a subnode, > but the content of the subnode is not of-graph binding with an > endpoint linking to panel. The crash was triggered by providing > old-style panel bindings to the mxsfb driver instead of the new > of-graph ones. > > The problem happens in mxsfb_create_output(), which is invoked > from mxsfb_load(). The mxsfb_create_output() iterates over all > mxsfb DT subnode endpoints and tries to bind a panel on each > endpoint. If there is any problem binding the panel, that is, > mxsfb->panel == NULL, this function will return an error code, > otherwise success 0 is returned. > > If the subnodes do not specify of-graph binding with an endpoint, > the iteration over endpoints in mxsfb_create_output() will have > zero cycles and the function will immediatelly return 0, but the > mxsfb->panel will remain NULL. This is propagated back into the > mxsfb_load(), which does not detect any problem and expects that > the mxsfb->panel is valid, thus calls mxsfb_panel_attach(). But > since mxsfb->panel == NULL, mxsfb_panel_attach() is called with > first argument NULL and this crashes the kernel. > > This patch fixes the problem by explicitly checking for valid > mxsfb->panel at the end of the iteration in mxsfb_create_output(). > > Signed-off-by: Marek Vasut <marex@denx.de> > Cc: Daniel Vetter <daniel.vetter@ffwll.ch> > Cc: Dave Airlie <airlied@redhat.com> > Cc: Stefan Agner <stefan@agner.ch> > Cc: Breno Matheus Lima <brenomatheus@gmail.com> Tested-by: Breno Lima <breno.lima@nxp.com>
On 01/31/2017 03:55 PM, Breno Matheus Lima wrote: > 2017-01-28 15:01 GMT-02:00 Marek Vasut <marex@denx.de>: >> >> The mxsfb driver will crash if the mxsfb DT node has a subnode, >> but the content of the subnode is not of-graph binding with an >> endpoint linking to panel. The crash was triggered by providing >> old-style panel bindings to the mxsfb driver instead of the new >> of-graph ones. >> >> The problem happens in mxsfb_create_output(), which is invoked >> from mxsfb_load(). The mxsfb_create_output() iterates over all >> mxsfb DT subnode endpoints and tries to bind a panel on each >> endpoint. If there is any problem binding the panel, that is, >> mxsfb->panel == NULL, this function will return an error code, >> otherwise success 0 is returned. >> >> If the subnodes do not specify of-graph binding with an endpoint, >> the iteration over endpoints in mxsfb_create_output() will have >> zero cycles and the function will immediatelly return 0, but the >> mxsfb->panel will remain NULL. This is propagated back into the >> mxsfb_load(), which does not detect any problem and expects that >> the mxsfb->panel is valid, thus calls mxsfb_panel_attach(). But >> since mxsfb->panel == NULL, mxsfb_panel_attach() is called with >> first argument NULL and this crashes the kernel. >> >> This patch fixes the problem by explicitly checking for valid >> mxsfb->panel at the end of the iteration in mxsfb_create_output(). >> >> Signed-off-by: Marek Vasut <marex@denx.de> >> Cc: Daniel Vetter <daniel.vetter@ffwll.ch> >> Cc: Dave Airlie <airlied@redhat.com> >> Cc: Stefan Agner <stefan@agner.ch> >> Cc: Breno Matheus Lima <brenomatheus@gmail.com> > > Tested-by: Breno Lima <breno.lima@nxp.com> > Thanks, it'd be great if we could get this into 4.11 still.
diff --git a/drivers/gpu/drm/mxsfb/mxsfb_out.c b/drivers/gpu/drm/mxsfb/mxsfb_out.c index fa8d17399407..b8e81422d4e2 100644 --- a/drivers/gpu/drm/mxsfb/mxsfb_out.c +++ b/drivers/gpu/drm/mxsfb/mxsfb_out.c @@ -112,6 +112,7 @@ static int mxsfb_attach_endpoint(struct drm_device *drm, int mxsfb_create_output(struct drm_device *drm) { + struct mxsfb_drm_private *mxsfb = drm->dev_private; struct device_node *ep_np = NULL; struct of_endpoint ep; int ret; @@ -127,5 +128,8 @@ int mxsfb_create_output(struct drm_device *drm) } } + if (!mxsfb->panel) + return -EPROBE_DEFER; + return 0; }
The mxsfb driver will crash if the mxsfb DT node has a subnode, but the content of the subnode is not of-graph binding with an endpoint linking to panel. The crash was triggered by providing old-style panel bindings to the mxsfb driver instead of the new of-graph ones. The problem happens in mxsfb_create_output(), which is invoked from mxsfb_load(). The mxsfb_create_output() iterates over all mxsfb DT subnode endpoints and tries to bind a panel on each endpoint. If there is any problem binding the panel, that is, mxsfb->panel == NULL, this function will return an error code, otherwise success 0 is returned. If the subnodes do not specify of-graph binding with an endpoint, the iteration over endpoints in mxsfb_create_output() will have zero cycles and the function will immediatelly return 0, but the mxsfb->panel will remain NULL. This is propagated back into the mxsfb_load(), which does not detect any problem and expects that the mxsfb->panel is valid, thus calls mxsfb_panel_attach(). But since mxsfb->panel == NULL, mxsfb_panel_attach() is called with first argument NULL and this crashes the kernel. This patch fixes the problem by explicitly checking for valid mxsfb->panel at the end of the iteration in mxsfb_create_output(). Signed-off-by: Marek Vasut <marex@denx.de> Cc: Daniel Vetter <daniel.vetter@ffwll.ch> Cc: Dave Airlie <airlied@redhat.com> Cc: Stefan Agner <stefan@agner.ch> Cc: Breno Matheus Lima <brenomatheus@gmail.com> --- drivers/gpu/drm/mxsfb/mxsfb_out.c | 4 ++++ 1 file changed, 4 insertions(+)