drm/dp_mst: Avoid NULL pointer dereference

Message ID 20191226023151.5448-1-Wayne.Lin@amd.com (mailing list archive)
State New, archived

Commit Message

Lin, Wayne Dec. 26, 2019, 2:31 a.m. UTC
[Why]
Found kernel NULL pointer dereference under the below situation:

	src — HDMI_Monitor   src — HDMI_Monitor
e.g.:	    \            =>
	     MSTB — MSTB     (unplug) MSTB — MSTB

When display 1 HDMI and 2 DP daisy chain monitors, unplugging the dp
cable connected to source causes kernel NULL pointer dereference at
drm_dp_mst_atomic_check_bw_limit(). When calculating pbn_limit, if
branch is null, accessing "&branch->ports" causes the problem.

[How]
Judge branch is null or not at the beginning. If it is null, return 0.

Signed-off-by: Wayne Lin <Wayne.Lin@amd.com>
Cc: stable@vger.kernel.org
---
 drivers/gpu/drm/drm_dp_mst_topology.c | 3 +++
 1 file changed, 3 insertions(+)

Comments

Lipski, Mikita Dec. 26, 2019, 3:04 p.m. UTC | #1
[AMD Official Use Only - Internal Distribution Only]

Thanks for the catch,

Reviewed-by: Mikita Lipski <Mikita.Lipski@amd.com>




From: Wayne Lin <Wayne.Lin@amd.com>
Sent: Wednesday, December 25, 2019 9:31 PM
To: dri-devel@lists.freedesktop.org <dri-devel@lists.freedesktop.org>; amd-gfx@lists.freedesktop.org <amd-gfx@lists.freedesktop.org>
Cc: lyude@redhat.com <lyude@redhat.com>; Kazlauskas, Nicholas <Nicholas.Kazlauskas@amd.com>; Wentland, Harry <Harry.Wentland@amd.com>; Lipski, Mikita <Mikita.Lipski@amd.com>; Zuo, Jerry <Jerry.Zuo@amd.com>; stable@vger.kernel.org <stable@vger.kernel.org>; Lin, Wayne <Wayne.Lin@amd.com>
Subject: [PATCH] drm/dp_mst: Avoid NULL pointer dereference

[Why]
Found kernel NULL pointer dereference under the below situation:

        src — HDMI_Monitor   src — HDMI_Monitor
e.g.:       \            =>
             MSTB — MSTB     (unplug) MSTB — MSTB

When display 1 HDMI and 2 DP daisy chain monitors, unplugging the dp
cable connected to source causes kernel NULL pointer dereference at
drm_dp_mst_atomic_check_bw_limit(). When calculating pbn_limit, if
branch is null, accessing "&branch->ports" causes the problem.

[How]
Judge branch is null or not at the beginning. If it is null, return 0.

Signed-off-by: Wayne Lin <Wayne.Lin@amd.com>
Cc: stable@vger.kernel.org
---
 drivers/gpu/drm/drm_dp_mst_topology.c | 3 +++
 1 file changed, 3 insertions(+)



diff --git a/drivers/gpu/drm/drm_dp_mst_topology.c b/drivers/gpu/drm/drm_dp_mst_topology.c

index 7d2d31eaf003..a6473e3ab448 100644

--- a/drivers/gpu/drm/drm_dp_mst_topology.c

+++ b/drivers/gpu/drm/drm_dp_mst_topology.c

@@ -4707,6 +4707,9 @@ int drm_dp_mst_atomic_check_bw_limit(struct drm_dp_mst_branch *branch,

         struct drm_dp_vcpi_allocation *vcpi;

         int pbn_limit = 0, pbn_used = 0;



+       if (!branch)

+               return 0;

+

         list_for_each_entry(port, &branch->ports, next) {

                 if (port->mstb)

                         if (drm_dp_mst_atomic_check_bw_limit(port->mstb, mst_state))

--

2.17.1
Lyude Paul Jan. 3, 2020, 8:35 p.m. UTC | #2
Back from the holidays!

Reviewed-by: Lyude Paul <lyude@redhat.com>

Do you need me to push this to drm-misc?

On Thu, 2019-12-26 at 10:31 +0800, Wayne Lin wrote:
> [Why]
> Found kernel NULL pointer dereference under the below situation:
> 
> 	src — HDMI_Monitor   src — HDMI_Monitor
> e.g.:	    \            =>
> 	     MSTB — MSTB     (unplug) MSTB — MSTB
> 
> When display 1 HDMI and 2 DP daisy chain monitors, unplugging the dp
> cable connected to source causes kernel NULL pointer dereference at
> drm_dp_mst_atomic_check_bw_limit(). When calculating pbn_limit, if
> branch is null, accessing "&branch->ports" causes the problem.
> 
> [How]
> Judge branch is null or not at the beginning. If it is null, return 0.
> 
> Signed-off-by: Wayne Lin <Wayne.Lin@amd.com>
> Cc: stable@vger.kernel.org
> ---
>  drivers/gpu/drm/drm_dp_mst_topology.c | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/drivers/gpu/drm/drm_dp_mst_topology.c
> b/drivers/gpu/drm/drm_dp_mst_topology.c
> index 7d2d31eaf003..a6473e3ab448 100644
> --- a/drivers/gpu/drm/drm_dp_mst_topology.c
> +++ b/drivers/gpu/drm/drm_dp_mst_topology.c
> @@ -4707,6 +4707,9 @@ int drm_dp_mst_atomic_check_bw_limit(struct
> drm_dp_mst_branch *branch,
>  	struct drm_dp_vcpi_allocation *vcpi;
>  	int pbn_limit = 0, pbn_used = 0;
>  
> +	if (!branch)
> +		return 0;
> +
>  	list_for_each_entry(port, &branch->ports, next) {
>  		if (port->mstb)
>  			if (drm_dp_mst_atomic_check_bw_limit(port->mstb,
> mst_state))
Lin, Wayne Jan. 6, 2020, 7:34 a.m. UTC | #3
[AMD Public Use]



> -----Original Message-----
> From: Lyude Paul <lyude@redhat.com>
> Sent: Saturday, January 4, 2020 4:35 AM
> To: Lin, Wayne <Wayne.Lin@amd.com>; dri-
> devel@lists.freedesktop.org; amd-gfx@lists.freedesktop.org
> Cc: Kazlauskas, Nicholas <Nicholas.Kazlauskas@amd.com>; Wentland,
> Harry <Harry.Wentland@amd.com>; Lipski, Mikita <Mikita.Lipski@amd.com>;
> Zuo, Jerry <Jerry.Zuo@amd.com>; stable@vger.kernel.org
> Subject: Re: [PATCH] drm/dp_mst: Avoid NULL pointer dereference
> 
> Back from the holidays!
> 
> Reviewed-by: Lyude Paul <lyude@redhat.com>
> 
> Do you need me to push this to drm-misc?
> 
Thanks for your time!
And yes, please help to push this to drm-misc.

> On Thu, 2019-12-26 at 10:31 +0800, Wayne Lin wrote:
> > [Why]
> > Found kernel NULL pointer dereference under the below situation:
> >
> > 	src — HDMI_Monitor   src — HDMI_Monitor
> > e.g.:	    \            =>
> > 	     MSTB — MSTB     (unplug) MSTB — MSTB
> >
> > When display 1 HDMI and 2 DP daisy chain monitors, unplugging the dp
> > cable connected to source causes kernel NULL pointer dereference at
> > drm_dp_mst_atomic_check_bw_limit(). When calculating pbn_limit, if
> > branch is null, accessing "&branch->ports" causes the problem.
> >
> > [How]
> > Judge branch is null or not at the beginning. If it is null, return 0.
> >
> > Signed-off-by: Wayne Lin <Wayne.Lin@amd.com>
> > Cc: stable@vger.kernel.org
> > ---
> >  drivers/gpu/drm/drm_dp_mst_topology.c | 3 +++
> >  1 file changed, 3 insertions(+)
> >
> > diff --git a/drivers/gpu/drm/drm_dp_mst_topology.c
> > b/drivers/gpu/drm/drm_dp_mst_topology.c
> > index 7d2d31eaf003..a6473e3ab448 100644
> > --- a/drivers/gpu/drm/drm_dp_mst_topology.c
> > +++ b/drivers/gpu/drm/drm_dp_mst_topology.c
> > @@ -4707,6 +4707,9 @@ int drm_dp_mst_atomic_check_bw_limit(struct
> > drm_dp_mst_branch *branch,
> >  	struct drm_dp_vcpi_allocation *vcpi;
> >  	int pbn_limit = 0, pbn_used = 0;
> >
> > +	if (!branch)
> > +		return 0;
> > +
> >  	list_for_each_entry(port, &branch->ports, next) {
> >  		if (port->mstb)
> >  			if (drm_dp_mst_atomic_check_bw_limit(port->mstb,
> > mst_state))
> --
> Cheers,
> 	Lyude Paul
--
Best regards,
Wayne Lin

Patch

diff --git a/drivers/gpu/drm/drm_dp_mst_topology.c b/drivers/gpu/drm/drm_dp_mst_topology.c
index 7d2d31eaf003..a6473e3ab448 100644
--- a/drivers/gpu/drm/drm_dp_mst_topology.c
+++ b/drivers/gpu/drm/drm_dp_mst_topology.c
@@ -4707,6 +4707,9 @@  int drm_dp_mst_atomic_check_bw_limit(struct drm_dp_mst_branch *branch,
 	struct drm_dp_vcpi_allocation *vcpi;
 	int pbn_limit = 0, pbn_used = 0;
 
+	if (!branch)
+		return 0;
+
 	list_for_each_entry(port, &branch->ports, next) {
 		if (port->mstb)
 			if (drm_dp_mst_atomic_check_bw_limit(port->mstb, mst_state))
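
Review bot: The early `return 0` under `if (!branch)` at the top of drm_dp_mst_atomic_check_bw_limit() hands back the usual success value for a branch that was never examined, so a caller cannot tell "within the bandwidth limit" from "nothing was checked". The recursive call in the context lines is already guarded by `if (port->mstb)`, so a NULL branch can only arrive from the outside caller; testing the pointer there, or adding a one-line comment above this check saying that NULL means the topology is gone after the unplug and there is nothing to validate, would make the intent explicit. The commit message also carries Cc: stable without a Fixes: tag, which would tell stable maintainers which trees need the change.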