Message ID | 20231110012914.14884-2-stuart.lee@mediatek.com (mailing list archive) |
---|---|
State | New, archived |
Series | Fix access violation in mtk_drm_crtc_dma_dev_get |
Hi, Stuart:

On Fri, 2023-11-10 at 09:29 +0800, Stuart Lee wrote:
> Add error handling to check NULL input in
> mtk_drm_crtc_dma_dev_get function.
>
> While display path is not configured correctly, none of crtc is
> established. So the caller of mtk_drm_crtc_dma_dev_get may pass
> input parameter *crtc as NULL, Which may cause coredump when
> we try to get the container of NULL pointer.

Reviewed-by: CK Hu <ck.hu@mediatek.com>

>
> Fixes: cb1d6bcca542 ("drm/mediatek: Add dma dev get function")
> Signed-off-by: Stuart Lee <stuart.lee@mediatek.com>
> Cc: stable@vger.kernel.org
> ---
> drivers/gpu/drm/mediatek/mtk_drm_crtc.c | 9 ++++++++-
> 1 file changed, 8 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/gpu/drm/mediatek/mtk_drm_crtc.c > b/drivers/gpu/drm/mediatek/mtk_drm_crtc.c > index c277b9fae950..047c9a31d306 100644 > --- a/drivers/gpu/drm/mediatek/mtk_drm_crtc.c > +++ b/drivers/gpu/drm/mediatek/mtk_drm_crtc.c > @@ -921,7 +921,14 @@ static int mtk_drm_crtc_init_comp_planes(struct > drm_device *drm_dev, > > struct device *mtk_drm_crtc_dma_dev_get(struct drm_crtc *crtc) > { > - struct mtk_drm_crtc *mtk_crtc = to_mtk_crtc(crtc); > + struct mtk_drm_crtc *mtk_crtc = NULL; > + > + if (!crtc) > + return NULL; > + > + mtk_crtc = to_mtk_crtc(crtc); > + if (!mtk_crtc) > + return NULL; > > return mtk_crtc->dma_dev; > }
On 10/11/23 02:29, Stuart Lee wrote:
> Add error handling to check NULL input in
> mtk_drm_crtc_dma_dev_get function.
>
> While display path is not configured correctly, none of crtc is
> established. So the caller of mtk_drm_crtc_dma_dev_get may pass
> input parameter *crtc as NULL, Which may cause coredump when
> we try to get the container of NULL pointer.
>
> Fixes: cb1d6bcca542 ("drm/mediatek: Add dma dev get function")
> Signed-off-by: Stuart Lee <stuart.lee@mediatek.com>
> Cc: stable@vger.kernel.org

Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
On 11/10/23 09:29, Stuart Lee wrote:
> Add error handling to check NULL input in
> mtk_drm_crtc_dma_dev_get function.
>
> While display path is not configured correctly, none of crtc is
> established. So the caller of mtk_drm_crtc_dma_dev_get may pass
> input parameter *crtc as NULL, Which may cause coredump when
> we try to get the container of NULL pointer.
>
> Fixes: cb1d6bcca542 ("drm/mediatek: Add dma dev get function")
> Signed-off-by: Stuart Lee <stuart.lee@mediatek.com>
> Cc: stable@vger.kernel.org
> ---
> drivers/gpu/drm/mediatek/mtk_drm_crtc.c | 9 ++++++++-
> 1 file changed, 8 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/gpu/drm/mediatek/mtk_drm_crtc.c b/drivers/gpu/drm/mediatek/mtk_drm_crtc.c > index c277b9fae950..047c9a31d306 100644 > --- a/drivers/gpu/drm/mediatek/mtk_drm_crtc.c > +++ b/drivers/gpu/drm/mediatek/mtk_drm_crtc.c
> @@ -921,7 +921,14 @@ static int mtk_drm_crtc_init_comp_planes(struct drm_device *drm_dev, > > struct device *mtk_drm_crtc_dma_dev_get(struct drm_crtc *crtc) > { > - struct mtk_drm_crtc *mtk_crtc = to_mtk_crtc(crtc); > + struct mtk_drm_crtc *mtk_crtc = NULL; > + > + if (!crtc) > + return NULL; > + > + mtk_crtc = to_mtk_crtc(crtc); > + if (!mtk_crtc) > + return NULL; > > return mtk_crtc->dma_dev; > }

Maybe you could attach the stack dump log in commit message next time.
I've tested this patch with 6.7-rc1 on mt8395-genio-1200-evk.
The following error dump can be solved with this patch, thanks.

Tested-by: Macpaul Lin <macpaul.lin@mediatek.com>

[ 2.804652] mediatek-drm mediatek-drm.6.auto: bound 1c110000.vpp-merge (ops mtk_disp_merge_component_ops [mediatek_drm])
[ 2.804660] mediatek-drm mediatek-drm.4.auto: Not creating crtc 0 because component 8 is disabled or missing
[ 2.804662] mediatek-drm mediatek-drm.4.auto: Not creating crtc 0 because component 9 is disabled or missing
[ 2.804666] Unable to handle kernel NULL pointer dereference at virtual address 00000000000004a0
[ 2.804668] Mem abort info:
[ 2.804669] ESR = 0x0000000096000004
[ 2.804670] EC = 0x25: DABT (current EL), IL = 32 bits
[ 2.804671] SET = 0, FnV = 0
[ 2.804672] EA = 0, S1PTW = 0
[ 2.804673] FSC = 0x04: level 0 translation fault
[ 2.804674] Data abort info:
[ 2.804674] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
[ 2.804676] CM = 0, WnR = 0, TnD = 0, TagAccess = 0
[ 2.804677] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[ 2.804678] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000107380000
[ 2.804680] [00000000000004a0] pgd=0000000000000000, p4d=0000000000000000
[ 2.804683] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP
[ 2.804684] Modules linked in: mt6315_regulator mtk_jpeg mtk_jpeg_enc_hw crct10dif_ce mtk_jpeg_dec_hw btusb btrtl mtk_vcodec_dec btintel btmtk v4l2_vp9 mtk_vcodec_enc btbcm v4l2_h264 mtk_vcodec_dbgfs mediatek_drm bluetooth mtk_vcodec_common v4l2_mem2mem ecdh_generic videobuf2_dma_contig ecc videobuf2_memops videobuf2_v4l2 rfkill goodix_ts videodev videobuf2_common mc drm_kms_helper mtk_mmsys mtk_mutex mtk_cmdq_helper mcp251xfd mtk_cmdq_mailbox pcie_mediatek_gen3 can_dev mtk_scp pwm_mtk_disp mtk_rpmsg rtc_mt6397 mtk_scp_ipi snd_soc_dmic spmi_mtk_pmif mediatek_cpufreq_hw pwm_bl fuse drm backlight ipv6
[ 2.828100] CPU: 7 PID: 56 Comm: kworker/u16:1 Not tainted 6.7.0-rc1-mtk+modified #1
[ 2.829073] Hardware name: MediaTek Genio 1200 EVK-P1V2-EMMC (DT)
[ 2.829838] Workqueue: events_unbound deferred_probe_work_func
[ 2.830578] pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 2.831452] pc : mtk_drm_crtc_dma_dev_get+0x0/0x8 [mediatek_drm]
[ 2.832212] lr : mtk_drm_bind+0x418/0x5e8 [mediatek_drm]
[ 2.832885] sp : ffff800082d93a20
[ 2.833301] x29: ffff800082d93a40 x28: ffff8000824379c0 x27: ffff80007acc8c10
[ 2.834197] x26: ffff0000c7e3e080 x25: 0000000000000002 x24: 0000000000000000
[ 2.835093] x23: ffff0000c7e3e080 x22: 0000000000000002 x21: 0000000000000000
[ 2.835989] x20: ffff0000ca5a2800 x19: ffff0000c7e3e080 x18: ffffffffffffffff
[ 2.836884] x17: 69645f6b746d2073 x16: 706f28206c61612e x15: ffff80008288a5aa
[ 2.837779] x14: ffffffffffffffff x13: 0a676e697373696d x12: 20726f2064656c62
[ 2.838676] x11: fffffffffffe0000 x10: 0000000000000020 x9 : ffff800082d93900
[ 2.839572] x8 : 0000000000000020 x7 : 20726f2064656c62 x6 : 000000000000000c
[ 2.840468] x5 : ffff0001fef70d08 x4 : 0000000000000000 x3 : ffff0000ca5a2ae0
[ 2.841363] x2 : ffff0000ca5a2ae0 x1 : 0000000000000000 x0 : 0000000000000000
[ 2.842259] Call trace:
[ 2.842568] mtk_drm_crtc_dma_dev_get+0x0/0x8 [mediatek_drm]
[ 2.843285] try_to_bring_up_aggregate_device+0x168/0x1d4
[ 2.843965] __component_add+0xa4/0x170
[ 2.844448] component_add+0x14/0x20
[ 2.844898] mtk_disp_rdma_probe+0x178/0x268 [mediatek_drm]
[ 2.845602] platform_probe+0x68/0xdc
[ 2.846064] really_probe+0x148/0x2ac
[ 2.846525] __driver_probe_device+0x78/0x12c
[ 2.847074] driver_probe_device+0x40/0x160
[ 2.847600] __device_attach_driver+0xb8/0x134
[ 2.848158] bus_for_each_drv+0x84/0xe4
[ 2.848641] __device_attach+0xac/0x1b8
[ 2.849124] device_initial_probe+0x14/0x20
[ 2.849651] bus_probe_device+0xa8/0xac
[ 2.850133] deferred_probe_work_func+0x88/0xc0
[ 2.850702] process_one_work+0x138/0x260
[ 2.851209] worker_thread+0x32c/0x438
[ 2.851681] kthread+0x118/0x11c
[ 2.852088] ret_from_fork+0x10/0x20
[ 2.852540] Code: 97fffdec a8c17bfd d50323bf d65f03c0 (f9425000)
[ 2.853305] ---[ end trace 0000000000000000 ]---
[ 4.102725] random: crng init done

Best regards,
Macpaul Lin
Hi, Stuart:

Stuart Lee <stuart.lee@mediatek.com> wrote on Fri, Nov 10, 2023 at 9:29 AM:
>
> Add error handling to check NULL input in
> mtk_drm_crtc_dma_dev_get function.
>
> While display path is not configured correctly, none of crtc is
> established. So the caller of mtk_drm_crtc_dma_dev_get may pass
> input parameter *crtc as NULL, Which may cause coredump when
> we try to get the container of NULL pointer.

Applied to mediatek-drm-fixes [1], thanks.

[1] https://git.kernel.org/pub/scm/linux/kernel/git/chunkuang.hu/linux.git/log/?h=mediatek-drm-fixes

Regards,
Chun-Kuang.

>
> Fixes: cb1d6bcca542 ("drm/mediatek: Add dma dev get function")
> Signed-off-by: Stuart Lee <stuart.lee@mediatek.com>
> Cc: stable@vger.kernel.org
> ---
> drivers/gpu/drm/mediatek/mtk_drm_crtc.c | 9 ++++++++-
> 1 file changed, 8 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/gpu/drm/mediatek/mtk_drm_crtc.c b/drivers/gpu/drm/mediatek/mtk_drm_crtc.c > index c277b9fae950..047c9a31d306 100644 > --- a/drivers/gpu/drm/mediatek/mtk_drm_crtc.c > +++ b/drivers/gpu/drm/mediatek/mtk_drm_crtc.c > @@ -921,7 +921,14 @@ static int mtk_drm_crtc_init_comp_planes(struct drm_device *drm_dev, > > struct device *mtk_drm_crtc_dma_dev_get(struct drm_crtc *crtc) > { > - struct mtk_drm_crtc *mtk_crtc = to_mtk_crtc(crtc); > + struct mtk_drm_crtc *mtk_crtc = NULL; > + > + if (!crtc) > + return NULL; > + > + mtk_crtc = to_mtk_crtc(crtc); > + if (!mtk_crtc) > + return NULL; > > return mtk_crtc->dma_dev; > }
> --
> 2.18.0
>
diff --git a/drivers/gpu/drm/mediatek/mtk_drm_crtc.c b/drivers/gpu/drm/mediatek/mtk_drm_crtc.c index c277b9fae950..047c9a31d306 100644 --- a/drivers/gpu/drm/mediatek/mtk_drm_crtc.c +++ b/drivers/gpu/drm/mediatek/mtk_drm_crtc.c @@ -921,7 +921,14 @@ static int mtk_drm_crtc_init_comp_planes(struct drm_device *drm_dev, struct device *mtk_drm_crtc_dma_dev_get(struct drm_crtc *crtc) { - struct mtk_drm_crtc *mtk_crtc = to_mtk_crtc(crtc); + struct mtk_drm_crtc *mtk_crtc = NULL; + + if (!crtc) + return NULL; + + mtk_crtc = to_mtk_crtc(crtc); + if (!mtk_crtc) + return NULL; return mtk_crtc->dma_dev; }
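Review bot: The second check in the added lines, "if (!mtk_crtc)" placed after "mtk_crtc = to_mtk_crtc(crtc);", looks unreachable. The commit message describes to_mtk_crtc() as taking the container of the pointer, and a container conversion has no way to report failure by returning NULL, so once "if (!crtc) return NULL;" has passed, this branch should never fire. Suggest dropping it together with the "= NULL" initializer, which is overwritten before mtk_crtc is read. Also, the function now returns NULL where it previously faulted, and the hunk does not show its caller; the trace posted in this thread has lr in mtk_drm_bind, so the commit message should state how that caller treats a NULL dma device.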
Add error handling to check NULL input in
mtk_drm_crtc_dma_dev_get function.

While display path is not configured correctly, none of crtc is
established. So the caller of mtk_drm_crtc_dma_dev_get may pass
input parameter *crtc as NULL, Which may cause coredump when
we try to get the container of NULL pointer.

Fixes: cb1d6bcca542 ("drm/mediatek: Add dma dev get function")
Signed-off-by: Stuart Lee <stuart.lee@mediatek.com>
Cc: stable@vger.kernel.org
---
 drivers/gpu/drm/mediatek/mtk_drm_crtc.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)