Re: [PATCH] drm/msm: Fix NULL deref on bind/probe deferral - abhinavk-sgV2jX0FEOL9JmXXK+q4OQ

From: abhinavk-sgV2jX0FEOL9JmXXK+q4OQ@public.gmane.org
To: Sean Paul <seanpaul-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>
Cc: linux-arm-msm-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
	linux-arm-msm-owner-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
	robdclark-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org,
	jsanka-sgV2jX0FEOL9JmXXK+q4OQ@public.gmane.org,
	freedreno-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW@public.gmane.org,
	hoegsberg-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org,
	Daniel Mack <daniel-cYrQPVfZoowdnm+yROfE0A@public.gmane.org>
Subject: Re: [PATCH] drm/msm: Fix NULL deref on bind/probe deferral
Date: Thu, 31 May 2018 15:40:29 -0700	[thread overview]
Message-ID: <f27412892439e05304e8a403802eeab6@codeaurora.org> (raw)
In-Reply-To: <20180531184858.181917-1-seanpaul-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>

On 2018-05-31 11:48, Sean Paul wrote:
> This patch avoids dereferencing msm_host->dev when it is NULL.
> 
> If we find ourselves tearing down dsi before calling
> (mdp4|mdp5|dpu)_kms_init(), we'll end up in a state where the dev
> pointer is NULL and trying to extract priv from it will fail.
> 
> This was introduced in a seemingly innocuous commit to ensure the
> arguments to msm_gem_put_iova() are correct (even though that
> function has been a stub for ~5 years). Correctness FTW! \o/
> 
> Fixes: b01884a286b0 drm/msm: use correct aspace pointer in 
> msm_gem_put_iova()
> Cc: Daniel Mack <daniel@zonque.org>
> Cc: Rob Clark <robdclark@gmail.com>
> Signed-off-by: Sean Paul <seanpaul@chromium.org>
Reviewed-by: Abhinav Kumar <abhinavk@codeaurora.org>
> ---
>  drivers/gpu/drm/msm/dsi/dsi_host.c | 12 +++++++++++-
>  1 file changed, 11 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/gpu/drm/msm/dsi/dsi_host.c
> b/drivers/gpu/drm/msm/dsi/dsi_host.c
> index b916f464f4ec..2f1a2780658a 100644
> --- a/drivers/gpu/drm/msm/dsi/dsi_host.c
> +++ b/drivers/gpu/drm/msm/dsi/dsi_host.c
> @@ -1066,8 +1066,18 @@ static int dsi_tx_buf_alloc(struct msm_dsi_host
> *msm_host, int size)
>  static void dsi_tx_buf_free(struct msm_dsi_host *msm_host)
>  {
>  	struct drm_device *dev = msm_host->dev;
> -	struct msm_drm_private *priv = dev->dev_private;
> +	struct msm_drm_private *priv;
> +
> +	/*
> +	 * This is possible if we're tearing down before we've had a chance 
> to
> +	 * fully initialize. A very real possibility if our probe is 
> deferred,
> +	 * in which case we'll hit msm_dsi_host_destroy() without having run
> +	 * through the dsi_tx_buf_alloc().
> +	 */
> +	if (!dev)
> +		return;
> 
> +	priv = dev->dev_private;
>  	if (msm_host->tx_gem_obj) {
>  		msm_gem_put_iova(msm_host->tx_gem_obj, priv->kms->aspace);
>  		drm_gem_object_put_unlocked(msm_host->tx_gem_obj);
_______________________________________________
Freedreno mailing list
Freedreno@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/freedreno