[PATCH] drm/i915: don't reference null pointer at i915_sink_crc

[PATCH] drm/i915: don't reference null pointer at i915_sink_crc

[Paulo Zanoni]

From: Paulo Zanoni <paulo.r.zanoni@intel.com>

Reproducible by runtime suspending a Haswell machine with eDP + HDMI
outputs connected.

[  209.600086] [drm:i915_runtime_suspend], Suspending device
[  209.688435] BUG: unable to handle kernel NULL pointer dereference at 0000000000000060
[  209.688500] IP: [<ffffffffa0109d4e>] i915_sink_crc+0x6e/0xf0 [i915]
[  209.688577] PGD 36aba067 PUD 35d7f067 PMD 0 
[  209.688613] Oops: 0000 [#1] SMP 
[  209.688641] Modules linked in: fuse ip6table_filter ip6_tables ebtable_nat ebtables iTCO_wdt iTCO_vendor_support x86_pkg_temp_thermal coretemp microcode serio_raw e1000e pcspkr i2c_i801 ptp mei_me mei lpc_ich mfd_core pps_core dm_crypt i915 i2c_algo_bit crc32_pclmul drm_kms_helper crc32c_intel drm ghash_clmulni_intel video
[  209.688893] CPU: 1 PID: 1797 Comm: pm_pc8 Not tainted 3.13.0+ #118
[  209.688937] Hardware name: Intel Corporation Shark Bay Client platform/WhiteTip Mountain 1, BIOS HSWLPTU1.86C.0133.R00.1309172123 09/17/2013
[  209.689023] task: ffff88007fb4b690 ti: ffff88007d9d2000 task.ti: ffff88007d9d2000
[  209.689074] RIP: 0010:[<ffffffffa0109d4e>]  [<ffffffffa0109d4e>] i915_sink_crc+0x6e/0xf0 [i915]
[  209.689169] RSP: 0018:ffff88007d9d3e68  EFLAGS: 00010246
[  209.689205] RAX: 0000000000000000 RBX: ffff880036a03478 RCX: ffff8800366c9770
[  209.689252] RDX: ffff88014325cf38 RSI: ffff88007fb4bd08 RDI: ffff88007fb4b690
[  209.689299] RBP: ffff88007d9d3e98 R08: 0000000000000000 R09: 0000000000000000
[  209.689346] R10: 0000000000000001 R11: 0000000000000000 R12: ffff8800366c9148
[  209.689393] R13: 00000000ffffffed R14: ffff88007d9d3f50 R15: ffff880036a03478
[  209.689441] FS:  00007f5a74bc29c0(0000) GS:ffff88014f240000(0000) knlGS:0000000000000000
[  209.689494] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  209.689533] CR2: 0000000000000060 CR3: 0000000079d7e000 CR4: 00000000001407e0
[  209.689580] Stack:
[  209.689594]  0000000000001000 ffff880146083980 ffff880146083980 0000000000000000
[  209.689649]  ffff880146083980 0000000000000001 ffff88007d9d3f00 ffffffff811d0744
[  209.689702]  0000000000000046 00007fff7949fe20 ffff880036a034b8 0000000000000080
[  209.689756] Call Trace:
[  209.689778]  [<ffffffff811d0744>] seq_read+0x164/0x3e0
[  209.689816]  [<ffffffff811ab165>] vfs_read+0x95/0x160
[  209.689851]  [<ffffffff811abc79>] SyS_read+0x49/0xa0
[  209.689888]  [<ffffffff810ef64c>] ? __audit_syscall_entry+0x9c/0xf0
[  209.689933]  [<ffffffff81659412>] system_call_fastpath+0x16/0x1b

Testcase: igt/pm_pc8 (do a full run, it will fail at the debugfs-read subtest)
Signed-off-by: Paulo Zanoni <paulo.r.zanoni@intel.com>
---
 drivers/gpu/drm/i915/i915_debugfs.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/gpu/drm/i915/i915_debugfs.c b/drivers/gpu/drm/i915/i915_debugfs.c
index b737583..cb3d0f4 100644
--- a/drivers/gpu/drm/i915/i915_debugfs.c
+++ b/drivers/gpu/drm/i915/i915_debugfs.c
@@ -1938,6 +1938,8 @@ static int i915_sink_crc(struct seq_file *m, void *data)
 			continue;
 
 		encoder = to_intel_encoder(connector->base.encoder);
+		if (!encoder)
+			continue;
 		if (encoder->type != INTEL_OUTPUT_EDP)
 			continue;
 
-- 
1.8.5.3

Re: [PATCH] drm/i915: don't reference null pointer at i915_sink_crc

[Daniel Vetter]

On Thu, Feb 13, 2014 at 8:51 PM, Paulo Zanoni <przanoni@gmail.com> wrote:
>                 encoder = to_intel_encoder(connector->base.encoder);
> +               if (!encoder)
> +                       continue;

to_intel_connector can change a NULL pointer to something slightly
different if the base structure isn't the very first thing. Hence you
must do the check before the casting. I've fixed that up while
applying, thanks for spotting and fixing this.
-Daniel
-- 
Daniel Vetter
Software Engineer, Intel Corporation
+41 (0) 79 365 57 48 - http://blog.ffwll.ch