From dd6d18d0590fd2f50664917e9ffdaa093f1e6acb Mon Sep 17 00:00:00 2001 
From: Seth Forshee Date: Mon, 28 Sep 2020 11:14:15 -0500 Subject: [PATCH] UBUNTU: SAUCE: drm/i915/display: Fix null deref in intel_psr_atomic_check() I'm seeing an oops when booting my laptop when attached to my dock: RIP: 0010:intel_psr_atomic_check+0x37/0xa0 [i915] Code: 80 56 06 00 00 20 74 42 80 b8 74 6a 00 00 00 74 39 48 8b 72 08 48 85 f6 74 30 80 b8 38 6b 00 00 00 74 27 4c 8b 87 80 04 00 00 <41> 8b 78 78 83 ff 08 77 19 31 c9 83 ff 05 77 19 48 81 c1 28 01 00 RSP: 0018:ffffadd0401bfb38 EFLAGS: 00010202 RAX: ffff97425d200000 RBX: ffff974276144800 RCX: 0000000000000000 RDX: ffff974279b9a900 RSI: ffff97425f1c7800 RDI: ffff974278308000 RBP: ffffadd0401bfb38 R08: 0000000000000000 R09: ffff974274b08970 R10: ffff974279b9a900 R11: 0000000000000007 R12: ffff974278308000 R13: ffff974279b9a900 R14: ffff974279731480 R15: 0000000000000004 FS: 0000000000000000(0000) GS:ffff9742804c0000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000078 CR3: 000000047220a003 CR4: 00000000003606e0 Call Trace: intel_digital_connector_atomic_check+0x53/0x130 [i915] intel_dp_mst_atomic_check+0x46/0xe0 [i915] drm_atomic_helper_check_modeset+0x1ea/0x460 [drm_kms_helper] intel_atomic_check+0x93/0x6b0 [i915] ? drm_atomic_plane_check+0x7a/0x3a0 [drm] ? drm_atomic_set_crtc_for_connector+0xcb/0x110 [drm] drm_atomic_check_only+0x1e9/0x360 [drm] drm_atomic_commit+0x18/0x50 [drm] drm_client_modeset_commit_atomic+0x1c9/0x200 [drm] drm_client_modeset_commit_locked+0x51/0x80 [drm] drm_client_modeset_commit+0x27/0x50 [drm] drm_fb_helper_set_par+0xb3/0xe0 [drm_kms_helper] drm_fb_helper_hotplug_event.part.0+0xb4/0xe0 [drm_kms_helper] drm_fb_helper_hotplug_event+0x1c/0x30 [drm_kms_helper] intel_fbdev_output_poll_changed+0x6f/0xa0 [i915] drm_kms_helper_hotplug_event+0x2c/0x40 [drm_kms_helper] drm_dp_mst_link_probe_work+0xd9/0x180 [drm_kms_helper] process_one_work+0x1e8/0x3b0 worker_thread+0x50/0x370 kthread+0x12f/0x150 ? process_one_work+0x3b0/0x3b0 ? 
__kthread_bind_mask+0x70/0x70 ret_from_fork+0x1f/0x30 Modules linked in: ... CR2: 0000000000000078 ---[ end trace be497c0ed3de6229 ]--- RIP: 0010:intel_psr_atomic_check+0x37/0xa0 [i915] Code: 80 56 06 00 00 20 74 42 80 b8 74 6a 00 00 00 74 39 48 8b 72 08 48 85 f6 74 30 80 b8 38 6b 00 00 00 74 27 4c 8b 87 80 04 00 00 <41> 8b 78 78 83 ff 08 77 19 31 c9 83 ff 05 77 19 48 81 c1 28 01 00 RSP: 0018:ffffadd0401bfb38 EFLAGS: 00010202 RAX: ffff97425d200000 RBX: ffff974276144800 RCX: 0000000000000000 RDX: ffff974279b9a900 RSI: ffff97425f1c7800 RDI: ffff974278308000 RBP: ffffadd0401bfb38 R08: 0000000000000000 R09: ffff974274b08970 R10: ffff974279b9a900 R11: 0000000000000007 R12: ffff974278308000 R13: ffff974279b9a900 R14: ffff974279731480 R15: 0000000000000004 FS: 0000000000000000(0000) GS:ffff9742804c0000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000078 CR3: 000000047cb9e002 CR4: 00000000003606e0 Looking through intel_psr_atomic_check(), I note that enc_to_dig_port() may return NULL, but the pointer is not being checked before it is dereferenced. Adding an extra check that the returned pointer is not NULL eliminates the oops. Signed-off-by: Seth Forshee
---
 drivers/gpu/drm/i915/display/intel_psr.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/i915/display/intel_psr.c b/drivers/gpu/drm/i915/display/intel_psr.c
index b886ac97ae77d8..d796c81052517d 100644
--- a/drivers/gpu/drm/i915/display/intel_psr.c
+++ b/drivers/gpu/drm/i915/display/intel_psr.c
@@ -1631,7 +1631,7 @@ void intel_psr_atomic_check(struct drm_connector *connector,
 intel_connector = to_intel_connector(connector);
 dig_port = enc_to_dig_port(intel_attached_encoder(intel_connector));
- if (dev_priv->psr.dp != &dig_port->dp)
+ if (!dig_port || dev_priv->psr.dp != &dig_port->dp)
 return;
 crtc_state = drm_atomic_get_new_crtc_state(new_state->state,
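Review bot: The new `!dig_port` test may sit after the access that actually faults, because the quoted oops shows a read at offset 0x78 from a NULL pointer (R08 is 0, CR2 is 0x78) and the bytes just before the marked instruction load R08 from the connector. That pattern suggests the NULL value is the encoder returned by `intel_attached_encoder()`, read inside `enc_to_dig_port()`, rather than `dig_port` itself; `enc_to_dig_port()` is not visible here, so this needs confirming. Note also that `&dig_port->dp` only forms an address and does not load through `dig_port`, so the old comparison would not fault by itself. If the encoder can be NULL for MST connectors, it should be checked before the conversion, e.g. `encoder = intel_attached_encoder(intel_connector);` followed by `if (!encoder) return;`, with the local declared at the top of the function, which lies outside this hunk. A short comment such as `/* MST connectors may have no attached encoder / digital port */` above the check would record why the guard exists.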