kernel / kernel-source

Clone
Source Code
GIT

Files

  1.   7df24046a1510e64670d278fbacd785c50635908
  2.   patches.suse
  3.   0370-drm-dp_mst-Fix-NULL-deref-in-drm_dp_get_one_sb_msg.patch
Blob Blame History Raw 
From f03d69e5324c2b30c565c504e14bf9f9adac1ea7 Mon Sep 17 00:00:00 2001
From: Lyude Paul <lyude@redhat.com>
Date: Mon, 6 Apr 2020 15:33:52 -0400
Subject: drm/dp_mst: Fix NULL deref in drm_dp_get_one_sb_msg()
Git-commit: cbfb1b74438fdab9ab34a24bb3a206033d807dc0
Patch-mainline: v5.8-rc1
References: jsc#SLE-12680, jsc#SLE-12880, jsc#SLE-12882, jsc#SLE-12883, jsc#SLE-13496, jsc#SLE-15322

While we don't need this function to store an mstb anywhere for UP
requests since we process them asynchronously, we do need to make sure
that we don't try to write to **mstb for UP requests otherwise we'll
cause a NULL pointer deref:

    RIP: 0010:drm_dp_get_one_sb_msg+0x4b/0x460 [drm_kms_helper]
    Call Trace:
     ? vprintk_emit+0x16a/0x230
     ? drm_dp_mst_hpd_irq+0x133/0x1010 [drm_kms_helper]
     drm_dp_mst_hpd_irq+0x133/0x1010 [drm_kms_helper]
     ? __drm_dbg+0x87/0x90 [drm]
     ? intel_dp_hpd_pulse+0x24b/0x400 [i915]
     intel_dp_hpd_pulse+0x24b/0x400 [i915]
     i915_digport_work_func+0xd6/0x160 [i915]
     process_one_work+0x1a9/0x370
     worker_thread+0x4d/0x3a0
     kthread+0xf9/0x130
     ? process_one_work+0x370/0x370
     ? kthread_park+0x90/0x90
     ret_from_fork+0x35/0x40

So, fix this.

Signed-off-by: Lyude Paul <lyude@redhat.com>
Fixes: fbc821c4a506 ("drm/mst: Support simultaneous down replies")
Cc: Wayne Lin <Wayne.Lin@amd.com>
Cc: Lyude Paul <lyude@redhat.com>
Cc: Wayne Lin <waynelin@amd.com>
Cc: Sean Paul <seanpaul@chromium.org>
Link: https://patchwork.freedesktop.org/patch/msgid/20200406193352.1245985-1-lyude@redhat.com
Reviewed-by: Sean Paul <sean@poorly.run>
Signed-off-by: Patrik Jakobsson <pjakobsson@suse.de>
---
 drivers/gpu/drm/drm_dp_mst_topology.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/drm_dp_mst_topology.c b/drivers/gpu/drm/drm_dp_mst_topology.c
index bf2d74cb9ff9..a0ebe8de819f 100644
--- a/drivers/gpu/drm/drm_dp_mst_topology.c
+++ b/drivers/gpu/drm/drm_dp_mst_topology.c
@@ -3707,7 +3707,8 @@ static bool drm_dp_get_one_sb_msg(struct drm_dp_mst_topology_mgr *mgr, bool up,
 	int basereg = up ? DP_SIDEBAND_MSG_UP_REQ_BASE :
 			   DP_SIDEBAND_MSG_DOWN_REP_BASE;
 
-	*mstb = NULL;
+	if (!up)
+		*mstb = NULL;
 	*seqno = -1;
 
 	len = min(mgr->max_dpcd_transaction_bytes, 16);
-- 
2.28.0
Powered by Pagure 5.13.3
DocumentationAbout this InstanceSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.