[next] drm/atomic: NULL pointer dereference
From: Sergey Senozhatsky
Date: Tue Sep 26 2017 - 03:59:56 EST
Hello,
after commit 669c9215afea4e ("drm/atomic: Make async plane update
checks work as intended") drm_atomic_helper_async_check() can NULL
dereference the `new_plane_state' pointer and crash the kernel at
'new_plane_state->crtc':
BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
IP: drm_atomic_helper_async_check+0x70/0xcb
PGD 0 P4D 0
Oops: 0000 [#1] PREEMPT SMP
[..]
task: ffff880131ac2280 task.stack: ffffc90000464000
RIP: 0010:drm_atomic_helper_async_check+0x70/0xcb
RSP: 0018:ffffc90000467a48 EFLAGS: 00010246
RAX: ffff880131917b60 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000004 RSI: ffff880131753480 RDI: 0000000000000000
RBP: 0000000000000000 R08: 0000000000000004 R09: 0000000000010000
R10: ffff880130d3255c R11: ffff880130e56e18 R12: ffff880131670000
R13: 0000000000000000 R14: ffff880131670000 R15: 0000000000000004
FS: 00007fc218f6e940(0000) GS:ffff880137d80000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000008 CR3: 0000000132aca000 CR4: 00000000000006e0
Call Trace:
drm_atomic_helper_check+0x3c/0x5a
nv50_disp_atomic_check+0x15/0x10b
drm_atomic_check_only+0x2c0/0x42a
drm_atomic_commit+0x13/0x4d
drm_atomic_helper_update_plane+0xc9/0xe6
__setplane_internal+0x1c8/0x229
? drm_internal_framebuffer_create+0x314/0x35a
drm_mode_cursor_universal+0x130/0x15f
drm_mode_cursor_common+0xcc/0x184
? drm_mode_setplane+0x183/0x183
drm_mode_cursor_ioctl+0x2f/0x34
drm_ioctl_kernel+0x61/0x9a
drm_ioctl+0x1d6/0x2a8
? drm_mode_setplane+0x183/0x183
? _raw_spin_unlock+0x12/0x23
? do_wp_page+0x159/0x22e
? _raw_spin_unlock_irqrestore+0x14/0x25
nouveau_drm_ioctl+0x71/0xa4
vfs_ioctl+0x1b/0x28
do_vfs_ioctl+0x5a9/0x5bc
? handle_mm_fault+0x98/0x9e
? __fget+0x5d/0x67
SyS_ioctl+0x3e/0x5a
entry_SYSCALL_64_fastpath+0x13/0x94
The below patch fixes the issues for me.
---
drivers/gpu/drm/drm_atomic_helper.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/drm_atomic_helper.c b/drivers/gpu/drm/drm_atomic_helper.c
index 01c34bc5b5b0..922f4d3b17aa 100644
--- a/drivers/gpu/drm/drm_atomic_helper.c
+++ b/drivers/gpu/drm/drm_atomic_helper.c
@@ -1405,7 +1405,7 @@ int drm_atomic_helper_async_check(struct drm_device *dev,
if (n_planes != 1)
return -EINVAL;
- if (!new_plane_state->crtc)
+ if (!new_plane_state || !new_plane_state->crtc)
return -EINVAL;
funcs = plane->helper_private;
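Review bot: the added NULL guard silences the oops but leaves open how new_plane_state can be NULL when the `n_planes != 1` check just above has passed; the commit message should explain where the counted plane and the pointer diverge, because the very next context line `funcs = plane->helper_private;` relies on `plane` being valid in the same way, and if the state pointer cannot be trusted here that line deserves the same scrutiny. The patch as posted also lacks a `Fixes: 669c9215afea4e ("drm/atomic: Make async plane update checks work as intended")` tag and a Signed-off-by line; both should be added before it is picked up.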
--
2.14.1