[PATCH] gpu: drm: i915: intel_hotplug: avoid NULL pointer dereference
From: Olivier Sobrie
Date: Sun Jan 07 2018 - 13:23:31 EST
I observed the following crash on my laptop after undocking it:
BUG: unable to handle kernel NULL pointer dereference at 00000000000000e4
IP: i915_hpd_poll_init_work+0x8f/0x100 [i915]
PGD 0 P4D 0
Oops: 0000 [#1] PREEMPT SMP
Modules linked in: ppp_mppe ppp_async ppp_generic slhc nf_conntrack_pptp nf_conntrack_proto_gre veth ipt_MASQUERADE nf_nat_masquerade_ipv4 nf_conntrack_netlink nfnetlink xfrm_user
kvm irqbypass crct10dif_pclmul iwlmvm crc32_pclmul ghash_clmulni_intel mei_wdt iTCO_wdt iTCO_vendor_support mac80211 wmi_bmof pcbc i2c_algo_bit snd_hda_intel drm_kms_helper snd_hd
usbcore usb_common i8042 serio vfat fat trusted tpm crc32c_generic crc32c_intel btrfs xor zstd_decompress zstd_compress xxhash raid6_pq
CPU: 0 PID: 37 Comm: kworker/0:1 Tainted: G U O 4.14.9-1-ARCH #1
Hardware name: LENOVO 20F9CTO1WW/20F9CTO1WW, BIOS N1CET56W (1.24 ) 04/19/2017
Workqueue: events i915_hpd_poll_init_work [i915]
task: ffffa0bd09132dc0 task.stack: ffffb177032b0000
RIP: 0010:i915_hpd_poll_init_work+0x8f/0x100 [i915]
RSP: 0018:ffffb177032b3e58 EFLAGS: 00010202
RAX: ffffa0bcf5b2d800 RBX: 0000000000000001 RCX: 0000000000000056
RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffffffffc0a9d8f7
RBP: ffffa0bcf8f1abc0 R08: 0000000000000003 R09: 0000000000000002
R10: ffffa0bcf8f182f8 R11: 0000000000000c00 R12: ffffa0bcf8f18000
R13: 0000000000000000 R14: ffffa0bcf8f181f8 R15: ffffa0bd092843c0
FS: 0000000000000000(0000) GS:ffffa0bd21400000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000000000e4 CR3: 0000000157c09002 CR4: 00000000003606f0
Call Trace:
process_one_work+0x1db/0x410
worker_thread+0x2b/0x3d0
? process_one_work+0x410/0x410
kthread+0x118/0x130
? kthread_create_on_node+0x70/0x70
ret_from_fork+0x1f/0x30
Code: 0f b6 90 a0 04 00 00 48 83 b8 b0 04 00 00 00 88 90 e8 02 00 00 75 dc 84 d2 75 d8 f6 85 70 da ff ff 02 74 cf 48 8b 90 00 04 00 00 <8b> 92 e4 00 00 00 85 d2 74 be 88 98 e8 02 0
RIP: i915_hpd_poll_init_work+0x8f/0x100 [i915] RSP: ffffb177032b3e58
CR2: 00000000000000e4
---[ end trace 098075e41d0a597e ]---
The values of the registers seem to indicate that it tries to
dereference the hpd_pin field of the encoder structure. The value 0xe4
corresponds to the offset of the field hpd_pin in the encoder structure.
It appears that encoder->hpd_pin is accessed without checking first that
encoder is not NULL. The same issue may happen in
intel_hpd_irq_storm_reenable_work().
This patch should fix these issues.
Signed-off-by: Olivier Sobrie <olivier@xxxxxxxxx>
---
drivers/gpu/drm/i915/intel_hotplug.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/i915/intel_hotplug.c b/drivers/gpu/drm/i915/intel_hotplug.c
index 875d5d218d5c..ab7e8dd0cf5b 100644
--- a/drivers/gpu/drm/i915/intel_hotplug.c
+++ b/drivers/gpu/drm/i915/intel_hotplug.c
@@ -245,7 +245,8 @@ static void intel_hpd_irq_storm_reenable_work(struct work_struct *work)
drm_for_each_connector_iter(connector, &conn_iter) {
struct intel_connector *intel_connector = to_intel_connector(connector);
- if (intel_connector->encoder->hpd_pin == i) {
+ if (intel_connector->encoder &&
+ (intel_connector->encoder->hpd_pin == i)) {
if (connector->polled != intel_connector->polled)
DRM_DEBUG_DRIVER("Reenabling HPD on connector %s\n",
connector->name);
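Review bot: In intel_hpd_irq_storm_reenable_work() the new condition silently skips any connector whose encoder is NULL, but nothing in the code or the commit message says which connectors can be in that state after undocking. A one-line comment above the test naming that case would keep a later cleanup from removing the check. The commit message says this path "may" hit the same issue, and the oops only shows i915_hpd_poll_init_work, so it is worth confirming that a NULL encoder is actually reachable here. Style: the inner parentheses around `intel_connector->encoder->hpd_pin == i` are redundant, and the second hunk writes the same kind of test without them, so drop them for consistency.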
@@ -546,6 +547,7 @@ static void i915_hpd_poll_init_work(struct work_struct *work)
continue;
if (!connector->polled && I915_HAS_HOTPLUG(dev_priv) &&
+ intel_connector->encoder &&
intel_connector->encoder->hpd_pin > HPD_NONE) {
connector->polled = enabled ?
DRM_CONNECTOR_POLL_CONNECT |
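Review bot: The added `intel_connector->encoder &&` test in i915_hpd_poll_init_work() matches the faulting access (CR2 0xe4 at i915_hpd_poll_init_work+0x8f), but it treats the symptom without documenting why a connector in this list has no encoder. Please add a short comment on the condition. Because the dereference is now guarded inline in two functions, consider a small helper that returns the connector's hpd_pin, or HPD_NONE when the encoder is NULL, so any other `encoder->hpd_pin` users in this file get the same protection. The commit message also carries only a Signed-off-by; since the oops was seen on 4.14.9, a Fixes: tag and a stable Cc would help the backport.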
--
2.15.1