Re: [PATCH] drm/bridge: dumb-vga-dac: Fix dereferencing -ENODEV DDC channel

From: Neil Armstrong
Date: Tue Aug 13 2019 - 08:01:32 EST


Hi,


On 13/08/2019 11:30, Geert Uytterhoeven wrote:
> If the VGA connector has no DDC channel, an error pointer will be
> dereferenced, e.g. on Salvator-XS:
>
> Unable to handle kernel NULL pointer dereference at virtual address 000000000000017d
> ...
> Call trace:
> sysfs_do_create_link_sd.isra.0+0x40/0x108
> sysfs_create_link+0x20/0x40
> drm_sysfs_connector_add+0xa8/0xc8
> drm_connector_register.part.3+0x54/0xb0
> drm_connector_register_all+0xb0/0xd0
> drm_modeset_register_all+0x54/0x88
> drm_dev_register+0x18c/0x1d8
> rcar_du_probe+0xe4/0x150
> ...
>
> This happens because vga->ddc either contains a valid DDC channel
> pointer, or -ENODEV, and drm_connector_init_with_ddc() expects a valid
> DDC channel pointer, or NULL.
>
> Fix this by resetting vga->ddc to NULL in case of -ENODEV, and replacing
> the existing error checks by non-NULL checks.
> This is similar to what the HDMI connector driver does.
>
> Fixes: a4f9087e85de141e ("drm/bridge: dumb-vga-dac: Provide ddc symlink in connector sysfs directory")
> Signed-off-by: Geert Uytterhoeven <geert+renesas@xxxxxxxxx>
> ---
> An alternative would be to check if vga->ddc contains an error pointer,
> and calling drm_connector_init() instead of
> drm_connector_init_with_ddc(), like before.
> ---
> drivers/gpu/drm/bridge/dumb-vga-dac.c | 7 ++++---
> 1 file changed, 4 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/gpu/drm/bridge/dumb-vga-dac.c b/drivers/gpu/drm/bridge/dumb-vga-dac.c
> index 8ef6539ae78a6eb3..7aa789c358829b05 100644
> --- a/drivers/gpu/drm/bridge/dumb-vga-dac.c
> +++ b/drivers/gpu/drm/bridge/dumb-vga-dac.c
> @@ -42,7 +42,7 @@ static int dumb_vga_get_modes(struct drm_connector *connector)
> struct edid *edid;
> int ret;
>
> - if (IS_ERR(vga->ddc))
> + if (!vga->ddc)
> goto fallback;
>
> edid = drm_get_edid(connector, vga->ddc);
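
Review bot: the `if (!vga->ddc)` test in dumb_vga_get_modes() no longer catches an error pointer, so the drm_get_edid(connector, vga->ddc) call below it is only safe while dumb_vga_probe() is the sole place that assigns vga->ddc and always leaves it either valid or NULL. Please confirm there is no other assignment to vga->ddc in the driver; the same assumption carries the `vga->ddc &&` test in dumb_vga_connector_detect() and the `if (vga->ddc)` test in dumb_vga_remove().
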
> @@ -84,7 +84,7 @@ dumb_vga_connector_detect(struct drm_connector *connector, bool force)
> * wire the DDC pins, or the I2C bus might not be working at
> * all.
> */
> - if (!IS_ERR(vga->ddc) && drm_probe_ddc(vga->ddc))
> + if (vga->ddc && drm_probe_ddc(vga->ddc))
> return connector_status_connected;
>
> return connector_status_unknown;
> @@ -197,6 +197,7 @@ static int dumb_vga_probe(struct platform_device *pdev)
> if (PTR_ERR(vga->ddc) == -ENODEV) {
> dev_dbg(&pdev->dev,
> "No i2c bus specified. Disabling EDID readout\n");
> + vga->ddc = NULL;
> } else {
> dev_err(&pdev->dev, "Couldn't retrieve i2c bus\n");
> return PTR_ERR(vga->ddc);
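
Review bot: the new `vga->ddc = NULL;` in the -ENODEV branch of dumb_vga_probe() sets up the convention that every other check in this patch relies on, but nothing in the code records it. Suggest a one-line comment next to the assignment stating that ddc is NULL when no i2c bus is specified, so a later change does not reintroduce an error-pointer value that drm_connector_init_with_ddc() would hand on to be dereferenced.
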
> @@ -218,7 +219,7 @@ static int dumb_vga_remove(struct platform_device *pdev)
>
> drm_bridge_remove(&vga->bridge);
>
> - if (!IS_ERR(vga->ddc))
> + if (vga->ddc)
> i2c_put_adapter(vga->ddc);
>
> return 0;
>

Looks sane,

Reviewed-by: Neil Armstrong <narmstrong@xxxxxxxxxxxx>

Guenter, can you confirm it also fixes qemu:versatilepb?

Neil