Re: [PATCH] drm/bridge: dumb-vga-dac: Fix dereferencing -ENODEV DDC channel

From: Guenter Roeck
Date: Wed Aug 14 2019 - 10:39:26 EST


On Tue, Aug 13, 2019 at 02:01:26PM +0200, Neil Armstrong wrote:
> Hi,
>
>
> On 13/08/2019 11:30, Geert Uytterhoeven wrote:
> > If the VGA connector has no DDC channel, an error pointer will be
> > dereferenced, e.g. on Salvator-XS:
> >
> > Unable to handle kernel NULL pointer dereference at virtual address 000000000000017d
> > ...
> > Call trace:
> > sysfs_do_create_link_sd.isra.0+0x40/0x108
> > sysfs_create_link+0x20/0x40
> > drm_sysfs_connector_add+0xa8/0xc8
> > drm_connector_register.part.3+0x54/0xb0
> > drm_connector_register_all+0xb0/0xd0
> > drm_modeset_register_all+0x54/0x88
> > drm_dev_register+0x18c/0x1d8
> > rcar_du_probe+0xe4/0x150
> > ...
> >
> > This happens because vga->ddc either contains a valid DDC channel
> > pointer, or -ENODEV, and drm_connector_init_with_ddc() expects a valid
> > DDC channel pointer, or NULL.
> >
> > Fix this by resetting vga->ddc to NULL in case of -ENODEV, and replacing
> > the existing error checks by non-NULL checks.
> > This is similar to what the HDMI connector driver does.
> >
> > Fixes: a4f9087e85de141e ("drm/bridge: dumb-vga-dac: Provide ddc symlink in connector sysfs directory")
> > Signed-off-by: Geert Uytterhoeven <geert+renesas@xxxxxxxxx>
> > ---
> > An alternative would be to check if vga->ddc contains an error pointer,
> > and calling drm_connector_init() instead of
> > drm_connector_init_with_ddc(), like before.
> > ---
> > drivers/gpu/drm/bridge/dumb-vga-dac.c | 7 ++++---
> > 1 file changed, 4 insertions(+), 3 deletions(-)
> >
> > diff --git a/drivers/gpu/drm/bridge/dumb-vga-dac.c b/drivers/gpu/drm/bridge/dumb-vga-dac.c
> > index 8ef6539ae78a6eb3..7aa789c358829b05 100644
> > --- a/drivers/gpu/drm/bridge/dumb-vga-dac.c
> > +++ b/drivers/gpu/drm/bridge/dumb-vga-dac.c
> > @@ -42,7 +42,7 @@ static int dumb_vga_get_modes(struct drm_connector *connector)
> > struct edid *edid;
> > int ret;
> >
> > - if (IS_ERR(vga->ddc))
> > + if (!vga->ddc)
> > goto fallback;
> >
> > edid = drm_get_edid(connector, vga->ddc);
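
Review bot: The new `if (!vga->ddc)` test in dumb_vga_get_modes() no longer rejects an error pointer, so any non-NULL ERR_PTR value left in vga->ddc would now be passed straight to drm_get_edid(). This is only safe because the dumb_vga_probe() hunk either resets -ENODEV to NULL or fails the probe. Please confirm that probe is the only place that assigns vga->ddc, since the same reasoning covers the matching changes in dumb_vga_connector_detect() and dumb_vga_remove().
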
> > @@ -84,7 +84,7 @@ dumb_vga_connector_detect(struct drm_connector *connector, bool force)
> > * wire the DDC pins, or the I2C bus might not be working at
> > * all.
> > */
> > - if (!IS_ERR(vga->ddc) && drm_probe_ddc(vga->ddc))
> > + if (vga->ddc && drm_probe_ddc(vga->ddc))
> > return connector_status_connected;
> >
> > return connector_status_unknown;
> > @@ -197,6 +197,7 @@ static int dumb_vga_probe(struct platform_device *pdev)
> > if (PTR_ERR(vga->ddc) == -ENODEV) {
> > dev_dbg(&pdev->dev,
> > "No i2c bus specified. Disabling EDID readout\n");
> > + vga->ddc = NULL;
> > } else {
> > dev_err(&pdev->dev, "Couldn't retrieve i2c bus\n");
> > return PTR_ERR(vga->ddc);
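
Review bot: The `vga->ddc = NULL;` reset in the -ENODEV branch of dumb_vga_probe() carries an invariant that is not documented anywhere in the hunk. After probe, vga->ddc is either a valid DDC channel or NULL, never an error pointer, and the three NULL checks introduced elsewhere in this patch depend on that. A one-line comment at the assignment (or on the ddc member) saying that NULL means "no DDC channel" would help keep a later change from storing an ERR_PTR there again, which `if (!vga->ddc)` would silently let through.
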
> > @@ -218,7 +219,7 @@ static int dumb_vga_remove(struct platform_device *pdev)
> >
> > drm_bridge_remove(&vga->bridge);
> >
> > - if (!IS_ERR(vga->ddc))
> > + if (vga->ddc)
> > i2c_put_adapter(vga->ddc);
> >
> > return 0;
> >
>
> Looks sane,
>
> Reviewed-by: Neil Armstrong <narmstrong@xxxxxxxxxxxx>
>
> Guenter, can you confirm it also fixes qemu:versatilepb ?
>

Yes, it does.

Tested-by: Guenter Roeck <linux@xxxxxxxxxxxx>

Guenter