Re: [PATCH] drm/bridge: dumb-vga-dac: Fix dereferencing -ENODEV DDC channel

From: Neil Armstrong
Date: Wed Aug 14 2019 - 10:46:15 EST


On 14/08/2019 16:39, Guenter Roeck wrote:
> On Tue, Aug 13, 2019 at 02:01:26PM +0200, Neil Armstrong wrote:
>> Hi,
>>
>>
>> On 13/08/2019 11:30, Geert Uytterhoeven wrote:
>>> If the VGA connector has no DDC channel, an error pointer will be
>>> dereferenced, e.g. on Salvator-XS:
>>>
>>> Unable to handle kernel NULL pointer dereference at virtual address 000000000000017d
>>> ...
>>> Call trace:
>>> sysfs_do_create_link_sd.isra.0+0x40/0x108
>>> sysfs_create_link+0x20/0x40
>>> drm_sysfs_connector_add+0xa8/0xc8
>>> drm_connector_register.part.3+0x54/0xb0
>>> drm_connector_register_all+0xb0/0xd0
>>> drm_modeset_register_all+0x54/0x88
>>> drm_dev_register+0x18c/0x1d8
>>> rcar_du_probe+0xe4/0x150
>>> ...
>>>
>>> This happens because vga->ddc either contains a valid DDC channel
>>> pointer, or -ENODEV, and drm_connector_init_with_ddc() expects a valid
>>> DDC channel pointer, or NULL.
>>>
>>> Fix this by resetting vga->ddc to NULL in case of -ENODEV, and replacing
>>> the existing error checks by non-NULL checks.
>>> This is similar to what the HDMI connector driver does.
>>>
>>> Fixes: a4f9087e85de141e ("drm/bridge: dumb-vga-dac: Provide ddc symlink in connector sysfs directory")
>>> Signed-off-by: Geert Uytterhoeven <geert+renesas@xxxxxxxxx>
>>> ---
>>> An alternative would be to check if vga->ddc contains an error pointer,
>>> and calling drm_connector_init() instead of
>>> drm_connector_init_with_ddc(), like before.
>>> ---
>>> drivers/gpu/drm/bridge/dumb-vga-dac.c | 7 ++++---
>>> 1 file changed, 4 insertions(+), 3 deletions(-)
>>>
>>> diff --git a/drivers/gpu/drm/bridge/dumb-vga-dac.c b/drivers/gpu/drm/bridge/dumb-vga-dac.c
>>> index 8ef6539ae78a6eb3..7aa789c358829b05 100644
>>> --- a/drivers/gpu/drm/bridge/dumb-vga-dac.c
>>> +++ b/drivers/gpu/drm/bridge/dumb-vga-dac.c
>>> @@ -42,7 +42,7 @@ static int dumb_vga_get_modes(struct drm_connector *connector)
>>> struct edid *edid;
>>> int ret;
>>>
>>> - if (IS_ERR(vga->ddc))
>>> + if (!vga->ddc)
>>> goto fallback;
>>>
>>> edid = drm_get_edid(connector, vga->ddc);
>>> @@ -84,7 +84,7 @@ dumb_vga_connector_detect(struct drm_connector *connector, bool force)
>>> * wire the DDC pins, or the I2C bus might not be working at
>>> * all.
>>> */
>>> - if (!IS_ERR(vga->ddc) && drm_probe_ddc(vga->ddc))
>>> + if (vga->ddc && drm_probe_ddc(vga->ddc))
>>> return connector_status_connected;
>>>
>>> return connector_status_unknown;
>>> @@ -197,6 +197,7 @@ static int dumb_vga_probe(struct platform_device *pdev)
>>> if (PTR_ERR(vga->ddc) == -ENODEV) {
>>> dev_dbg(&pdev->dev,
>>> "No i2c bus specified. Disabling EDID readout\n");
>>> + vga->ddc = NULL;
>>> } else {
>>> dev_err(&pdev->dev, "Couldn't retrieve i2c bus\n");
>>> return PTR_ERR(vga->ddc);
>>> @@ -218,7 +219,7 @@ static int dumb_vga_remove(struct platform_device *pdev)
>>>
>>> drm_bridge_remove(&vga->bridge);
>>>
>>> - if (!IS_ERR(vga->ddc))
>>> + if (vga->ddc)
>>> i2c_put_adapter(vga->ddc);
>>>
>>> return 0;
>>>
>>
>> Looks sane,
>>
>> Reviewed-by: Neil Armstrong <narmstrong@xxxxxxxxxxxx>
>>
>> Guenter, can you confirm it also fixes qemu:versatilepb ?
>>
>
> Yes, it does.
>
> Tested-by: Guenter Roeck <linux@xxxxxxxxxxxx>
>
> Guenter
>

Thanks for testing,

Applying to drm-misc-next