Re: [PATCH] drm/edid: Fix crash with zero/invalid EDID
From: Ville Syrjälä
Date: Tue Oct 05 2021 - 12:45:33 EST
On Mon, Oct 04, 2021 at 09:21:27AM -0700, Douglas Anderson wrote:
> In the commit bac9c2948224 ("drm/edid: Break out reading block 0 of
> the EDID") I broke out reading the base block of the EDID to its own
> function. Unfortunately, when I did that I messed up the handling when
> drm_edid_is_zero() indicated that we had an EDID that was all 0x00 or
> when we went through 4 loops and didn't get a valid EDID. Specifically
> I needed to pass the broken EDID to connector_bad_edid() but now I was
> passing an error-pointer.
>
> Let's re-jigger things so we can pass the bad EDID in properly.
>
> Fixes: bac9c2948224 ("drm/edid: Break out reading block 0 of the EDID")
> Reported-by: kernel test robot <oliver.sang@xxxxxxxxx>
> Reported-by: Geert Uytterhoeven <geert@xxxxxxxxxxxxxx>
> Signed-off-by: Douglas Anderson <dianders@xxxxxxxxxxxx>
This part of the code is a bit of a historical fallout zone, so
it's not the easiest thing to read in general. But it looks like
what you have here should work.
Reviewed-by: Ville Syrjälä <ville.syrjala@xxxxxxxxxxxxxxx>
> ---
>
> drivers/gpu/drm/drm_edid.c | 27 +++++++++++----------------
> 1 file changed, 11 insertions(+), 16 deletions(-)
>
> diff --git a/drivers/gpu/drm/drm_edid.c b/drivers/gpu/drm/drm_edid.c
> index 9b19eee0e1b4..9c9463ec5465 100644
> --- a/drivers/gpu/drm/drm_edid.c
> +++ b/drivers/gpu/drm/drm_edid.c
> @@ -1911,13 +1911,15 @@ int drm_add_override_edid_modes(struct drm_connector *connector)
> }
> EXPORT_SYMBOL(drm_add_override_edid_modes);
>
> -static struct edid *drm_do_get_edid_base_block(
> +static struct edid *drm_do_get_edid_base_block(struct drm_connector *connector,
> int (*get_edid_block)(void *data, u8 *buf, unsigned int block,
> size_t len),
> - void *data, bool *edid_corrupt, int *null_edid_counter)
> + void *data)
> {
> - int i;
> + int *null_edid_counter = connector ? &connector->null_edid_counter : NULL;
> + bool *edid_corrupt = connector ? &connector->edid_corrupt : NULL;
> void *edid;
> + int i;
>
> edid = kmalloc(EDID_LENGTH, GFP_KERNEL);
> if (edid == NULL)
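Review bot: The new contract of drm_do_get_edid_base_block() is not documented anywhere in this hunk: `connector` may be NULL (the drm_edid_get_panel_id caller further down passes NULL), and the carp hunk below makes failure come back only as NULL, never as an ERR_PTR. A short comment above the function would stop a later caller from reintroducing an IS_ERR check or assuming a non-NULL connector, e.g. `/* @connector may be NULL; returns a kmalloc'd base block or NULL on failure, never an ERR_PTR */`. The uses of `edid_corrupt` and `null_edid_counter` lie outside the hunk; presumably they are already NULL-checked, since the old panel-id call passed `NULL, NULL`, but that is worth confirming.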
> @@ -1941,9 +1943,8 @@ static struct edid *drm_do_get_edid_base_block(
> return edid;
>
> carp:
> - kfree(edid);
> - return ERR_PTR(-EINVAL);
> -
> + if (connector)
> + connector_bad_edid(connector, edid, 1);
> out:
> kfree(edid);
> return NULL;
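Review bot: At `carp:` the buffer handed to connector_bad_edid() is a single EDID_LENGTH allocation whose contents just failed validation (all zeros, or still invalid after the retries, per the commit message), so the callee must not size any read from a field inside that block. connector_bad_edid() is not shown in this patch; if it indexes the buffer by the extension count the display reports (the byte at 0x7e that drm_do_get_edid reads later), a nonzero count in a bad base block would take it past the allocation, so it is worth confirming that its reads are bounded by the `1` passed as the block count. The fall-through from `carp:` into `out:` is now intentional and deserves a marker such as `/* fall through: free the bad block and return NULL */` before `out:`.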
> @@ -1982,14 +1983,9 @@ struct edid *drm_do_get_edid(struct drm_connector *connector,
> if (override)
> return override;
>
> - edid = (u8 *)drm_do_get_edid_base_block(get_edid_block, data,
> - &connector->edid_corrupt,
> - &connector->null_edid_counter);
> - if (IS_ERR_OR_NULL(edid)) {
> - if (IS_ERR(edid))
> - connector_bad_edid(connector, edid, 1);
> + edid = (u8 *)drm_do_get_edid_base_block(connector, get_edid_block, data);
> + if (!edid)
> return NULL;
> - }
>
> /* if there's no extensions or no connector, we're done */
> valid_extensions = edid[0x7e];
> @@ -2142,14 +2138,13 @@ u32 drm_edid_get_panel_id(struct i2c_adapter *adapter)
> struct edid *edid;
> u32 panel_id;
>
> - edid = drm_do_get_edid_base_block(drm_do_probe_ddc_edid, adapter,
> - NULL, NULL);
> + edid = drm_do_get_edid_base_block(NULL, drm_do_probe_ddc_edid, adapter);
>
> /*
> * There are no manufacturer IDs of 0, so if there is a problem reading
> * the EDID then we'll just return 0.
> */
> - if (IS_ERR_OR_NULL(edid))
> + if (!edid)
> return 0;
>
> panel_id = edid_extract_panel_id(edid);
> --
> 2.33.0.800.g4c38ced690-goog
--
Ville Syrjälä
Intel