2019-08-13 09:33:20

by Geert Uytterhoeven

Subject: [PATCH] drm/bridge: dumb-vga-dac: Fix dereferencing -ENODEV DDC channel

If the VGA connector has no DDC channel, an error pointer will be
dereferenced, e.g. on Salvator-XS:

Unable to handle kernel NULL pointer dereference at virtual address 000000000000017d
...
Call trace:
sysfs_do_create_link_sd.isra.0+0x40/0x108
sysfs_create_link+0x20/0x40
drm_sysfs_connector_add+0xa8/0xc8
drm_connector_register.part.3+0x54/0xb0
drm_connector_register_all+0xb0/0xd0
drm_modeset_register_all+0x54/0x88
drm_dev_register+0x18c/0x1d8
rcar_du_probe+0xe4/0x150
...

This happens because vga->ddc either contains a valid DDC channel
pointer, or -ENODEV, and drm_connector_init_with_ddc() expects a valid
DDC channel pointer, or NULL.

Fix this by resetting vga->ddc to NULL in case of -ENODEV, and replacing
the existing error checks by non-NULL checks.
This is similar to what the HDMI connector driver does.

Fixes: a4f9087e85de141e ("drm/bridge: dumb-vga-dac: Provide ddc symlink in connector sysfs directory")
Signed-off-by: Geert Uytterhoeven <[email protected]>
---
An alternative would be to check if vga->ddc contains an error pointer,
and calling drm_connector_init() instead of
drm_connector_init_with_ddc(), like before.
---
drivers/gpu/drm/bridge/dumb-vga-dac.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/drivers/gpu/drm/bridge/dumb-vga-dac.c b/drivers/gpu/drm/bridge/dumb-vga-dac.c
index 8ef6539ae78a6eb3..7aa789c358829b05 100644
--- a/drivers/gpu/drm/bridge/dumb-vga-dac.c
+++ b/drivers/gpu/drm/bridge/dumb-vga-dac.c
@@ -42,7 +42,7 @@ static int dumb_vga_get_modes(struct drm_connector *connector)
struct edid *edid;
int ret;

- if (IS_ERR(vga->ddc))
+ if (!vga->ddc)
goto fallback;

edid = drm_get_edid(connector, vga->ddc);
@@ -84,7 +84,7 @@ dumb_vga_connector_detect(struct drm_connector *connector, bool force)
* wire the DDC pins, or the I2C bus might not be working at
* all.
*/
- if (!IS_ERR(vga->ddc) && drm_probe_ddc(vga->ddc))
+ if (vga->ddc && drm_probe_ddc(vga->ddc))
return connector_status_connected;

return connector_status_unknown;
@@ -197,6 +197,7 @@ static int dumb_vga_probe(struct platform_device *pdev)
if (PTR_ERR(vga->ddc) == -ENODEV) {
dev_dbg(&pdev->dev,
"No i2c bus specified. Disabling EDID readout\n");
+ vga->ddc = NULL;
} else {
dev_err(&pdev->dev, "Couldn't retrieve i2c bus\n");
return PTR_ERR(vga->ddc);
@@ -218,7 +219,7 @@ static int dumb_vga_remove(struct platform_device *pdev)

drm_bridge_remove(&vga->bridge);

- if (!IS_ERR(vga->ddc))
+ if (vga->ddc)
i2c_put_adapter(vga->ddc);

return 0;
--
2.17.1

2019-08-13 15:26:20

by Neil Armstrong

Subject: Re: [PATCH] drm/bridge: dumb-vga-dac: Fix dereferencing -ENODEV DDC channel

Hi,


On 13/08/2019 11:30, Geert Uytterhoeven wrote:
> If the VGA connector has no DDC channel, an error pointer will be
> dereferenced, e.g. on Salvator-XS:
>
> Unable to handle kernel NULL pointer dereference at virtual address 000000000000017d
> ...
> Call trace:
> sysfs_do_create_link_sd.isra.0+0x40/0x108
> sysfs_create_link+0x20/0x40
> drm_sysfs_connector_add+0xa8/0xc8
> drm_connector_register.part.3+0x54/0xb0
> drm_connector_register_all+0xb0/0xd0
> drm_modeset_register_all+0x54/0x88
> drm_dev_register+0x18c/0x1d8
> rcar_du_probe+0xe4/0x150
> ...
>
> This happens because vga->ddc either contains a valid DDC channel
> pointer, or -ENODEV, and drm_connector_init_with_ddc() expects a valid
> DDC channel pointer, or NULL.
>
> Fix this by resetting vga->ddc to NULL in case of -ENODEV, and replacing
> the existing error checks by non-NULL checks.
> This is similar to what the HDMI connector driver does.
>
> Fixes: a4f9087e85de141e ("drm/bridge: dumb-vga-dac: Provide ddc symlink in connector sysfs directory")
> Signed-off-by: Geert Uytterhoeven <[email protected]>
> ---
> An alternative would be to check if vga->ddc contains an error pointer,
> and calling drm_connector_init() instead of
> drm_connector_init_with_ddc(), like before.
> ---
> drivers/gpu/drm/bridge/dumb-vga-dac.c | 7 ++++---
> 1 file changed, 4 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/gpu/drm/bridge/dumb-vga-dac.c b/drivers/gpu/drm/bridge/dumb-vga-dac.c
> index 8ef6539ae78a6eb3..7aa789c358829b05 100644
> --- a/drivers/gpu/drm/bridge/dumb-vga-dac.c
> +++ b/drivers/gpu/drm/bridge/dumb-vga-dac.c
> @@ -42,7 +42,7 @@ static int dumb_vga_get_modes(struct drm_connector *connector)
> struct edid *edid;
> int ret;
>
> - if (IS_ERR(vga->ddc))
> + if (!vga->ddc)
> goto fallback;
>
> edid = drm_get_edid(connector, vga->ddc);
> @@ -84,7 +84,7 @@ dumb_vga_connector_detect(struct drm_connector *connector, bool force)
> * wire the DDC pins, or the I2C bus might not be working at
> * all.
> */
> - if (!IS_ERR(vga->ddc) && drm_probe_ddc(vga->ddc))
> + if (vga->ddc && drm_probe_ddc(vga->ddc))
> return connector_status_connected;
>
> return connector_status_unknown;
> @@ -197,6 +197,7 @@ static int dumb_vga_probe(struct platform_device *pdev)
> if (PTR_ERR(vga->ddc) == -ENODEV) {
> dev_dbg(&pdev->dev,
> "No i2c bus specified. Disabling EDID readout\n");
> + vga->ddc = NULL;
> } else {
> dev_err(&pdev->dev, "Couldn't retrieve i2c bus\n");
> return PTR_ERR(vga->ddc);
> @@ -218,7 +219,7 @@ static int dumb_vga_remove(struct platform_device *pdev)
>
> drm_bridge_remove(&vga->bridge);
>
> - if (!IS_ERR(vga->ddc))
> + if (vga->ddc)
> i2c_put_adapter(vga->ddc);
>
> return 0;
>

Looks sane,

Reviewed-by: Neil Armstrong <[email protected]>

Guenter, can you confirm it also fixes qemu:versatilepb ?

Neil

2019-08-14 14:40:26

by Guenter Roeck

Subject: Re: [PATCH] drm/bridge: dumb-vga-dac: Fix dereferencing -ENODEV DDC channel

On Tue, Aug 13, 2019 at 02:01:26PM +0200, Neil Armstrong wrote:
> Hi,
>
>
> On 13/08/2019 11:30, Geert Uytterhoeven wrote:
> > If the VGA connector has no DDC channel, an error pointer will be
> > dereferenced, e.g. on Salvator-XS:
> >
> > Unable to handle kernel NULL pointer dereference at virtual address 000000000000017d
> > ...
> > Call trace:
> > sysfs_do_create_link_sd.isra.0+0x40/0x108
> > sysfs_create_link+0x20/0x40
> > drm_sysfs_connector_add+0xa8/0xc8
> > drm_connector_register.part.3+0x54/0xb0
> > drm_connector_register_all+0xb0/0xd0
> > drm_modeset_register_all+0x54/0x88
> > drm_dev_register+0x18c/0x1d8
> > rcar_du_probe+0xe4/0x150
> > ...
> >
> > This happens because vga->ddc either contains a valid DDC channel
> > pointer, or -ENODEV, and drm_connector_init_with_ddc() expects a valid
> > DDC channel pointer, or NULL.
> >
> > Fix this by resetting vga->ddc to NULL in case of -ENODEV, and replacing
> > the existing error checks by non-NULL checks.
> > This is similar to what the HDMI connector driver does.
> >
> > Fixes: a4f9087e85de141e ("drm/bridge: dumb-vga-dac: Provide ddc symlink in connector sysfs directory")
> > Signed-off-by: Geert Uytterhoeven <[email protected]>
> > ---
> > An alternative would be to check if vga->ddc contains an error pointer,
> > and calling drm_connector_init() instead of
> > drm_connector_init_with_ddc(), like before.
> > ---
> > drivers/gpu/drm/bridge/dumb-vga-dac.c | 7 ++++---
> > 1 file changed, 4 insertions(+), 3 deletions(-)
> >
> > diff --git a/drivers/gpu/drm/bridge/dumb-vga-dac.c b/drivers/gpu/drm/bridge/dumb-vga-dac.c
> > index 8ef6539ae78a6eb3..7aa789c358829b05 100644
> > --- a/drivers/gpu/drm/bridge/dumb-vga-dac.c
> > +++ b/drivers/gpu/drm/bridge/dumb-vga-dac.c
> > @@ -42,7 +42,7 @@ static int dumb_vga_get_modes(struct drm_connector *connector)
> > struct edid *edid;
> > int ret;
> >
> > - if (IS_ERR(vga->ddc))
> > + if (!vga->ddc)
> > goto fallback;
> >
> > edid = drm_get_edid(connector, vga->ddc);
> > @@ -84,7 +84,7 @@ dumb_vga_connector_detect(struct drm_connector *connector, bool force)
> > * wire the DDC pins, or the I2C bus might not be working at
> > * all.
> > */
> > - if (!IS_ERR(vga->ddc) && drm_probe_ddc(vga->ddc))
> > + if (vga->ddc && drm_probe_ddc(vga->ddc))
> > return connector_status_connected;
> >
> > return connector_status_unknown;
> > @@ -197,6 +197,7 @@ static int dumb_vga_probe(struct platform_device *pdev)
> > if (PTR_ERR(vga->ddc) == -ENODEV) {
> > dev_dbg(&pdev->dev,
> > "No i2c bus specified. Disabling EDID readout\n");
> > + vga->ddc = NULL;
> > } else {
> > dev_err(&pdev->dev, "Couldn't retrieve i2c bus\n");
> > return PTR_ERR(vga->ddc);
> > @@ -218,7 +219,7 @@ static int dumb_vga_remove(struct platform_device *pdev)
> >
> > drm_bridge_remove(&vga->bridge);
> >
> > - if (!IS_ERR(vga->ddc))
> > + if (vga->ddc)
> > i2c_put_adapter(vga->ddc);
> >
> > return 0;
> >
>
> Looks sane,
>
> Reviewed-by: Neil Armstrong <[email protected]>
>
> Guenter, can you confirm it also fixes qemu:versatilepb ?
>

Yes, it does.

Tested-by: Guenter Roeck <[email protected]>

Guenter

2019-08-14 14:47:08

by Neil Armstrong

Subject: Re: [PATCH] drm/bridge: dumb-vga-dac: Fix dereferencing -ENODEV DDC channel

On 14/08/2019 16:39, Guenter Roeck wrote:
> On Tue, Aug 13, 2019 at 02:01:26PM +0200, Neil Armstrong wrote:
>> Hi,
>>
>>
>> On 13/08/2019 11:30, Geert Uytterhoeven wrote:
>>> If the VGA connector has no DDC channel, an error pointer will be
>>> dereferenced, e.g. on Salvator-XS:
>>>
>>> Unable to handle kernel NULL pointer dereference at virtual address 000000000000017d
>>> ...
>>> Call trace:
>>> sysfs_do_create_link_sd.isra.0+0x40/0x108
>>> sysfs_create_link+0x20/0x40
>>> drm_sysfs_connector_add+0xa8/0xc8
>>> drm_connector_register.part.3+0x54/0xb0
>>> drm_connector_register_all+0xb0/0xd0
>>> drm_modeset_register_all+0x54/0x88
>>> drm_dev_register+0x18c/0x1d8
>>> rcar_du_probe+0xe4/0x150
>>> ...
>>>
>>> This happens because vga->ddc either contains a valid DDC channel
>>> pointer, or -ENODEV, and drm_connector_init_with_ddc() expects a valid
>>> DDC channel pointer, or NULL.
>>>
>>> Fix this by resetting vga->ddc to NULL in case of -ENODEV, and replacing
>>> the existing error checks by non-NULL checks.
>>> This is similar to what the HDMI connector driver does.
>>>
>>> Fixes: a4f9087e85de141e ("drm/bridge: dumb-vga-dac: Provide ddc symlink in connector sysfs directory")
>>> Signed-off-by: Geert Uytterhoeven <[email protected]>
>>> ---
>>> An alternative would be to check if vga->ddc contains an error pointer,
>>> and calling drm_connector_init() instead of
>>> drm_connector_init_with_ddc(), like before.
>>> ---
>>> drivers/gpu/drm/bridge/dumb-vga-dac.c | 7 ++++---
>>> 1 file changed, 4 insertions(+), 3 deletions(-)
>>>
>>> diff --git a/drivers/gpu/drm/bridge/dumb-vga-dac.c b/drivers/gpu/drm/bridge/dumb-vga-dac.c
>>> index 8ef6539ae78a6eb3..7aa789c358829b05 100644
>>> --- a/drivers/gpu/drm/bridge/dumb-vga-dac.c
>>> +++ b/drivers/gpu/drm/bridge/dumb-vga-dac.c
>>> @@ -42,7 +42,7 @@ static int dumb_vga_get_modes(struct drm_connector *connector)
>>> struct edid *edid;
>>> int ret;
>>>
>>> - if (IS_ERR(vga->ddc))
>>> + if (!vga->ddc)
>>> goto fallback;
>>>
>>> edid = drm_get_edid(connector, vga->ddc);
>>> @@ -84,7 +84,7 @@ dumb_vga_connector_detect(struct drm_connector *connector, bool force)
>>> * wire the DDC pins, or the I2C bus might not be working at
>>> * all.
>>> */
>>> - if (!IS_ERR(vga->ddc) && drm_probe_ddc(vga->ddc))
>>> + if (vga->ddc && drm_probe_ddc(vga->ddc))
>>> return connector_status_connected;
>>>
>>> return connector_status_unknown;
>>> @@ -197,6 +197,7 @@ static int dumb_vga_probe(struct platform_device *pdev)
>>> if (PTR_ERR(vga->ddc) == -ENODEV) {
>>> dev_dbg(&pdev->dev,
>>> "No i2c bus specified. Disabling EDID readout\n");
>>> + vga->ddc = NULL;
>>> } else {
>>> dev_err(&pdev->dev, "Couldn't retrieve i2c bus\n");
>>> return PTR_ERR(vga->ddc);
>>> @@ -218,7 +219,7 @@ static int dumb_vga_remove(struct platform_device *pdev)
>>>
>>> drm_bridge_remove(&vga->bridge);
>>>
>>> - if (!IS_ERR(vga->ddc))
>>> + if (vga->ddc)
>>> i2c_put_adapter(vga->ddc);
>>>
>>> return 0;
>>>
>>
>> Looks sane,
>>
>> Reviewed-by: Neil Armstrong <[email protected]>
>>
>> Guenter, can you confirm it also fixes qemu:versatilepb ?
>>
>
> Yes, it does.
>
> Tested-by: Guenter Roeck <[email protected]>
>
> Guenter
>

Thanks for testing,

Applying to drm-misc-next