From: Olivier Sobrie
To: Jani Nikula, Joonas Lahtinen, Rodrigo Vivi, David Airlie
Cc: intel-gfx@lists.freedesktop.org, dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org, olivier@sobrie.be
Subject: [PATCH] gpu: drm: i915: intel_hotplug: avoid NULL pointer dereference
Date: Sun, 7 Jan 2018 09:00:18 +0100
Message-Id: <20180107080018.18532-1-olivier@sobrie.be>

I observed the following crash on my laptop after undocking it:

BUG: unable to handle kernel NULL pointer dereference at 00000000000000e4
IP: i915_hpd_poll_init_work+0x8f/0x100 [i915]
PGD 0 P4D 0
Oops: 0000 [#1] PREEMPT SMP
Modules linked in: ppp_mppe ppp_async ppp_generic slhc nf_conntrack_pptp nf_conntrack_proto_gre veth ipt_MASQUERADE nf_nat_masquerade_ipv4 nf_conntrack_netlink nfnetlink xfrm_user kvm irqbypass crct10dif_pclmul iwlmvm crc32_pclmul ghash_clmulni_intel mei_wdt iTCO_wdt iTCO_vendor_support mac80211 wmi_bmof pcbc i2c_algo_bit snd_hda_intel drm_kms_helper snd_hd usbcore usb_common i8042 serio vfat fat trusted tpm crc32c_generic crc32c_intel btrfs xor zstd_decompress zstd_compress xxhash raid6_pq
CPU: 0 PID: 37 Comm: kworker/0:1 Tainted: G U O 4.14.9-1-ARCH #1
Hardware name: LENOVO 20F9CTO1WW/20F9CTO1WW, BIOS N1CET56W (1.24 ) 04/19/2017
Workqueue: events i915_hpd_poll_init_work [i915]
task: ffffa0bd09132dc0 task.stack: ffffb177032b0000
RIP: 0010:i915_hpd_poll_init_work+0x8f/0x100 [i915]
RSP: 0018:ffffb177032b3e58 EFLAGS: 00010202
RAX: ffffa0bcf5b2d800 RBX: 0000000000000001 RCX: 0000000000000056
RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffffffffc0a9d8f7
RBP: ffffa0bcf8f1abc0 R08: 0000000000000003 R09: 0000000000000002
R10: ffffa0bcf8f182f8 R11: 0000000000000c00 R12: ffffa0bcf8f18000
R13: 0000000000000000 R14: ffffa0bcf8f181f8 R15: ffffa0bd092843c0
FS: 0000000000000000(0000) GS:ffffa0bd21400000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000000000e4 CR3: 0000000157c09002 CR4: 00000000003606f0
Call Trace:
 process_one_work+0x1db/0x410
 worker_thread+0x2b/0x3d0
 ? process_one_work+0x410/0x410
 kthread+0x118/0x130
 ? kthread_create_on_node+0x70/0x70
 ret_from_fork+0x1f/0x30
Code: 0f b6 90 a0 04 00 00 48 83 b8 b0 04 00 00 00 88 90 e8 02 00 00 75 dc 84 d2 75 d8 f6 85 70 da ff ff 02 74 cf 48 8b 90 00 04 00 00 <8b> 92 e4 00 00 00 85 d2 74 be 88 98 e8 02 0
RIP: i915_hpd_poll_init_work+0x8f/0x100 [i915] RSP: ffffb177032b3e58
CR2: 00000000000000e4
---[ end trace 098075e41d0a597e ]---

The values of the registers seem to indicate that it tries to dereference the hpd_pin field of the encoder structure. The value 0xe4 corresponds to the offset of the field hpd_pin in the encoder structure. It appears that encoder->hpd_pin is accessed without checking first that encoder is not NULL. The same issue may happen in intel_hpd_irq_storm_reenable_work().

This patch should fix these issues.

Signed-off-by: Olivier Sobrie
--- drivers/gpu/drm/i915/intel_hotplug.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/gpu/drm/i915/intel_hotplug.c b/drivers/gpu/drm/i915/intel_hotplug.c index 875d5d218d5c..ab7e8dd0cf5b 100644 --- a/drivers/gpu/drm/i915/intel_hotplug.c +++ b/drivers/gpu/drm/i915/intel_hotplug.c @@ -245,7 +245,8 @@ static void intel_hpd_irq_storm_reenable_work(struct work_struct *work) drm_for_each_connector_iter(connector, &conn_iter) { struct intel_connector *intel_connector = to_intel_connector(connector); - if (intel_connector->encoder->hpd_pin == i) { + if (intel_connector->encoder && + (intel_connector->encoder->hpd_pin == i)) { if (connector->polled != intel_connector->polled) DRM_DEBUG_DRIVER("Reenabling HPD on connector %s\n", connector->name); 
@@ -546,6 +547,7 @@ static void i915_hpd_poll_init_work(struct work_struct *work) continue; if (!connector->polled && I915_HAS_HOTPLUG(dev_priv) && + intel_connector->encoder && intel_connector->encoder->hpd_pin > HPD_NONE) { connector->polled = enabled ? DRM_CONNECTOR_POLL_CONNECT | -- 2.15.1
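
Review bot: in the intel_hpd_irq_storm_reenable_work() hunk, the parentheses around "intel_connector->encoder->hpd_pin == i" are redundant and differ from the i915_hpd_poll_init_work() hunk, where the same guard is written without them; drop them so both conditions read the same way. The oops in the commit message points at i915_hpd_poll_init_work only, and the message says the issue "may happen" here, so the changelog should state whether this path was seen with a NULL encoder or is being guarded by analogy.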
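
Review bot: in the i915_hpd_poll_init_work() hunk, the added "intel_connector->encoder &&" test carries no comment, and the commit message does not say why a connector has no encoder after undocking. With the guard in place a connector whose encoder is NULL skips the branch that assigns connector->polled, so please add a one-line comment naming the case and confirm that leaving connector->polled unchanged for such connectors is the intended behaviour rather than a side effect of avoiding the crash.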