Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp2207441imu; Wed, 21 Nov 2018 08:11:14 -0800 (PST) X-Google-Smtp-Source: AFSGD/VasxUYvtNapQqV1QXQVCTItJZc8c/TRVgwebkJB7BqX19E9vn8EhznN9sCtKNab+k0yuKJ X-Received: by 2002:a63:1412:: with SMTP id u18mr6429396pgl.247.1542816674468; Wed, 21 Nov 2018 08:11:14 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1542816674; cv=none; d=google.com; s=arc-20160816; b=A5KLzKipKM+Ox6W7E6wPe6X73fprq6JV3tv8Rp1vbrDjLSN3osQgklUJUEfgLXXaB3 K/7KgmEWU+sU4it/gBwMB2ZBMwzR/UB6uNUyoFYNtbtxIXlMeN8Z7KyrcQlvHvoURS2U htWX95zS2Yu8hcDny6SkGCgW73IhpnXndGTa+/9C6VbAek3swDhhhSyPdPwpyTA2/6o7 7iSreHQBIzlPDhfNi8FABtsKC/PZemgAf1Kz9+koS5bY7zP2WLVexvGWU4syRJPuYZSc qXAmkK9nIe+37WkZll9Zfjot50YuRKZN4zvYD36R43tjVkvpy4rSqgr4qmQkqjVCNGh4 McAQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from; bh=ZldbxtfHBycBcimdZ+mu/dBY5CHvmjl3grLyYHnbVHw=; b=A4qfFdO06HNSfPFzvVzY9GYU7IhPxfPrK1j5YAI3Y6lTFD8VdKghwUMmWp7XXc7NPY +6m+5bzxfUm1FOobG55qIaI/E2+mtgalVQvAh+wLN6u7C3nJ5X6JpclGElNE2IChqPfQ PCms3dJPKEWkxphHfEgCDMVml5AxZZ/J/Pk++B0V/uGnYdEuUbCOPlF1iVNl65BgwTGF UU7r+VhVubebZJKm1jU024sKTiCgaN3oi74UK92ktbGa89S1YSBPv2xaef/utSeSOSBX yJ1L3GsNy2doUxSxFfSlspMcGb+9rQZF37jd+7C2t17U70Ef7skbIA3t3mV3e8tZGWJQ gxAA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=collabora.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id f95si9725748plb.60.2018.11.21.08.10.35; Wed, 21 Nov 2018 08:11:14 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=collabora.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731784AbeKVCoh (ORCPT + 99 others); Wed, 21 Nov 2018 21:44:37 -0500 Received: from bhuna.collabora.co.uk ([46.235.227.227]:49214 "EHLO bhuna.collabora.co.uk" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1731421AbeKVCog (ORCPT ); Wed, 21 Nov 2018 21:44:36 -0500 Received: from [127.0.0.1] (localhost [127.0.0.1]) (Authenticated sender: sre) with ESMTPSA id 6B53A260A1E From: Sebastian Reichel To: Sebastian Reichel , Tomi Valkeinen , Tony Lindgren , Pavel Machek , Laurent Pinchart Cc: "H. Nikolaus Schaller" , dri-devel@lists.freedesktop.org, linux-omap@vger.kernel.org, linux-kernel@vger.kernel.org, kernel@collabora.com, Sebastian Reichel Subject: [PATCHv5 4/6] drm/omap: fix incorrect union usage Date: Wed, 21 Nov 2018 17:09:14 +0100 Message-Id: <20181121160916.22017-5-sebastian.reichel@collabora.com> X-Mailer: git-send-email 2.19.1 In-Reply-To: <20181121160916.22017-1-sebastian.reichel@collabora.com> References: <20181121160916.22017-1-sebastian.reichel@collabora.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org The DSI encoder sets dssdev->ops->dsi.set_config, which is stored at the same offset as dssdev->ops->hdmi.set_hdmi_mode. The code in omap_encoder only checks if dssdev->ops->hdmi.set_hdmi_mode is NULL. Due to the way union works, it won't be NULL if dsi.set_config is set. This means dsi_set_config will be called with config=hdmi_mode=false=NULL parameter resulting in a NULL dereference. Also the dereference happens while console is locked, so kernel hangs without any debug output without "fb.lockless_register_fb=1" parameter. This restructures the code, so that the HDMI mode is only configured for HDMI output types. The new function also has a safe-guard directly before accessing the union, that can be optimized away by the compiler when the function is inlined and HDMI type has already been checked. Fixes: 83910ad3f51fb ("drm/omap: Move most omap_dss_driver operations to omap_dss_device_ops") Signed-off-by: Sebastian Reichel --- drivers/gpu/drm/omapdrm/omap_encoder.c | 62 +++++++++++++++----------- 1 file changed, 37 insertions(+), 25 deletions(-) diff --git a/drivers/gpu/drm/omapdrm/omap_encoder.c b/drivers/gpu/drm/omapdrm/omap_encoder.c index 32bbe3a80e7d..f356821cd078 100644 --- a/drivers/gpu/drm/omapdrm/omap_encoder.c +++ b/drivers/gpu/drm/omapdrm/omap_encoder.c @@ -52,17 +52,48 @@ static const struct drm_encoder_funcs omap_encoder_funcs = { .destroy = omap_encoder_destroy, }; +static void omap_encoder_hdmi_mode_set(struct drm_encoder *encoder, + struct drm_display_mode *adjusted_mode) +{ + struct drm_device *dev = encoder->dev; + struct omap_encoder *omap_encoder = to_omap_encoder(encoder); + struct omap_dss_device *dssdev = omap_encoder->output; + struct drm_connector *connector; + bool hdmi_mode; + + hdmi_mode = false; + list_for_each_entry(connector, &dev->mode_config.connector_list, head) { + if (connector->encoder == encoder) { + hdmi_mode = omap_connector_get_hdmi_mode(connector); + break; + } + } + + /* safe-guard for accessing dssdev->ops->hdmi union */ + if (dssdev->output_type != OMAP_DISPLAY_TYPE_HDMI) + return; + + if (dssdev->ops->hdmi.set_hdmi_mode) + dssdev->ops->hdmi.set_hdmi_mode(dssdev, hdmi_mode); + + if (hdmi_mode && dssdev->ops->hdmi.set_infoframe) { + struct hdmi_avi_infoframe avi; + int r; + + r = drm_hdmi_avi_infoframe_from_display_mode(&avi, adjusted_mode, + false); + if (r == 0) + dssdev->ops->hdmi.set_infoframe(dssdev, &avi); + } +} + static void omap_encoder_mode_set(struct drm_encoder *encoder, struct drm_display_mode *mode, struct drm_display_mode *adjusted_mode) { - struct drm_device *dev = encoder->dev; struct omap_encoder *omap_encoder = to_omap_encoder(encoder); - struct drm_connector *connector; struct omap_dss_device *dssdev; struct videomode vm = { 0 }; - bool hdmi_mode; - int r; drm_display_mode_to_videomode(adjusted_mode, &vm); @@ -112,27 +143,8 @@ static void omap_encoder_mode_set(struct drm_encoder *encoder, } /* Set the HDMI mode and HDMI infoframe if applicable. */ - hdmi_mode = false; - list_for_each_entry(connector, &dev->mode_config.connector_list, head) { - if (connector->encoder == encoder) { - hdmi_mode = omap_connector_get_hdmi_mode(connector); - break; - } - } - - dssdev = omap_encoder->output; - - if (dssdev->ops->hdmi.set_hdmi_mode) - dssdev->ops->hdmi.set_hdmi_mode(dssdev, hdmi_mode); - - if (hdmi_mode && dssdev->ops->hdmi.set_infoframe) { - struct hdmi_avi_infoframe avi; - - r = drm_hdmi_avi_infoframe_from_display_mode(&avi, adjusted_mode, - false); - if (r == 0) - dssdev->ops->hdmi.set_infoframe(dssdev, &avi); - } + if (omap_encoder->output->output_type == OMAP_DISPLAY_TYPE_HDMI) + omap_encoder_hdmi_mode_set(encoder, adjusted_mode); } static void omap_encoder_disable(struct drm_encoder *encoder) -- 2.19.1