Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Received-SPF: Pass (protection.outlook.com: domain of amd.com designates
 165.204.84.17 as permitted sender) receiver=protection.outlook.com;
 client-ip=165.204.84.17; helo=SATLEXMB04.amd.com;
From:   Perry Yuan <Perry.Yuan@amd.com>
To:     <dri-devel@lists.freedesktop.org>,
        Maarten Lankhorst <maarten.lankhorst@linux.intel.com>,
        Maxime Ripard <mripard@kernel.org>,
        Thomas Zimmermann <tzimmermann@suse.de>,
        David Airlie <airlied@linux.ie>,
        Daniel Vetter <daniel@ffwll.ch>
CC:     <Ray.Huang@amd.com>, <Mario.Limonciello@amd.com>,
        <Harry.Wentland@amd.com>, <Xinmei.Huang@amd.com>,
        <Perry.Yuan@amd.com>, <linux-kernel@vger.kernel.org>
Subject: [PATCH v2] drm/dp: Fix aux->transfer NULL pointer dereference on drm_dp_dpcd_access
Date:   Mon, 1 Nov 2021 02:02:49 -0400
Message-ID: <20211101060249.35041-1-Perry.Yuan@amd.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/plain
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 01 Nov 2021 06:03:03.8361
 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: eca9585c-a3dc-4c13-7cf7-08d99cfd4488
X-MS-Exchange-CrossTenant-Id: 3dd8961f-e488-4e60-8e11-a82d994e183d
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=3dd8961f-e488-4e60-8e11-a82d994e183d;Ip=[165.204.84.17];Helo=[SATLEXMB04.amd.com]
X-MS-Exchange-CrossTenant-AuthSource: CO1NAM11FT061.eop-nam11.prod.protection.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BL0PR12MB4724
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Fix below crash by adding a check in the drm_dp_dpcd_access which
ensures that aux->transfer was actually initialized earlier.

BUG: kernel NULL pointer dereference, address: 0000000000000000
PGD 0 P4D 0
Oops: 0010 [#1] SMP NOPTI
RIP: 0010:0x0
Code: Unable to access opcode bytes at RIP 0xffffffffffffffd6.
RSP: 0018:ffffa8d64225bab8 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000020 RCX: ffffa8d64225bb5e
RDX: ffff93151d921880 RSI: ffffa8d64225bac8 RDI: ffff931511a1a9d8
RBP: ffffa8d64225bb10 R08: 0000000000000001 R09: ffffa8d64225ba60
R10: 0000000000000002 R11: 000000000000000d R12: 0000000000000001
R13: 0000000000000000 R14: ffffa8d64225bb5e R15: ffff931511a1a9d8
FS: 00007ff8ea7fa9c0(0000) GS:ffff9317fe6c0000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffd6 CR3: 000000010d5a4000 CR4: 0000000000750ee0
PKRU: 55555554
Call Trace:
drm_dp_dpcd_access+0x72/0x110 [drm_kms_helper]
drm_dp_dpcd_read+0xb7/0xf0 [drm_kms_helper]
drm_dp_start_crc+0x38/0xb0 [drm_kms_helper]
amdgpu_dm_crtc_set_crc_source+0x1ae/0x3e0 [amdgpu]
crtc_crc_open+0x174/0x220 [drm]
full_proxy_open+0x168/0x1f0
? open_proxy_open+0x100/0x100
do_dentry_open+0x156/0x370
vfs_open+0x2d/0x30

v2: fix some typo

Signed-off-by: Perry Yuan <Perry.Yuan@amd.com>
---
 drivers/gpu/drm/drm_dp_helper.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/gpu/drm/drm_dp_helper.c b/drivers/gpu/drm/drm_dp_helper.c
index 6d0f2c447f3b..76b28396001a 100644
--- a/drivers/gpu/drm/drm_dp_helper.c
+++ b/drivers/gpu/drm/drm_dp_helper.c
@@ -260,6 +260,10 @@ static int drm_dp_dpcd_access(struct drm_dp_aux *aux, u8 request,
 	msg.buffer = buffer;
 	msg.size = size;
 
+	/* No transfer function is set, so not an available DP connector */
+	if (!aux->transfer)
+		return -EINVAL;
+
 	mutex_lock(&aux->hw_mutex);
 
 	/*
-- 
2.25.1