Received: by 2002:a05:6a10:6d10:0:0:0:0 with SMTP id gq16csp233101pxb;
        Tue, 12 Apr 2022 00:05:49 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJyqSf1ygODqhrnu5cNS2YgvKGkU/0J6W0VyFO6dcviW3WJPNLcwQ7TolY64L/OjLypW35SN
X-Received: by 2002:a05:6402:4487:b0:41d:9622:3292 with SMTP id er7-20020a056402448700b0041d96223292mr774958edb.330.1649747141496;
        Tue, 12 Apr 2022 00:05:41 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1649747141; cv=none;
        d=google.com; s=arc-20160816;
        b=Nyc2/HyP5L4oWj+2fPAPh34xEh35tECOxJXASQo8+AlcSSYpeBbBL3Oa3ZYGpN29aL
         kB1cmGWOv5fY714koZ0jVmtiX5KqideFdpJMqmhpy/adOCdzHLaQyPwJR4hH+F+HFsKC
         zfPK2AuyctP507pVRK7QhFi8K/BU7P8WLu62RZJM/dpMiKP3f5HwBQ05GagMoiXUBsts
         rM79DZaC2FPZGGrNsLHer/6vV1lhofAAlZw125moZRzWPpnnetCgsDx3/6Nec8exAJMb
         2xnLH2Qiw2tVjsaCTc0YtjJREXjiRZap10ZJw2mLpoVnZxxAQ6F7D+5fLrfaKhL9iqkW
         Ju4Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:in-reply-to:from
         :references:cc:to:content-language:subject:user-agent:mime-version
         :date:message-id:dkim-signature;
        bh=9nnU/hlsgDy+lppU4ToxpqXZCXzo/JN9tONmD8z7t0M=;
        b=yM4rK7yDV+12P1voLC59gwcL0XBpAzFm92CY7/rOSEO2RaEV47EgBmNP1BPQcbCZ6o
         IRKWkdu4QUArDqZnM9yPaOTqYmztJLXKoRfzaEwAvfNR1A3Oi0SPqBdoar/ao+Itzs2x
         Xg7ZW9CD3sE+2u4RYMEE3ryvgcGaGwj6RP0d7vysYwTr0z0gDDlPh42reCOIOZY9aRa5
         FDHLrhN2Gi0j7wRPd3Udkyo714g2RIfv7TmGLHpfcA0boXbbehN3WpIrA/y4f43xq4Wu
         u9H2D9jNgDscv8EzUvN5dO7yhKUOX0HFUymDbdEhYzOIDuvFbb/nh/8TZOEr6snsSoul
         Qk1A==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@linaro.org header.s=google header.b=s+acL3Gu;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id a25-20020a1709062b1900b006e86c3056c2si6664015ejg.33.2022.04.12.00.05.07;
        Tue, 12 Apr 2022 00:05:41 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@linaro.org header.s=google header.b=s+acL3Gu;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S238500AbiDKA6t (ORCPT <rfc822;arunks.linux@gmail.com>
        + 99 others); Sun, 10 Apr 2022 20:58:49 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:35136 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S238783AbiDKA6q (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Sun, 10 Apr 2022 20:58:46 -0400
Received: from mail-lf1-x130.google.com (mail-lf1-x130.google.com [IPv6:2a00:1450:4864:20::130])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id DBD041CB17
        for <linux-kernel@vger.kernel.org>; Sun, 10 Apr 2022 17:56:33 -0700 (PDT)
Received: by mail-lf1-x130.google.com with SMTP id u7so6849177lfs.8
        for <linux-kernel@vger.kernel.org>; Sun, 10 Apr 2022 17:56:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=linaro.org; s=google;
        h=message-id:date:mime-version:user-agent:subject:content-language:to
         :cc:references:from:in-reply-to:content-transfer-encoding;
        bh=9nnU/hlsgDy+lppU4ToxpqXZCXzo/JN9tONmD8z7t0M=;
        b=s+acL3GufGKRuADS3DU+Tl535oN0NiRYHOaSbwAGp1nnqf4i2AelYYSwf2pC0rcdQo
         CetSVGmAhbEgKZAjlpABCeudEqT6qApYSA2mgKmkWtQgBNLag2Z+Y0014IxV42g8J6TS
         KQm0uUNjx/+IW74QYTlE1lnhuoGVi4f//EXt65PPRH0phWmuy2xpf7PF5VsvRcHV9dHv
         SZj3130pFZZF8vy97v1FWFW2BoSCbHr3WH+L6m0IBPc7I0sq19w79edI8xd+M8lHbwI3
         9aVMwMV/4QWr5k8UZmZbGHEvu6MiFwG7xyiBgiW6aFZY44XLnmZtk8U2DdNHDzLWjg7U
         d/Pg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=x-gm-message-state:message-id:date:mime-version:user-agent:subject
         :content-language:to:cc:references:from:in-reply-to
         :content-transfer-encoding;
        bh=9nnU/hlsgDy+lppU4ToxpqXZCXzo/JN9tONmD8z7t0M=;
        b=7yF+ZWnCrOJ53I0kkXrsR32gGs44onkB/0Rq/f7Cie2B8BaeLfXwj7+AoHhGXqV9u3
         9BPfwj7Pgoq2++qJdAkNDfVsB8m8eDR8uDDr1Ndg0uPWSRwfQZlsDwzf1N4S4A5Eq21m
         lNnE2H1/nO+9/6xAc4Lal3YW6svw+0aGRQbQk5QS4+a5exy6VNRPQHybU4nOuNLle7r9
         0sjPmwTCoQQw4TWxCbC0UUyiDv9dzx53J3RBwV4HzPBrQJNpL2LeprDGY+5Sjo7ZHj2P
         IyCH5tIEEuzZGrkDhoX79/mpt5FKqQfNt74PwmlGDfdggxJFQk7M6X+8mbjG2k8ClaUZ
         C4xg==
X-Gm-Message-State: AOAM530p38BY6MGHOVUG+wcuDnHq/txGdA2v2hJoxWsL/ytJWcovzeku
        fmaqXN6a4I27S6X3yusfW5uIqg==
X-Received: by 2002:a05:6512:3050:b0:44b:111:be72 with SMTP id b16-20020a056512305000b0044b0111be72mr19981248lfb.138.1649638592169;
        Sun, 10 Apr 2022 17:56:32 -0700 (PDT)
Received: from [192.168.1.211] ([37.153.55.125])
        by smtp.gmail.com with ESMTPSA id j29-20020a056512029d00b0046ba6e0cc32sm125926lfp.300.2022.04.10.17.56.31
        (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
        Sun, 10 Apr 2022 17:56:31 -0700 (PDT)
Message-ID: <0788b245-ee8f-25de-dde3-7ff10f6c688c@linaro.org>
Date:   Mon, 11 Apr 2022 03:56:31 +0300
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101
 Thunderbird/91.7.0
Subject: Re: [PATCH] dpu1: dpu_encoder: fix a missing check on list iterator
Content-Language: en-GB
To:     Xiaomeng Tong <xiam0nd.tong@gmail.com>, robdclark@gmail.com,
        sean@poorly.run, airlied@linux.ie, daniel@ffwll.ch
Cc:     quic_abhinavk@quicinc.com, swboyd@chromium.org,
        bjorn.andersson@linaro.org, quic_khsieh@quicinc.com,
        quic_kalyant@quicinc.com, markyacoub@google.com,
        jsanka@codeaurora.org, linux-arm-msm@vger.kernel.org,
        dri-devel@lists.freedesktop.org, freedreno@lists.freedesktop.org,
        linux-kernel@vger.kernel.org, stable@vger.kernel.org
References: <20220327073252.10871-1-xiam0nd.tong@gmail.com>
From:   Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
In-Reply-To: <20220327073252.10871-1-xiam0nd.tong@gmail.com>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
X-Spam-Status: No, score=-5.2 required=5.0 tests=BAYES_00,DKIM_SIGNED,
        DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,NICE_REPLY_A,RCVD_IN_DNSWL_NONE,
        SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=unavailable
        autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On 27/03/2022 10:32, Xiaomeng Tong wrote:
> The bug is here:
> 	 cstate = to_dpu_crtc_state(drm_crtc->state);
> 
> For the drm_for_each_crtc(), just like list_for_each_entry(),
> the list iterator 'drm_crtc' will point to a bogus position
> containing HEAD if the list is empty or no element is found.
> This case must be checked before any use of the iterator,
> otherwise it will lead to a invalid memory access.
> 
> To fix this bug, use a new variable 'iter' as the list iterator,
> while use the origin variable 'drm_crtc' as a dedicated pointer
> to point to the found element.
> 
> Cc: stable@vger.kernel.org
> Fixes: b107603b4ad0f ("drm/msm/dpu: map mixer/ctl hw blocks in encoder modeset")
> Signed-off-by: Xiaomeng Tong <xiam0nd.tong@gmail.com>

Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>

> ---
>   drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c | 11 ++++++++---
>   1 file changed, 8 insertions(+), 3 deletions(-)
> 
> diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c
> index 1e648db439f9..d3fdb18e96f9 100644
> --- a/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c
> +++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c
> @@ -965,7 +965,7 @@ static void dpu_encoder_virt_mode_set(struct drm_encoder *drm_enc,
>   	struct dpu_kms *dpu_kms;
>   	struct list_head *connector_list;
>   	struct drm_connector *conn = NULL, *conn_iter;
> -	struct drm_crtc *drm_crtc;
> +	struct drm_crtc *drm_crtc = NULL, *iter;
>   	struct dpu_crtc_state *cstate;
>   	struct dpu_global_state *global_state;
>   	struct dpu_hw_blk *hw_pp[MAX_CHANNELS_PER_ENC];
> @@ -1007,9 +1007,14 @@ static void dpu_encoder_virt_mode_set(struct drm_encoder *drm_enc,
>   		return;
>   	}
>   
> -	drm_for_each_crtc(drm_crtc, drm_enc->dev)
> -		if (drm_crtc->state->encoder_mask & drm_encoder_mask(drm_enc))
> +	drm_for_each_crtc(iter, drm_enc->dev)
> +		if (iter->state->encoder_mask & drm_encoder_mask(drm_enc)) {
> +			drm_crtc = iter;
>   			break;
> +		}
> +
> +	if (!drm_crtc)
> +		return;
>   
>   	/* Query resource that have been reserved in atomic check step. */
>   	num_pp = dpu_rm_get_assigned_resources(&dpu_kms->rm, global_state,


-- 
With best wishes
Dmitry