Received-SPF: pass (google.com: domain of linux-kernel+bounces-146895-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) client-ip=147.75.80.249;
Precedence: bulk
MIME-Version: 1.0
References: <20240412083532.11540-1-amishin@t-argos.ru>
In-Reply-To: <20240412083532.11540-1-amishin@t-argos.ru>
From: Robert Foss <rfoss@kernel.org>
Date: Tue, 16 Apr 2024 15:33:18 +0200
Message-ID: <CAN6tsi6kGCGU5_zQD17-tELy94w6W5hU0nzfeR2KPhEztCayNQ@mail.gmail.com>
Subject: Re: [PATCH v2] drm: bridge: cdns-mhdp8546: Fix possible null pointer dereference
To: Aleksandr Mishin <amishin@t-argos.ru>
Cc: Swapnil Jakhade <sjakhade@cadence.com>, Andrzej Hajda <andrzej.hajda@intel.com>, 
	Neil Armstrong <neil.armstrong@linaro.org>, 
	Laurent Pinchart <Laurent.pinchart@ideasonboard.com>, Jonas Karlman <jonas@kwiboo.se>, 
	Jernej Skrabec <jernej.skrabec@gmail.com>, 
	Maarten Lankhorst <maarten.lankhorst@linux.intel.com>, Maxime Ripard <mripard@kernel.org>, 
	Thomas Zimmermann <tzimmermann@suse.de>, David Airlie <airlied@gmail.com>, Daniel Vetter <daniel@ffwll.ch>, 
	Tomi Valkeinen <tomi.valkeinen@ti.com>, 
	=?UTF-8?Q?Uwe_Kleine=2DK=C3=B6nig?= <u.kleine-koenig@pengutronix.de>, 
	Nikhil Devshatwar <nikhil.nd@ti.com>, Aradhya Bhatia <a-bhatia1@ti.com>, Jani Nikula <jani.nikula@intel.com>, 
	Rob Herring <robh@kernel.org>, Zhu Wang <wangzhu9@huawei.com>, 
	Yuti Amonkar <yamonkar@cadence.com>, Jyri Sarha <jsarha@ti.com>, 
	Quentin Schulz <quentin.schulz@free-electrons.com>, dri-devel@lists.freedesktop.org, 
	linux-kernel@vger.kernel.org, lvc-project@linuxtesting.org
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Hey Aleksandr,

On Fri, Apr 12, 2024 at 10:40=E2=80=AFAM Aleksandr Mishin <amishin@t-argos.=
ru> wrote:
>
> In cdns_mhdp_atomic_enable(), the return value of drm_mode_duplicate() is
> assigned to mhdp_state->current_mode, and there is a dereference of it in
> drm_mode_set_name(), which will lead to a NULL pointer dereference on
> failure of drm_mode_duplicate().
>
> Fix this bug by adding a check of mhdp_state->current_mode.
>
> Fixes: fb43aa0acdfd ("drm: bridge: Add support for Cadence MHDP8546 DPI/D=
P bridge")
> Signed-off-by: Aleksandr Mishin <amishin@t-argos.ru>
> ---
> v2: Fix a mistake where the mutex remained locked
>
>  drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-core.c | 5 +++++
>  1 file changed, 5 insertions(+)
>
> diff --git a/drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-core.c b/driver=
s/gpu/drm/bridge/cadence/cdns-mhdp8546-core.c
> index e226acc5c15e..5b831d6d7764 100644
> --- a/drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-core.c
> +++ b/drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-core.c
> @@ -2059,6 +2059,11 @@ static void cdns_mhdp_atomic_enable(struct drm_bri=
dge *bridge,
>         mhdp_state =3D to_cdns_mhdp_bridge_state(new_state);
>
>         mhdp_state->current_mode =3D drm_mode_duplicate(bridge->dev, mode=
);
> +       if (!mhdp_state->current_mode) {
> +               ret =3D -EINVAL;
> +               goto out;
> +       }
> +

This chunk no longer applies on drm-misc-next.

I think the approach here is still better than what is in
drm-misc-next since it unlocks link_mutex.

Can you rebase + reword the commit message and send that out as v3?

>         drm_mode_set_name(mhdp_state->current_mode);
>
>         dev_dbg(mhdp->dev, "%s: Enabling mode %s\n", __func__, mode->name=
);
> --
> 2.30.2
>