[PATCH] gpu: drm: i915: intel_hotplug: avoid NULL pointer dereference

[PATCH] gpu: drm: i915: intel_hotplug: avoid NULL pointer dereference

[Olivier Sobrie]

I observed the following crash on my laptop after undocking it:

BUG: unable to handle kernel NULL pointer dereference at 00000000000000e4
IP: i915_hpd_poll_init_work+0x8f/0x100 [i915]
PGD 0 P4D 0
Oops: 0000 [#1] PREEMPT SMP
Modules linked in: ppp_mppe ppp_async ppp_generic slhc nf_conntrack_pptp nf_conntrack_proto_gre veth ipt_MASQUERADE nf_nat_masquerade_ipv4 nf_conntrack_netlink nfnetlink xfrm_user
 kvm irqbypass crct10dif_pclmul iwlmvm crc32_pclmul ghash_clmulni_intel mei_wdt iTCO_wdt iTCO_vendor_support mac80211 wmi_bmof pcbc i2c_algo_bit snd_hda_intel drm_kms_helper snd_hd
 usbcore usb_common i8042 serio vfat fat trusted tpm crc32c_generic crc32c_intel btrfs xor zstd_decompress zstd_compress xxhash raid6_pq
CPU: 0 PID: 37 Comm: kworker/0:1 Tainted: G     U     O    4.14.9-1-ARCH #1
Hardware name: LENOVO 20F9CTO1WW/20F9CTO1WW, BIOS N1CET56W (1.24 ) 04/19/2017
Workqueue: events i915_hpd_poll_init_work [i915]
task: ffffa0bd09132dc0 task.stack: ffffb177032b0000
RIP: 0010:i915_hpd_poll_init_work+0x8f/0x100 [i915]
RSP: 0018:ffffb177032b3e58 EFLAGS: 00010202
RAX: ffffa0bcf5b2d800 RBX: 0000000000000001 RCX: 0000000000000056
RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffffffffc0a9d8f7
RBP: ffffa0bcf8f1abc0 R08: 0000000000000003 R09: 0000000000000002
R10: ffffa0bcf8f182f8 R11: 0000000000000c00 R12: ffffa0bcf8f18000
R13: 0000000000000000 R14: ffffa0bcf8f181f8 R15: ffffa0bd092843c0
FS:  0000000000000000(0000) GS:ffffa0bd21400000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000000000e4 CR3: 0000000157c09002 CR4: 00000000003606f0
Call Trace:
 process_one_work+0x1db/0x410
 worker_thread+0x2b/0x3d0
 ? process_one_work+0x410/0x410
 kthread+0x118/0x130
 ? kthread_create_on_node+0x70/0x70
 ret_from_fork+0x1f/0x30
Code: 0f b6 90 a0 04 00 00 48 83 b8 b0 04 00 00 00 88 90 e8 02 00 00 75 dc 84 d2 75 d8 f6 85 70 da ff ff 02 74 cf 48 8b 90 00 04 00 00 <8b> 92 e4 00 00 00 85 d2 74 be 88 98 e8 02 0
RIP: i915_hpd_poll_init_work+0x8f/0x100 [i915] RSP: ffffb177032b3e58
CR2: 00000000000000e4
---[ end trace 098075e41d0a597e ]---

The values of the registers seems to indicate that it tries to
dereference the hpd_pin field of the encoder structure. The value 0xe4
corresponds to the offset of the field hpd_pin in the encoder structure.
It appears that encoder->hpd_pin is accessed without checking first that
encoder is not NULL. The same issue may happen in
intel_hpd_irq_storm_reenable_work().
This patch should fix these issues.

Signed-off-by: Olivier Sobrie <olivier@sobrie.be>
---
 drivers/gpu/drm/i915/intel_hotplug.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/i915/intel_hotplug.c b/drivers/gpu/drm/i915/intel_hotplug.c
index 875d5d218d5c..ab7e8dd0cf5b 100644
--- a/drivers/gpu/drm/i915/intel_hotplug.c
+++ b/drivers/gpu/drm/i915/intel_hotplug.c
@@ -245,7 +245,8 @@ static void intel_hpd_irq_storm_reenable_work(struct work_struct *work)
 		drm_for_each_connector_iter(connector, &conn_iter) {
 			struct intel_connector *intel_connector = to_intel_connector(connector);
 
-			if (intel_connector->encoder->hpd_pin == i) {
+			if (intel_connector->encoder &&
+			    (intel_connector->encoder->hpd_pin == i)) {
 				if (connector->polled != intel_connector->polled)
 					DRM_DEBUG_DRIVER("Reenabling HPD on connector %s\n",
 							 connector->name);
@@ -546,6 +547,7 @@ static void i915_hpd_poll_init_work(struct work_struct *work)
 			continue;
 
 		if (!connector->polled && I915_HAS_HOTPLUG(dev_priv) &&
+		    intel_connector->encoder &&
 		    intel_connector->encoder->hpd_pin > HPD_NONE) {
 			connector->polled = enabled ?
 				DRM_CONNECTOR_POLL_CONNECT |
-- 
2.15.1

✓ Fi.CI.BAT: success for gpu: drm: i915: intel_hotplug: avoid NULL pointer dereference

[Patchwork]

== Series Details ==

Series: gpu: drm: i915: intel_hotplug: avoid NULL pointer dereference
URL   : https://patchwork.freedesktop.org/series/36150/
State : success

== Summary ==

Series 36150v1 gpu: drm: i915: intel_hotplug: avoid NULL pointer dereference
https://patchwork.freedesktop.org/api/1.0/series/36150/revisions/1/mbox/

Test debugfs_test:
        Subgroup read_all_entries:
                incomplete -> PASS       (fi-snb-2520m) fdo#103713
Test kms_flip:
        Subgroup basic-flip-vs-wf_vblank:
                pass       -> FAIL       (fi-hsw-4770r) fdo#100368

fdo#103713 https://bugs.freedesktop.org/show_bug.cgi?id=103713
fdo#100368 https://bugs.freedesktop.org/show_bug.cgi?id=100368

fi-bdw-5557u     total:288  pass:267  dwarn:0   dfail:0   fail:0   skip:21  time:421s
fi-bdw-gvtdvm    total:288  pass:264  dwarn:0   dfail:0   fail:0   skip:24  time:432s
fi-blb-e6850     total:288  pass:223  dwarn:1   dfail:0   fail:0   skip:64  time:372s
fi-bsw-n3050     total:288  pass:242  dwarn:0   dfail:0   fail:0   skip:46  time:491s
fi-bwr-2160      total:288  pass:183  dwarn:0   dfail:0   fail:0   skip:105 time:282s
fi-bxt-dsi       total:288  pass:258  dwarn:0   dfail:0   fail:0   skip:30  time:488s
fi-bxt-j4205     total:288  pass:259  dwarn:0   dfail:0   fail:0   skip:29  time:489s
fi-byt-j1900     total:288  pass:253  dwarn:0   dfail:0   fail:0   skip:35  time:480s
fi-byt-n2820     total:288  pass:249  dwarn:0   dfail:0   fail:0   skip:39  time:461s
fi-elk-e7500     total:224  pass:168  dwarn:10  dfail:0   fail:0   skip:45 
fi-gdg-551       total:288  pass:179  dwarn:0   dfail:0   fail:1   skip:108 time:278s
fi-glk-1         total:288  pass:260  dwarn:0   dfail:0   fail:0   skip:28  time:517s
fi-hsw-4770      total:288  pass:261  dwarn:0   dfail:0   fail:0   skip:27  time:393s
fi-hsw-4770r     total:288  pass:260  dwarn:0   dfail:0   fail:1   skip:27  time:389s
fi-ilk-650       total:288  pass:228  dwarn:0   dfail:0   fail:0   skip:60  time:413s
fi-ivb-3520m     total:288  pass:259  dwarn:0   dfail:0   fail:0   skip:29  time:451s
fi-ivb-3770      total:288  pass:255  dwarn:0   dfail:0   fail:0   skip:33  time:424s
fi-kbl-7500u     total:288  pass:263  dwarn:1   dfail:0   fail:0   skip:24  time:468s
fi-kbl-7560u     total:288  pass:269  dwarn:0   dfail:0   fail:0   skip:19  time:501s
fi-kbl-7567u     total:288  pass:268  dwarn:0   dfail:0   fail:0   skip:20  time:455s
fi-kbl-r         total:288  pass:260  dwarn:1   dfail:0   fail:0   skip:27  time:506s
fi-pnv-d510      total:288  pass:222  dwarn:1   dfail:0   fail:0   skip:65  time:581s
fi-skl-6260u     total:288  pass:268  dwarn:0   dfail:0   fail:0   skip:20  time:429s
fi-skl-6600u     total:288  pass:261  dwarn:0   dfail:0   fail:0   skip:27  time:508s
fi-skl-6700hq    total:288  pass:262  dwarn:0   dfail:0   fail:0   skip:26  time:531s
fi-skl-6700k2    total:288  pass:264  dwarn:0   dfail:0   fail:0   skip:24  time:495s
fi-skl-6770hq    total:288  pass:268  dwarn:0   dfail:0   fail:0   skip:20  time:499s
fi-snb-2520m     total:288  pass:248  dwarn:0   dfail:0   fail:0   skip:40  time:535s
fi-snb-2600      total:288  pass:248  dwarn:0   dfail:0   fail:0   skip:40  time:403s
Blacklisted hosts:
fi-cfl-s2        total:288  pass:262  dwarn:0   dfail:0   fail:0   skip:26  time:568s
fi-glk-dsi       total:288  pass:258  dwarn:0   dfail:0   fail:0   skip:30  time:479s

70afdd6e5dfe93544afc231645c09084ec508b01 drm-tip: 2018y-01m-08d-13h-41m-31s UTC integration manifest
1fb3c852ea0e gpu: drm: i915: intel_hotplug: avoid NULL pointer dereference

== Logs ==

For more details see: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_7623/issues.html
_______________________________________________
Intel-gfx mailing list
Intel-gfx@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/intel-gfx