Re: general protection fault in drm_atomic_set_crtc_for_connector

* Re: general protection fault in drm_atomic_set_crtc_for_connector
@ 2021-08-18  9:35 Desmond Cheong Zhi Xi
  0 siblings, 0 replies; only message in thread
From: Desmond Cheong Zhi Xi @ 2021-08-18  9:35 UTC (permalink / raw)
  To: syzbot+1aec08e752387f55c449; +Cc: syzkaller-bugs, linux-kernel-mentees

#syz fix: drm: fix oops in drm_atomic_set_crtc_for_connector

At the time of the bug report [1], there was the following call in 
update_output_state:
> 			ret = drm_atomic_set_crtc_for_connector(new_conn_state,
> 								NULL);

This was followed by
> 	if (crtc) {
> 		crtc_state = drm_atomic_get_crtc_state(conn_state->state, crtc);
> 		if (IS_ERR(crtc_state))
> 			return PTR_ERR(crtc_state);
> 
> 		crtc_state->connector_mask |=
> 			drm_connector_mask(conn_state->connector);
> 
> 		drm_connector_get(conn_state->connector);
> 		conn_state->crtc = crtc;
> 
> 		drm_dbg_atomic(crtc->dev,
> 			       "Link [CONNECTOR:%d:%s] state %p to [CRTC:%d:%s]\n",
> 			       connector->base.id, connector->name,
> 			       conn_state, crtc->base.id, crtc->name);
> 	} else {
> 		drm_dbg_atomic(crtc->dev,
> 			       "Link [CONNECTOR:%d:%s] state %p to [NOCRTC]\n",
> 			       connector->base.id, connector->name,
> 			       conn_state);
> 	}

in drm_atomic_set_crtc_for_connector, which clearly dereferences a null 
pointer in the else block. This led to the reported general protection 
fault.

commit 0003b687ee6d("drm: fix oops in 
drm_atomic_set_crtc_for_connector") fixes this by getting the device 
from connector, which can't be NULL.

Link: 
https://syzkaller.appspot.com/bug?id=768a24e51bd111e0c1d6b6f4e1f09fac3c54c05d 
[1]

Best wishes,
Desmond
_______________________________________________
Linux-kernel-mentees mailing list
Linux-kernel-mentees@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/linux-kernel-mentees

^ permalink raw reply	[flat|nested] only message in thread