* Re: general protection fault in drm_atomic_set_crtc_for_connector
@ 2021-08-18 9:35 Desmond Cheong Zhi Xi
From: Desmond Cheong Zhi Xi @ 2021-08-18 9:35 UTC (permalink / raw)
To: syzbot+1aec08e752387f55c449; +Cc: syzkaller-bugs, linux-kernel-mentees
#syz fix: drm: fix oops in drm_atomic_set_crtc_for_connector
At the time of the bug report [1], there was the following call in
update_output_state:
> 	ret = drm_atomic_set_crtc_for_connector(new_conn_state,
> 						NULL);
This was followed by
> 	if (crtc) {
> 		crtc_state = drm_atomic_get_crtc_state(conn_state->state, crtc);
> 		if (IS_ERR(crtc_state))
> 			return PTR_ERR(crtc_state);
>
> 		crtc_state->connector_mask |=
> 			drm_connector_mask(conn_state->connector);
>
> 		drm_connector_get(conn_state->connector);
> 		conn_state->crtc = crtc;
>
> 		drm_dbg_atomic(crtc->dev,
> 			       "Link [CONNECTOR:%d:%s] state %p to [CRTC:%d:%s]\n",
> 			       connector->base.id, connector->name,
> 			       conn_state, crtc->base.id, crtc->name);
> 	} else {
> 		drm_dbg_atomic(crtc->dev,
> 			       "Link [CONNECTOR:%d:%s] state %p to [NOCRTC]\n",
> 			       connector->base.id, connector->name,
> 			       conn_state);
> 	}
in drm_atomic_set_crtc_for_connector, which clearly dereferences a null
pointer in the else block. This led to the reported general protection
fault.
commit 0003b687ee6d ("drm: fix oops in
drm_atomic_set_crtc_for_connector") fixes this by getting the device
from connector, which can't be NULL.
Link: https://syzkaller.appspot.com/bug?id=768a24e51bd111e0c1d6b6f4e1f09fac3c54c05d [1]
Best wishes,
Desmond
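
The pattern described in the message above and the shape of its fix, as an added userspace C model that is not part of the original message or of the kernel commit. The struct layouts, dbg_atomic(), link_before() and link_after() are simplified, hypothetical stand-ins, and the sample objects are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Simplified userspace stand-ins for the DRM structs (assumed, not kernel definitions). */
struct drm_device { const char *unique; };
struct drm_crtc { struct drm_device *dev; const char *name; };
struct drm_connector { struct drm_device *dev; const char *name; };
struct drm_connector_state { struct drm_connector *connector; struct drm_crtc *crtc; };
static char msg[128];

/* Hypothetical stand-in for drm_dbg_atomic(): it needs a valid device. */
static void dbg_atomic(struct drm_device *dev, const char *conn, const char *to)
{
	snprintf(msg, sizeof(msg), "%s: Link [CONNECTOR:%s] to [%s]", dev->unique, conn, to);
}

/* Reported pattern: else runs only when crtc == NULL, yet reads crtc->dev. */
static const char *link_before(struct drm_connector_state *cs, struct drm_crtc *crtc)
{
	cs->crtc = crtc;
	if (crtc)
		dbg_atomic(crtc->dev, cs->connector->name, crtc->name);
	else
		dbg_atomic(crtc->dev, cs->connector->name, "NOCRTC"); /* NULL dereference */
	return msg;
}

/* Shape of the fix: take the device from the connector, valid on both paths. */
static const char *link_after(struct drm_connector_state *cs, struct drm_crtc *crtc)
{
	struct drm_connector *connector = cs->connector;
	cs->crtc = crtc;
	if (crtc)
		dbg_atomic(connector->dev, connector->name, crtc->name);
	else
		dbg_atomic(connector->dev, connector->name, "NOCRTC");
	return msg;
}

/* Constructed sample objects. */
static struct drm_device dev0 = { "card0" };
static struct drm_crtc crtc0 = { &dev0, "crtc-0" };
static struct drm_connector conn0 = { &dev0, "HDMI-A-1" };
static struct drm_connector_state state0 = { &conn0, NULL };

int main(void)
{
	puts(link_before(&state0, &crtc0)); /* fine only because crtc is non-NULL */
	puts(link_after(&state0, NULL));    /* detach path never touches crtc */
	return 0;
}
```

link_before() is only ever called here with a non-NULL crtc; passing NULL reproduces the faulting access in the else branch.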