drm/dp_mst: Fix NULL deref in drm_dp_get_one_sb_msg()

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

While we don't need this function to store an mstb anywhere for UP
requests since we process them asynchronously, we do need to make sure
that we don't try to write to **mstb for UP requests otherwise we'll
cause a NULL pointer deref:

RIP: 0010:drm_dp_get_one_sb_msg+0x4b/0x460 [drm_kms_helper]
Call Trace:
? vprintk_emit+0x16a/0x230
? drm_dp_mst_hpd_irq+0x133/0x1010 [drm_kms_helper]
drm_dp_mst_hpd_irq+0x133/0x1010 [drm_kms_helper]
? __drm_dbg+0x87/0x90 [drm]
? intel_dp_hpd_pulse+0x24b/0x400 [i915]
intel_dp_hpd_pulse+0x24b/0x400 [i915]
i915_digport_work_func+0xd6/0x160 [i915]
process_one_work+0x1a9/0x370
worker_thread+0x4d/0x3a0
kthread+0xf9/0x130
? process_one_work+0x370/0x370
? kthread_park+0x90/0x90
ret_from_fork+0x35/0x40

So, fix this.

Signed-off-by: Lyude Paul <lyude@redhat.com>
Fixes: fbc821c4a506 ("drm/mst: Support simultaneous down replies")
Cc: Wayne Lin <Wayne.Lin@amd.com>
Cc: Lyude Paul <lyude@redhat.com>
Cc: Wayne Lin <waynelin@amd.com>
Cc: Sean Paul <seanpaul@chromium.org>
Link: https://patchwork.freedesktop.org/patch/msgid/20200406193352.1245985-1-lyude@redhat.com
Reviewed-by: Sean Paul <sean@poorly.run>

Lyude Paul 6 years ago cbfb1b74 ed7cca1f

+2 -1

1 changed file

expand all

drivers

gpu

drm

drm_dp_mst_topology.c

+2 -1

drivers/gpu/drm/drm_dp_mst_topology.c

··· 3702 3702 int basereg = up ? DP_SIDEBAND_MSG_UP_REQ_BASE : 3703 3703 DP_SIDEBAND_MSG_DOWN_REP_BASE; 3704 3704 3705 - *mstb = NULL; 3705 + if (!up) 3706 + *mstb = NULL; 3706 3707 *seqno = -1; 3707 3708 3708 3709 len = min(mgr->max_dpcd_transaction_bytes, 16);