drm/dp_mst: Fix NULL deref in drm_dp_get_one_sb_msg() (cbfb1b74) · Commits · linux-arm / linux-anshuman

Commit cbfb1b74 authored Apr 06, 2020 by Lyude Paul

drm/dp_mst: Fix NULL deref in drm_dp_get_one_sb_msg()



While we don't need this function to store an mstb anywhere for UP
requests since we process them asynchronously, we do need to make sure
that we don't try to write to **mstb for UP requests otherwise we'll
cause a NULL pointer deref:

    RIP: 0010:drm_dp_get_one_sb_msg+0x4b/0x460 [drm_kms_helper]
    Call Trace:
     ? vprintk_emit+0x16a/0x230
     ? drm_dp_mst_hpd_irq+0x133/0x1010 [drm_kms_helper]
     drm_dp_mst_hpd_irq+0x133/0x1010 [drm_kms_helper]
     ? __drm_dbg+0x87/0x90 [drm]
     ? intel_dp_hpd_pulse+0x24b/0x400 [i915]
     intel_dp_hpd_pulse+0x24b/0x400 [i915]
     i915_digport_work_func+0xd6/0x160 [i915]
     process_one_work+0x1a9/0x370
     worker_thread+0x4d/0x3a0
     kthread+0xf9/0x130
     ? process_one_work+0x370/0x370
     ? kthread_park+0x90/0x90
     ret_from_fork+0x35/0x40

So, fix this.

Signed-off-by: Lyude Paul <lyude@redhat.com>
Fixes: fbc821c4 ("drm/mst: Support simultaneous down replies")
Cc: Wayne Lin <Wayne.Lin@amd.com>
Cc: Lyude Paul <lyude@redhat.com>
Cc: Wayne Lin <waynelin@amd.com>
Cc: Sean Paul <seanpaul@chromium.org>
Link: https://patchwork.freedesktop.org/patch/msgid/20200406193352.1245985-1-lyude@redhat.com


Reviewed-by: Sean Paul <sean@poorly.run>

parent ed7cca1f

Hide whitespace changes

Inline Side-by-side

Please register or to comment

Admin message

drm/dp_mst: Fix NULL deref in drm_dp_get_one_sb_msg()