github-mirror/linux
1
0
Fork 0
mirror of https://github.com/torvalds/linux.git synced 2026-06-13 09:17:53 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity Graph
2bdb34c61e
linux/drivers/gpu/drm
History
Zwane Mwaikambo 031ac02811 drm/dp_aux_dev: check aux_dev before use in drm_dp_aux_dev_get_by_minor() 
commit 73b62cdb93 upstream.

I observed this when unplugging a DP monitor whilst a computer is asleep
and then waking it up. This left DP chardev nodes still being present on
the filesystem and accessing these device nodes caused an oops because
drm_dp_aux_dev_get_by_minor() assumes a device exists if it is opened.
This can also be reproduced by creating a device node with mknod(1) and
issuing an open(2)

[166164.933198] BUG: kernel NULL pointer dereference, address: 0000000000000018
[166164.933202] #PF: supervisor read access in kernel mode
[166164.933204] #PF: error_code(0x0000) - not-present page
[166164.933205] PGD 0 P4D 0
[166164.933208] Oops: 0000 [#1] PREEMPT SMP NOPTI
[166164.933211] CPU: 4 PID: 99071 Comm: fwupd Tainted: G        W
5.8.0-rc6+ #1
[166164.933213] Hardware name: LENOVO 20RD002VUS/20RD002VUS, BIOS R16ET25W
(1.11 ) 04/21/2020
[166164.933232] RIP: 0010:drm_dp_aux_dev_get_by_minor+0x29/0x70
[drm_kms_helper]
[166164.933234] Code: 00 0f 1f 44 00 00 55 48 89 e5 41 54 41 89 fc 48 c7
c7 60 01 a4 c0 e8 26 ab 30 d7 44 89 e6 48 c7 c7 80 01 a4 c0 e8 47 94 d6 d6
<8b> 50 18 49 89 c4 48 8d 78 18 85 d2 74 33 8d 4a 01 89 d0 f0 0f b1
[166164.933236] RSP: 0018:ffffb7d7c41cbbf0 EFLAGS: 00010246
[166164.933237] RAX: 0000000000000000 RBX: ffff8a90001fe900 RCX: 0000000000000000
[166164.933238] RDX: 0000000000000000 RSI: 0000000000000003 RDI: ffffffffc0a40180
[166164.933239] RBP: ffffb7d7c41cbbf8 R08: 0000000000000000 R09: ffff8a93e157d6d0
[166164.933240] R10: 0000000000000000 R11: ffffffffc0a40188 R12: 0000000000000003
[166164.933241] R13: ffff8a9402200e80 R14: ffff8a90001fe900 R15: 0000000000000000
[166164.933244] FS:  00007f7fb041eb00(0000) GS:ffff8a9411500000(0000)
knlGS:0000000000000000
[166164.933245] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[166164.933246] CR2: 0000000000000018 CR3: 00000000352c2003 CR4: 00000000003606e0
[166164.933247] Call Trace:
[166164.933264]  auxdev_open+0x1b/0x40 [drm_kms_helper]
[166164.933278]  chrdev_open+0xa7/0x1c0
[166164.933282]  ? cdev_put.part.0+0x20/0x20
[166164.933287]  do_dentry_open+0x161/0x3c0
[166164.933291]  vfs_open+0x2d/0x30
[166164.933297]  path_openat+0xb27/0x10e0
[166164.933306]  ? atime_needs_update+0x73/0xd0
[166164.933309]  do_filp_open+0x91/0x100
[166164.933313]  ? __alloc_fd+0xb2/0x150
[166164.933316]  do_sys_openat2+0x210/0x2d0
[166164.933318]  do_sys_open+0x46/0x80
[166164.933320]  __x64_sys_openat+0x20/0x30
[166164.933328]  do_syscall_64+0x52/0xc0
[166164.933336]  entry_SYSCALL_64_after_hwframe+0x44/0xa9

(gdb) disassemble drm_dp_aux_dev_get_by_minor+0x29
Dump of assembler code for function drm_dp_aux_dev_get_by_minor:
   0x0000000000017b10 <+0>:     callq  0x17b15 <drm_dp_aux_dev_get_by_minor+5>
   0x0000000000017b15 <+5>:     push   %rbp
   0x0000000000017b16 <+6>:     mov    %rsp,%rbp
   0x0000000000017b19 <+9>:     push   %r12
   0x0000000000017b1b <+11>:    mov    %edi,%r12d
   0x0000000000017b1e <+14>:    mov    $0x0,%rdi
   0x0000000000017b25 <+21>:    callq  0x17b2a <drm_dp_aux_dev_get_by_minor+26>
   0x0000000000017b2a <+26>:    mov    %r12d,%esi
   0x0000000000017b2d <+29>:    mov    $0x0,%rdi
   0x0000000000017b34 <+36>:    callq  0x17b39 <drm_dp_aux_dev_get_by_minor+41>
   0x0000000000017b39 <+41>:    mov    0x18(%rax),%edx <=========
   0x0000000000017b3c <+44>:    mov    %rax,%r12
   0x0000000000017b3f <+47>:    lea    0x18(%rax),%rdi
   0x0000000000017b43 <+51>:    test   %edx,%edx
   0x0000000000017b45 <+53>:    je     0x17b7a <drm_dp_aux_dev_get_by_minor+106>
   0x0000000000017b47 <+55>:    lea    0x1(%rdx),%ecx
   0x0000000000017b4a <+58>:    mov    %edx,%eax
   0x0000000000017b4c <+60>:    lock cmpxchg %ecx,(%rdi)
   0x0000000000017b50 <+64>:    jne    0x17b76 <drm_dp_aux_dev_get_by_minor+102>
   0x0000000000017b52 <+66>:    test   %edx,%edx
   0x0000000000017b54 <+68>:    js     0x17b6d <drm_dp_aux_dev_get_by_minor+93>
   0x0000000000017b56 <+70>:    test   %ecx,%ecx
   0x0000000000017b58 <+72>:    js     0x17b6d <drm_dp_aux_dev_get_by_minor+93>
   0x0000000000017b5a <+74>:    mov    $0x0,%rdi
   0x0000000000017b61 <+81>:    callq  0x17b66 <drm_dp_aux_dev_get_by_minor+86>
   0x0000000000017b66 <+86>:    mov    %r12,%rax
   0x0000000000017b69 <+89>:    pop    %r12
   0x0000000000017b6b <+91>:    pop    %rbp
   0x0000000000017b6c <+92>:    retq
   0x0000000000017b6d <+93>:    xor    %esi,%esi
   0x0000000000017b6f <+95>:    callq  0x17b74 <drm_dp_aux_dev_get_by_minor+100>
   0x0000000000017b74 <+100>:   jmp    0x17b5a <drm_dp_aux_dev_get_by_minor+74>
   0x0000000000017b76 <+102>:   mov    %eax,%edx
   0x0000000000017b78 <+104>:   jmp    0x17b43 <drm_dp_aux_dev_get_by_minor+51>
   0x0000000000017b7a <+106>:   xor    %r12d,%r12d
   0x0000000000017b7d <+109>:   jmp    0x17b5a <drm_dp_aux_dev_get_by_minor+74>
End of assembler dump.

(gdb) list *drm_dp_aux_dev_get_by_minor+0x29
0x17b39 is in drm_dp_aux_dev_get_by_minor (drivers/gpu/drm/drm_dp_aux_dev.c:65).
60      static struct drm_dp_aux_dev *drm_dp_aux_dev_get_by_minor(unsigned index)
61      {
62              struct drm_dp_aux_dev *aux_dev = NULL;
63
64              mutex_lock(&aux_idr_mutex);
65              aux_dev = idr_find(&aux_idr, index);
66              if (!kref_get_unless_zero(&aux_dev->refcount))
67                      aux_dev = NULL;
68              mutex_unlock(&aux_idr_mutex);
69
(gdb) p/x &((struct drm_dp_aux_dev *)(0x0))->refcount
$8 = 0x18

Looking at the caller, checks on the minor are pushed down to
drm_dp_aux_dev_get_by_minor()

static int auxdev_open(struct inode *inode, struct file *file)
{
    unsigned int minor = iminor(inode);
    struct drm_dp_aux_dev *aux_dev;

    aux_dev = drm_dp_aux_dev_get_by_minor(minor); <====
    if (!aux_dev)
        return -ENODEV;

    file->private_data = aux_dev;
    return 0;
}

Fixes: e94cb37b34 ("drm/dp: Add a drm_aux-dev module for reading/writing dpcd registers.")
Cc: <stable@vger.kernel.org> # v4.6+
Signed-off-by: Zwane Mwaikambo <zwane@yosper.io>
Reviewed-by: Lyude Paul <lyude@redhat.com>
[added Cc to stable]
Signed-off-by: Lyude Paul <lyude@redhat.com>
Link: https://patchwork.freedesktop.org/patch/msgid/alpine.DEB.2.21.2010122231070.38717@montezuma.home
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-12-30 11:26:13 +01:00
..
amd drm/amd/pm: do not use ixFEATURE_STATUS for checking smc running 2020-11-18 19:18:45 +01:00
arc drm: drop _mode_ from drm_mode_connector_attach_encoder 2018-07-13 18:40:27 +02:00
arm drm/arm: fix unintentional integer overflow on left shift 2020-08-19 08:14:54 +02:00
armada drm/armada: remove obsolete fb unreferencing kfifo and workqueue 2018-07-30 11:53:06 +01:00
ast drm/ast: Fixed reboot test may cause system hanged 2019-09-06 10:21:59 +02:00
atmel-hlcdc drm: atmel-hlcdc: enable clock before configuring timing engine 2020-02-11 04:34:16 -08:00
bochs drm/bochs: downgrade pci_request_region failure from error to warning 2020-04-13 10:44:59 +02:00
bridge drm/bridge/synopsys: dsi: add support for non-continuous HS clock 2020-11-05 11:08:41 +01:00
cirrus drm/cirrus: Use drm_framebuffer_put to avoid kernel oops in clean-up 2019-04-20 09:16:00 +02:00
etnaviv drm/etnaviv: Fix error path on failure to enable bus clk 2020-08-19 08:14:54 +02:00
exynos drm/exynos: fix ref count leak in mic_pre_enable 2020-07-22 09:32:01 +02:00
fsl-dcu drm: drop _mode_ from drm_mode_connector_attach_encoder 2018-07-13 18:40:27 +02:00
gma500 drm/gma500: fix double free of gma_connector 2020-12-30 11:25:49 +01:00
hisilicon drm/hisilicon: hibmc: Don't overwrite fb helper surface depth 2020-01-27 14:49:55 +01:00
i2c Merge branch 'drm-tda9950-fixes' of git://git.armlinux.org.uk/~rmk/linux-arm into drm-fixes 2018-10-04 10:32:14 +10:00
i810 drm/i810: Prevent underflow in ioctl 2019-12-13 08:52:44 +01:00
i915 drm/atomic_helper: Stop modesets on unregistered connectors harder 2020-12-02 08:48:08 +01:00
imx drm/imx: imx-ldb: Disable both channels for split mode in enc->disable() 2020-08-21 11:05:34 +02:00
lib
mediatek drm/mediatek: Add missing put_device() call in mtk_hdmi_dt_parse_pdata() 2020-09-23 12:11:00 +02:00
meson drm: meson: venc: cvbs: fix CVBS mode matching 2019-12-21 10:57:39 +01:00
mga
mgag200 drm: drop _mode_ from drm_mode_connector_attach_encoder 2018-07-13 18:40:27 +02:00
msm drm/msm/dsi_pll_10nm: restore VCO rate during restore_state 2020-12-30 11:25:51 +01:00
mxsfb
nouveau drm/nouveau/mem: guard against NULL pointer access in mem_del 2020-10-14 10:31:21 +02:00
omapdrm drm/omap: dmm_tiler: fix return error code in omap_dmm_probe() 2020-12-30 11:25:54 +01:00
panel drm: panel: simple: Fix bpc for LG LB070WV8 panel 2020-08-19 08:14:57 +02:00
pl111 drm/pl111: Initialize clock spinlock early 2019-06-15 11:54:00 +02:00
qxl drm/qxl: Use correct notify port address when creating cursor ring 2020-06-25 15:33:06 +02:00
r128
radeon PCI: Use ioremap(), not phys_to_virt() for platform ROM 2020-10-01 13:14:40 +02:00
rcar-du drm: rcar-du: Fix build error 2020-06-30 23:17:17 -04:00
rockchip drm/rockchip: Suspend DP late 2019-08-29 08:28:40 +02:00
savage drm/savage: off by one in savage_bci_cmdbuf() 2018-07-04 14:27:01 +02:00
scheduler drm/scheduler: fix param documentation 2018-08-09 11:57:39 -05:00
selftests drm-misc-next for 4.19: 2018-06-22 12:58:08 +10:00
shmobile drm/shmob: Fix return value check in shmob_drm_probe 2020-01-27 14:50:12 +01:00
sis
sti drm/sti: do not remove the drm_bridge that was never added 2020-01-27 14:49:53 +01:00
stm drm/stm: attach gem fence to atomic state 2019-10-07 18:56:31 +02:00
sun4i drm/sun4i: dw-hdmi: fix error return code in sun8i_dw_hdmi_bind() 2020-11-24 13:27:22 +01:00
tdfx
tegra drm/tegra: sor: Disable clocks on error in tegra_sor_init() 2020-12-30 11:25:46 +01:00
tilcdc drm/tilcdc: fix leak & null ref in panel_connector_get_modes 2020-08-19 08:14:50 +02:00
tinydrm tinydrm/mipi-dbi: Use dma-safe buffers for all SPI transfers 2019-05-31 06:46:32 -07:00
ttm drm/ttm: fix eviction valuable range check. 2020-11-05 11:08:54 +01:00
tve200 drm/tve200: Fix handling of platform_get_irq() error 2020-12-30 11:25:49 +01:00
udl drm/udl: move to embedding drm device inside udl device. 2019-07-21 09:03:18 +02:00
v3d drm/v3d: Handle errors from IRQ setup. 2019-05-31 06:46:34 -07:00
vc4 drm/vc4: drv: Add error handding for bind 2020-11-10 12:36:00 +01:00
vgem drm/vgem: Replace opencoded version of drm_gem_dumb_map_offset() 2020-08-26 10:30:58 +02:00
via treewide: Use array_size() in vzalloc() 2018-06-12 16:19:22 -07:00
virtio Fix use after free in get_capset_info callback. 2020-10-30 10:38:31 +01:00
vkms drm/vkms: Hold gem object while still in-use 2020-06-22 09:05:08 +02:00
vmwgfx drm/vmwgfx: Fix two list_for_each loop exit tests 2020-08-21 11:05:37 +02:00
xen drm/xen-front: Fix misused IS_ERR_OR_NULL checks 2020-12-30 11:25:43 +01:00
zte drm: drop _mode_ from drm_mode_connector_attach_encoder 2018-07-13 18:40:27 +02:00
ati_pcigart.c
drm_agpsupport.c
drm_atomic_helper.c drm/atomic_helper: Stop modesets on unregistered connectors harder 2020-12-02 08:48:08 +01:00
drm_atomic.c drm/atomic_helper: Stop modesets on unregistered connectors harder 2020-12-02 08:48:08 +01:00
drm_auth.c drm: set is_master to 0 upon drm_new_set_master() failure 2018-12-08 12:59:07 +01:00
drm_blend.c
drm_bridge.c
drm_bufs.c drm: return -EFAULT if copy_to_user() fails 2019-07-14 08:11:14 +02:00
drm_cache.c
drm_client.c drm/cma-helper: Fix crash in fbdev error path 2018-10-02 13:03:34 +02:00
drm_color_mgmt.c
drm_connector.c drm/atomic_helper: Stop modesets on unregistered connectors harder 2020-12-02 08:48:08 +01:00
drm_context.c drm: Fix error handling in drm_legacy_addctx 2020-01-27 14:50:10 +01:00
drm_crtc_helper_internal.h
drm_crtc_helper.c
drm_crtc_internal.h drm: drop _mode_ from remaining connector functions 2018-07-13 18:40:27 +02:00
drm_crtc.c drm/lease: Make sure implicit planes are leased 2019-06-09 09:17:23 +02:00
drm_debugfs_crc.c drm: remove the newline for CRC source name. 2020-02-24 08:34:45 +01:00
drm_debugfs.c drm/debugfs: fix plain echo to connector "force" attribute 2020-08-19 08:14:52 +02:00
drm_dma.c
drm_dp_aux_dev.c drm/dp_aux_dev: check aux_dev before use in drm_dp_aux_dev_get_by_minor() 2020-12-30 11:26:13 +01:00
drm_dp_cec.c drm_dp_cec.c: fix formatting typo: %pdH -> %phD 2018-07-28 15:50:40 -03:00
drm_dp_dual_mode_helper.c
drm_dp_helper.c drm/dp_helper: Add DP aux channel tracing 2018-07-16 11:47:53 -04:00
drm_dp_mst_topology.c drm: fix drm_dp_mst_port refcount leaks in drm_dp_mst_allocate_vcpi 2020-12-30 11:25:43 +01:00
drm_drv.c drm/drv: Hold ref on parent device during drm_device lifetime 2019-05-31 06:46:34 -07:00
drm_dumb_buffers.c drm-misc-next for 4.19: 2018-06-28 13:29:07 +10:00
drm_edid_load.c drm/edid: Fix a missing-check bug in drm_load_edid_firmware() 2019-07-31 07:26:58 +02:00
drm_edid.c drm/edid: Add Oculus Rift S to non-desktop list 2020-06-07 13:17:56 +02:00
drm_encoder_slave.c drm: encoder_slave: fix refcouting error for modules 2020-06-25 15:33:06 +02:00
drm_encoder.c
drm_fb_cma_helper.c drm/cma-helper: Fix crash in fbdev error path 2018-10-02 13:03:34 +02:00
drm_fb_helper.c drm/fb-helper: generic: Call drm_client_add() after setup is done 2020-01-27 14:50:36 +01:00
drm_file.c drm: Wake up next in drm_read() chain if we are forced to putback the event 2019-05-31 06:46:34 -07:00
drm_flip_work.c
drm_fourcc.c drm/fourcc: Add is_yuv field to drm_format_info to denote if the format is yuv 2018-07-18 16:56:45 +01:00
drm_framebuffer.c drm: silence variable 'conn' set but not used 2019-08-16 10:12:46 +02:00
drm_gem_cma_helper.c
drm_gem_framebuffer_helper.c drm/gem-fb-helper: Always do implicit sync 2018-06-20 14:43:13 +02:00
drm_gem.c drm: hold gem reference until object is no longer accessed 2020-08-05 10:06:01 +02:00
drm_global.c drm: add SPDX identifier and clarify license 2018-06-29 15:28:47 -05:00
drm_hashtab.c treewide: Use array_size() in vzalloc() 2018-06-12 16:19:22 -07:00
drm_info.c
drm_internal.h drm/lease: Send a distinct uevent 2018-12-13 09:16:21 +01:00
drm_ioc32.c drm: add __user attribute to ptr_to_compat() 2019-09-16 08:22:08 +02:00
drm_ioctl.c drm/atomic: Take the atomic toys away from X 2020-05-10 10:30:12 +02:00
drm_irq.c
drm_kms_helper_common.c
drm_lease.c drm/lease: fix WARNING in idr_destroy 2020-03-25 08:06:12 +01:00
drm_legacy.h
drm_lock.c
drm_memory.c treewide: Use array_size() in vmalloc() 2018-06-12 16:19:22 -07:00
drm_mipi_dsi.c drm/mipi: use dcs write for mipi_dsi_dcs_set_tear_scanline 2020-08-19 08:14:55 +02:00
drm_mm.c drm/mm: Add a search-by-address variant to only inspect a single hole 2018-05-24 15:04:30 +01:00
drm_mode_config.c drm: writeback: Add client capability for exposing writeback connectors 2018-06-20 15:30:20 +01:00
drm_mode_object.c drm: Reorder set_property_atomic to avoid returning with an active ww_ctx 2019-03-27 14:14:42 +09:00
drm_modes.c drm/modes: Prevent division by zero htotal 2019-02-15 08:10:12 +01:00
drm_modeset_helper.c
drm_modeset_lock.c drm: Change deadlock-avoidance algorithm for the modeset locks. 2018-07-03 09:46:05 +02:00
drm_of.c drm/doc: Include drm_of.c helpers 2018-07-13 18:40:28 +02:00
drm_panel_orientation_quirks.c drm: Added orientation quirk for ASUS tablet model T103HAF 2020-08-21 11:05:39 +02:00
drm_panel.c Revert "drm/panel: Add device_link from panel device to DRM device" 2018-09-27 11:00:42 -04:00
drm_pci.c drm: Remove PageReserved manipulation from drm_pci_alloc 2020-04-17 10:48:55 +02:00
drm_plane_helper.c drm: add missing ctx argument to plane transitional helpers 2018-07-03 09:30:19 +02:00
drm_plane.c drm/lease: Make sure implicit planes are leased 2019-06-09 09:17:23 +02:00
drm_prime.c dma-buf: remove kmap_atomic interface 2018-06-20 15:59:34 +02:00
drm_print.c drm: Add puts callback for the coredump printer 2018-07-30 08:49:41 -04:00
drm_probe_helper.c drm: Flush output polling on shutdown 2019-10-01 08:26:11 +02:00
drm_property.c drm: limit to INT_MAX in create_blob ioctl 2020-01-09 10:18:59 +01:00
drm_rect.c drm/rect: Avoid division by zero 2020-02-11 04:34:07 -08:00
drm_scatter.c
drm_scdc_helper.c
drm_simple_kms_helper.c drm: drop _mode_ from drm_mode_connector_attach_encoder 2018-07-13 18:40:27 +02:00
drm_syncobj.c drm/syncobj: Don't leak fences when WAIT_FOR_SUBMIT is set 2018-09-26 10:39:14 -04:00
drm_sysfs.c drm/lease: Send a distinct uevent 2018-12-13 09:16:21 +01:00
drm_trace_points.c
drm_trace.h
drm_vblank.c drm/drm_vblank: Change EINVAL by the correct errno 2019-12-31 16:35:01 +01:00
drm_vm.c gpu: drm: drm_vm: Adding new typedef vm_fault_t 2018-05-29 08:58:46 +02:00
drm_vma_manager.c drm: add SPDX idenitifier and clarify license 2018-06-29 15:28:47 -05:00
drm_writeback.c drm: writeback: Fix doc that says connector should be disconnected 2018-07-16 16:35:27 +01:00
Kconfig drm/fb_helper: Allow leaking fbdev smem_start 2019-01-16 22:04:35 +01:00
Makefile drm: add support for DisplayPort CEC-Tunneling-over-AUX 2018-07-13 17:58:19 +03:00