[next] drm/atomic: NULL pointer dereference

[Sergey Senozhatsky]

Hello,

after commit 669c9215afea4e ("drm/atomic: Make async plane update
checks work as intended") drm_atomic_helper_async_check() can NULL
deference the `new_plane_state' pointer and crashe the kernel at
'new_plane_state->crtc':

BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
IP: drm_atomic_helper_async_check+0x70/0xcb
PGD 0 P4D 0
Oops: 0000 [#1] PREEMPT SMP
[..]
task: ffff880131ac2280 task.stack: ffffc90000464000
RIP: 0010:drm_atomic_helper_async_check+0x70/0xcb
RSP: 0018:ffffc90000467a48 EFLAGS: 00010246
RAX: ffff880131917b60 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000004 RSI: ffff880131753480 RDI: 0000000000000000
RBP: 0000000000000000 R08: 0000000000000004 R09: 0000000000010000
R10: ffff880130d3255c R11: ffff880130e56e18 R12: ffff880131670000
R13: 0000000000000000 R14: ffff880131670000 R15: 0000000000000004
FS:  00007fc218f6e940(0000) GS:ffff880137d80000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000008 CR3: 0000000132aca000 CR4: 00000000000006e0
Call Trace:
 drm_atomic_helper_check+0x3c/0x5a
 nv50_disp_atomic_check+0x15/0x10b
 drm_atomic_check_only+0x2c0/0x42a
 drm_atomic_commit+0x13/0x4d
 drm_atomic_helper_update_plane+0xc9/0xe6
 __setplane_internal+0x1c8/0x229
 ? drm_internal_framebuffer_create+0x314/0x35a
 drm_mode_cursor_universal+0x130/0x15f
 drm_mode_cursor_common+0xcc/0x184
 ? drm_mode_setplane+0x183/0x183
 drm_mode_cursor_ioctl+0x2f/0x34
 drm_ioctl_kernel+0x61/0x9a
 drm_ioctl+0x1d6/0x2a8
 ? drm_mode_setplane+0x183/0x183
 ? _raw_spin_unlock+0x12/0x23
 ? do_wp_page+0x159/0x22e
 ? _raw_spin_unlock_irqrestore+0x14/0x25
 nouveau_drm_ioctl+0x71/0xa4
 vfs_ioctl+0x1b/0x28
 do_vfs_ioctl+0x5a9/0x5bc
 ? handle_mm_fault+0x98/0x9e
 ? __fget+0x5d/0x67
 SyS_ioctl+0x3e/0x5a
 entry_SYSCALL_64_fastpath+0x13/0x94


the below patch fixes the issues for me.

---
 drivers/gpu/drm/drm_atomic_helper.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/drm_atomic_helper.c 
b/drivers/gpu/drm/drm_atomic_helper.c
index 01c34bc5b5b0..922f4d3b17aa 100644
--- a/drivers/gpu/drm/drm_atomic_helper.c
+++ b/drivers/gpu/drm/drm_atomic_helper.c
@@ -1405,7 +1405,7 @@ int drm_atomic_helper_async_check(struct drm_device *dev,
        if (n_planes != 1)
                return -EINVAL;
 
-       if (!new_plane_state->crtc)
+       if (!new_plane_state || !new_plane_state->crtc)
                return -EINVAL;
 
        funcs = plane->helper_private;
-- 
2.14.1

_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel