[v2] drm/mediatek: dp: Only trigger DRM HPD events if bridge is attached

Message ID 20230202045734.2773503-1-wenst@chromium.org
State New
Headers
Series [v2] drm/mediatek: dp: Only trigger DRM HPD events if bridge is attached |

Commit Message

Chen-Yu Tsai Feb. 2, 2023, 4:57 a.m. UTC
  The MediaTek DisplayPort interface bridge driver starts its interrupts
as soon as its probed. However when the interrupts trigger the bridge
might not have been attached to a DRM device. As drm_helper_hpd_irq_event()
does not check whether the passed in drm_device is valid or not, a NULL
pointer passed in results in a kernel NULL pointer dereference in it.

Check whether the bridge is attached and only trigger an HPD event if
it is.

Fixes: f70ac097a2cf ("drm/mediatek: Add MT8195 Embedded DisplayPort driver")
Signed-off-by: Chen-Yu Tsai <wenst@chromium.org>
Reviewed-by: Guillaume Ranquet <granquet@baylibre.com>
---
Changes since v1
- Dropped prerequisite-patch-ids
- Added Guillaume's Reviewed-by

This applies on top of mediatek-drm-next.

 drivers/gpu/drm/mediatek/mtk_dp.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
  

Comments

AngeloGioacchino Del Regno Feb. 2, 2023, 9:14 a.m. UTC | #1
Il 02/02/23 05:57, Chen-Yu Tsai ha scritto:
> The MediaTek DisplayPort interface bridge driver starts its interrupts
> as soon as its probed. However when the interrupts trigger the bridge
> might not have been attached to a DRM device. As drm_helper_hpd_irq_event()
> does not check whether the passed in drm_device is valid or not, a NULL
> pointer passed in results in a kernel NULL pointer dereference in it.
> 
> Check whether the bridge is attached and only trigger an HPD event if
> it is.
> 
> Fixes: f70ac097a2cf ("drm/mediatek: Add MT8195 Embedded DisplayPort driver")
> Signed-off-by: Chen-Yu Tsai <wenst@chromium.org>
> Reviewed-by: Guillaume Ranquet <granquet@baylibre.com>

Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
  
Matthias Brugger Feb. 2, 2023, 9:56 a.m. UTC | #2
On 02/02/2023 05:57, Chen-Yu Tsai wrote:
> The MediaTek DisplayPort interface bridge driver starts its interrupts
> as soon as its probed. However when the interrupts trigger the bridge
> might not have been attached to a DRM device. As drm_helper_hpd_irq_event()
> does not check whether the passed in drm_device is valid or not, a NULL
> pointer passed in results in a kernel NULL pointer dereference in it.
> 
> Check whether the bridge is attached and only trigger an HPD event if
> it is.
> 
> Fixes: f70ac097a2cf ("drm/mediatek: Add MT8195 Embedded DisplayPort driver")
> Signed-off-by: Chen-Yu Tsai <wenst@chromium.org>
> Reviewed-by: Guillaume Ranquet <granquet@baylibre.com>

Reviewed-by: Matthias Brugger <matthias.bgg@gmail.com>

> ---
> Changes since v1
> - Dropped prerequisite-patch-ids
> - Added Guillaume's Reviewed-by
> 
> This applies on top of mediatek-drm-next.
> 
>   drivers/gpu/drm/mediatek/mtk_dp.c | 3 ++-
>   1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/gpu/drm/mediatek/mtk_dp.c b/drivers/gpu/drm/mediatek/mtk_dp.c
> index 1f94fcc144d3..a82f53e1a146 100644
> --- a/drivers/gpu/drm/mediatek/mtk_dp.c
> +++ b/drivers/gpu/drm/mediatek/mtk_dp.c
> @@ -1823,7 +1823,8 @@ static irqreturn_t mtk_dp_hpd_event_thread(int hpd, void *dev)
>   	spin_unlock_irqrestore(&mtk_dp->irq_thread_lock, flags);
>   
>   	if (status & MTK_DP_THREAD_CABLE_STATE_CHG) {
> -		drm_helper_hpd_irq_event(mtk_dp->bridge.dev);
> +		if (mtk_dp->bridge.dev)
> +			drm_helper_hpd_irq_event(mtk_dp->bridge.dev);
>   
>   		if (!mtk_dp->train_info.cable_plugged_in) {
>   			mtk_dp_disable_sdp_aui(mtk_dp);
  
Chun-Kuang Hu March 12, 2023, 3:41 p.m. UTC | #3
Hi, Chen-Yu:

Chen-Yu Tsai <wenst@chromium.org> 於 2023年2月2日 週四 下午12:57寫道:
>
> The MediaTek DisplayPort interface bridge driver starts its interrupts
> as soon as its probed. However when the interrupts trigger the bridge
> might not have been attached to a DRM device. As drm_helper_hpd_irq_event()
> does not check whether the passed in drm_device is valid or not, a NULL
> pointer passed in results in a kernel NULL pointer dereference in it.
>
> Check whether the bridge is attached and only trigger an HPD event if
> it is.

Applied to mediatek-drm-next [1], thanks.

[1] https://git.kernel.org/pub/scm/linux/kernel/git/chunkuang.hu/linux.git/log/?h=mediatek-drm-next

Regards,
Chun-Kuang.

>
> Fixes: f70ac097a2cf ("drm/mediatek: Add MT8195 Embedded DisplayPort driver")
> Signed-off-by: Chen-Yu Tsai <wenst@chromium.org>
> Reviewed-by: Guillaume Ranquet <granquet@baylibre.com>
> ---
> Changes since v1
> - Dropped prerequisite-patch-ids
> - Added Guillaume's Reviewed-by
>
> This applies on top of mediatek-drm-next.
>
>  drivers/gpu/drm/mediatek/mtk_dp.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/gpu/drm/mediatek/mtk_dp.c b/drivers/gpu/drm/mediatek/mtk_dp.c
> index 1f94fcc144d3..a82f53e1a146 100644
> --- a/drivers/gpu/drm/mediatek/mtk_dp.c
> +++ b/drivers/gpu/drm/mediatek/mtk_dp.c
> @@ -1823,7 +1823,8 @@ static irqreturn_t mtk_dp_hpd_event_thread(int hpd, void *dev)
>         spin_unlock_irqrestore(&mtk_dp->irq_thread_lock, flags);
>
>         if (status & MTK_DP_THREAD_CABLE_STATE_CHG) {
> -               drm_helper_hpd_irq_event(mtk_dp->bridge.dev);
> +               if (mtk_dp->bridge.dev)
> +                       drm_helper_hpd_irq_event(mtk_dp->bridge.dev);
>
>                 if (!mtk_dp->train_info.cable_plugged_in) {
>                         mtk_dp_disable_sdp_aui(mtk_dp);
> --
> 2.39.1.456.gfc5497dd1b-goog
>
  

Patch

diff --git a/drivers/gpu/drm/mediatek/mtk_dp.c b/drivers/gpu/drm/mediatek/mtk_dp.c
index 1f94fcc144d3..a82f53e1a146 100644
--- a/drivers/gpu/drm/mediatek/mtk_dp.c
+++ b/drivers/gpu/drm/mediatek/mtk_dp.c
@@ -1823,7 +1823,8 @@  static irqreturn_t mtk_dp_hpd_event_thread(int hpd, void *dev)
 	spin_unlock_irqrestore(&mtk_dp->irq_thread_lock, flags);
 
 	if (status & MTK_DP_THREAD_CABLE_STATE_CHG) {
-		drm_helper_hpd_irq_event(mtk_dp->bridge.dev);
+		if (mtk_dp->bridge.dev)
+			drm_helper_hpd_irq_event(mtk_dp->bridge.dev);
 
 		if (!mtk_dp->train_info.cable_plugged_in) {
 			mtk_dp_disable_sdp_aui(mtk_dp);