| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 17 Dec 2019 13:54:56 +0200
From: Stefan Mavrodiev <stefan@...mex.com>
To: Maxime Ripard <mripard@...nel.org>
Cc: Stefan Mavrodiev <stefan@...mex.com>, Chen-Yu Tsai <wens@...e.org>,
David Airlie <airlied@...ux.ie>,
Daniel Vetter <daniel@...ll.ch>,
"open list:DRM DRIVERS FOR ALLWINNER A10"
<dri-devel@...ts.freedesktop.org>,
"moderated list:ARM/Allwinner sunXi SoC support"
<linux-arm-kernel@...ts.infradead.org>,
open list <linux-kernel@...r.kernel.org>,
linux-sunxi@...glegroups.com
Subject: Re: [PATCH 1/1] drm/sun4i: hdmi: Check for null pointer before
cleanup
Hi,
On 12/17/19 1:49 PM, Maxime Ripard wrote:
> On Tue, Dec 17, 2019 at 12:46:03PM +0100, Maxime Ripard wrote:
>> On Tue, Dec 17, 2019 at 08:45:07AM +0200, Stefan Mavrodiev wrote:
>>> Hi,
>>>
>>> On 12/16/19 6:12 PM, Maxime Ripard wrote:
>>>> Hi,
>>>>
>>>> On Mon, Dec 16, 2019 at 04:43:48PM +0200, Stefan Mavrodiev wrote:
>>>>> It's possible hdmi->connector and hdmi->encoder divices to be NULL.
>>>>> This can happen when building as kernel module and you try to remove
>>>>> the module.
>>>>>
>>>>> This patch make simple null check, before calling the cleanup functions.
>>>>>
>>>>> Signed-off-by: Stefan Mavrodiev <stefan@...mex.com>
>>>>> ---
>>>>> drivers/gpu/drm/sun4i/sun4i_hdmi_enc.c | 6 ++++--
>>>>> 1 file changed, 4 insertions(+), 2 deletions(-)
>>>>>
>>>>> diff --git a/drivers/gpu/drm/sun4i/sun4i_hdmi_enc.c b/drivers/gpu/drm/sun4i/sun4i_hdmi_enc.c
>>>>> index a7c4654445c7..b61e00f2ecb8 100644
>>>>> --- a/drivers/gpu/drm/sun4i/sun4i_hdmi_enc.c
>>>>> +++ b/drivers/gpu/drm/sun4i/sun4i_hdmi_enc.c
>>>>> @@ -685,8 +685,10 @@ static void sun4i_hdmi_unbind(struct device *dev, struct device *master,
>>>>> struct sun4i_hdmi *hdmi = dev_get_drvdata(dev);
>>>>>
>>>>> cec_unregister_adapter(hdmi->cec_adap);
>>>>> - drm_connector_cleanup(&hdmi->connector);
>>>>> - drm_encoder_cleanup(&hdmi->encoder);
>>>>> + if (hdmi->connector.dev)
>>>>> + drm_connector_cleanup(&hdmi->connector);
>>>>> + if (hdmi->encoder.dev)
>>>>> + drm_encoder_cleanup(&hdmi->encoder);
>>>> Hmmm, this doesn't look right. Do you have more information on how you
>>>> can reproduce it?
>>> Just build sun4i_drm_hdmi as module (CONFIG_DRM_SUN4I_HDMI=m). Then try to
>>> unload the module:
>>>
>>> # rmmod sun4i_drm_hdmi
>>>
>>> And you get this:
>>>
>>> Unable to handle kernel NULL pointer dereference at virtual address 00000000
>>> pgd = 6b032436
>>> [00000000] *pgd=00000000
>>> Internal error: Oops: 5 [#1] SMP ARM
>>> Modules linked in: sun4i_drm_hdmi(-)
>>> CPU: 0 PID: 1081 Comm: rmmod Not tainted 5.5.0-rc1-00030-g6ec417030d93 #33
>>> Hardware name: Allwinner sun7i (A20) Family
>>> PC is at drm_connector_cleanup+0x40/0x208
>>> LR is at sun4i_hdmi_unbind+0x10/0x54 [sun4i_drm_hdmi]
>>> ...
>>>
>>>
>>> I've tested that with sunxi/for-next branch on A20-OLinuXino board.
>> Yeah, you detailed the symptoms nicely in the commit log, but my point
>> was that we shouldn't end up in that situation in the first place.
>>
>> Your patch works around it, but it doesn't fix the underlying
>> issue. Is drm_connector_cleanup (or the encoder variant) called twice?
> Answering myself, yes it is. It's both the destroy call back and
> called in unbind. We should just remove the one in the unbind then.
Should I do this or leave it to you?
Stefan
>
> Maxime
Powered by blists - more mailing lists