| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20250728024718.24725-1-jason-jh.lin@mediatek.com>
Date: Mon, 28 Jul 2025 10:47:02 +0800
From: Jason-JH Lin <jason-jh.lin@...iatek.com>
To: Chun-Kuang Hu <chunkuang.hu@...nel.org>, AngeloGioacchino Del Regno
<angelogioacchino.delregno@...labora.com>, David Airlie <airlied@...il.com>
CC: Philipp Zabel <p.zabel@...gutronix.de>, Daniel Vetter <daniel@...ll.ch>,
Matthias Brugger <matthias.bgg@...il.com>, Jason-JH Lin
<jason-jh.lin@...iatek.com>, Nancy Lin <nancy.lin@...iatek.com>, Singo Chang
<singo.chang@...iatek.com>, Paul-PL Chen <paul-pl.chen@...iatek.com>,
Yongqiang Niu <yongqiang.niu@...iatek.com>, Zhenxing Qin
<zhenxing.qin@...iatek.com>, Xiandong Wang <xiandong.wang@...iatek.com>,
Sirius Wang <sirius.wang@...iatek.com>, Xavier Chang
<xavier.chang@...iatek.com>, Jarried Lin <jarried.lin@...iatek.com>, Fei Shao
<fshao@...omium.org>, Chen-yu Tsai <wenst@...omium.org>,
<linux-kernel@...r.kernel.org>, <linux-mediatek@...ts.infradead.org>,
<linux-arm-kernel@...ts.infradead.org>,
<Project_Global_Chrome_Upstream_Group@...iatek.com>, Jason-jh Lin
<jason-jh.lin@...iatek.corp-partner.google.com>
Subject: [PATCH] drm/mediatek: Add error handling for old state CRTC in atomic_disable
From: Jason-jh Lin <jason-jh.lin@...iatek.corp-partner.google.com>
Introduce error handling to address an issue where, after a hotplug
event, the cursor continues to update. This situation can lead to a
kernel panic due to accessing the NULL `old_state->crtc`.
E,g.
Unable to handle kernel NULL pointer dereference at virtual address
Call trace:
mtk_crtc_plane_disable+0x24/0x140
mtk_plane_atomic_update+0x8c/0xa8
drm_atomic_helper_commit_planes+0x114/0x2c8
drm_atomic_helper_commit_tail_rpm+0x4c/0x158
commit_tail+0xa0/0x168
drm_atomic_helper_commit+0x110/0x120
drm_atomic_commit+0x8c/0xe0
drm_atomic_helper_update_plane+0xd4/0x128
__setplane_atomic+0xcc/0x110
drm_mode_cursor_common+0x250/0x440
drm_mode_cursor_ioctl+0x44/0x70
drm_ioctl+0x264/0x5d8
__arm64_sys_ioctl+0xd8/0x510
invoke_syscall+0x6c/0xe0
do_el0_svc+0x68/0xe8
el0_svc+0x34/0x60
el0t_64_sync_handler+0x1c/0xf8
el0t_64_sync+0x180/0x188
Adding NULL pointer checks to ensure stability by preventing operations
on an invalid CRTC state.
Fixes: d208261e9f7c ("drm/mediatek: Add wait_event_timeout when disabling plane")
Signed-off-by: Jason-jh Lin <jason-jh.lin@...iatek.corp-partner.google.com>
---
drivers/gpu/drm/mediatek/mtk_plane.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/mediatek/mtk_plane.c b/drivers/gpu/drm/mediatek/mtk_plane.c
index cbc4f37da8ba..02349bd44001 100644
--- a/drivers/gpu/drm/mediatek/mtk_plane.c
+++ b/drivers/gpu/drm/mediatek/mtk_plane.c
@@ -292,7 +292,8 @@ static void mtk_plane_atomic_disable(struct drm_plane *plane,
wmb(); /* Make sure the above parameter is set before update */
mtk_plane_state->pending.dirty = true;
- mtk_crtc_plane_disable(old_state->crtc, plane);
+ if (old_state && old_state->crtc)
+ mtk_crtc_plane_disable(old_state->crtc, plane);
}
static void mtk_plane_atomic_update(struct drm_plane *plane,
--
2.43.0
Powered by blists - more mailing lists