Ilia Mirkin
2014-Jan-19 15:30 UTC
[Nouveau] [PATCH] drm/nouveau/mxm: fix null deref on load
Since commit 61b365a50 (drm/nouveau: populate master subdev pointer only
when fully constructed), the nouveau_mxm(bios) call will return NULL,
since it's still being called from the constructor. Instead, pass the
mxm pointer via the unused data field.
See https://bugs.freedesktop.org/show_bug.cgi?id=73791
Reported-by: Andreas Reis <andreas.reis at gmail.com>
Tested-by: Andreas Reis <andreas.reis at gmail.com>
Signed-off-by: Ilia Mirkin <imirkin at alum.mit.edu>
---
3.13 release time is approaching, so I'm expanding the To list, as this is a
crashing bug for potentially a lot of people (not sure how common the MXM
stuff is) and it'd be silly not to include the fix because someone along the
chain wasn't around. Hope I'm not stepping on any toes by sending to the
full
upstream path...
drivers/gpu/drm/nouveau/core/subdev/mxm/nv50.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/nouveau/core/subdev/mxm/nv50.c
b/drivers/gpu/drm/nouveau/core/subdev/mxm/nv50.c
index af129c2..0bd3774 100644
--- a/drivers/gpu/drm/nouveau/core/subdev/mxm/nv50.c
+++ b/drivers/gpu/drm/nouveau/core/subdev/mxm/nv50.c
@@ -100,7 +100,7 @@ mxm_match_dcb(struct nouveau_mxm *mxm, u8 *data, void *info)
static int
mxm_dcb_sanitise_entry(struct nouveau_bios *bios, void *data, int idx, u16
pdcb)
{
- struct nouveau_mxm *mxm = nouveau_mxm(bios);
+ struct nouveau_mxm *mxm = data;
struct context ctx = { .outp = (u32 *)(bios->data + pdcb) };
u8 type, i2cidx, link, ver, len;
u8 *conn;
@@ -199,7 +199,7 @@ mxm_dcb_sanitise(struct nouveau_mxm *mxm)
return;
}
- dcb_outp_foreach(bios, NULL, mxm_dcb_sanitise_entry);
+ dcb_outp_foreach(bios, mxm, mxm_dcb_sanitise_entry);
mxms_foreach(mxm, 0x01, mxm_show_unmatched, NULL);
}
--
1.8.3.2
Linus Torvalds
2014-Jan-20 03:06 UTC
[Nouveau] [PATCH] drm/nouveau/mxm: fix null deref on load
Ok, I applied this, even though I hate the timing.
I also suspect that that whole commit 61b365a50 ("drm/nouveau:
populate master subdev pointer only when fully constructed") is just
completely buggered and the wrong thing to do. It also caused another
nasty change (fdd239ac99a0 "drm/nouveau: fix null ptr dereferences on
some boards") because it wasn't just the mxm data that was missing.
Whatever. It is what it is.
Linus
On Sun, Jan 19, 2014 at 7:30 AM, Ilia Mirkin <imirkin at alum.mit.edu>
wrote:> Since commit 61b365a50 (drm/nouveau: populate master subdev pointer only
> when fully constructed), the nouveau_mxm(bios) call will return NULL,
> since it's still being called from the constructor. Instead, pass the
> mxm pointer via the unused data field.
>
> See https://bugs.freedesktop.org/show_bug.cgi?id=73791
>
> Reported-by: Andreas Reis <andreas.reis at gmail.com>
> Tested-by: Andreas Reis <andreas.reis at gmail.com>
> Signed-off-by: Ilia Mirkin <imirkin at alum.mit.edu>
> ---
>
> 3.13 release time is approaching, so I'm expanding the To list, as this
is a
> crashing bug for potentially a lot of people (not sure how common the MXM
> stuff is) and it'd be silly not to include the fix because someone
along the
> chain wasn't around. Hope I'm not stepping on any toes by sending
to the full
> upstream path...
>
> drivers/gpu/drm/nouveau/core/subdev/mxm/nv50.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/gpu/drm/nouveau/core/subdev/mxm/nv50.c
b/drivers/gpu/drm/nouveau/core/subdev/mxm/nv50.c
> index af129c2..0bd3774 100644
> --- a/drivers/gpu/drm/nouveau/core/subdev/mxm/nv50.c
> +++ b/drivers/gpu/drm/nouveau/core/subdev/mxm/nv50.c
> @@ -100,7 +100,7 @@ mxm_match_dcb(struct nouveau_mxm *mxm, u8 *data, void
*info)
> static int
> mxm_dcb_sanitise_entry(struct nouveau_bios *bios, void *data, int idx, u16
pdcb)
> {
> - struct nouveau_mxm *mxm = nouveau_mxm(bios);
> + struct nouveau_mxm *mxm = data;
> struct context ctx = { .outp = (u32 *)(bios->data + pdcb) };
> u8 type, i2cidx, link, ver, len;
> u8 *conn;
> @@ -199,7 +199,7 @@ mxm_dcb_sanitise(struct nouveau_mxm *mxm)
> return;
> }
>
> - dcb_outp_foreach(bios, NULL, mxm_dcb_sanitise_entry);
> + dcb_outp_foreach(bios, mxm, mxm_dcb_sanitise_entry);
> mxms_foreach(mxm, 0x01, mxm_show_unmatched, NULL);
> }
>
> --
> 1.8.3.2
>
Seemingly Similar Threads
- [PATCH] drm/nouveau/nvkm: mark expected switch fall-throughs
- Can change password but cannot force password change
- [PATCH][next] drm/nouveau: Use fallthrough pseudo-keyword
- [PATCH] drm/nouveau/nvkm: mark expected switch fall-throughs
- [PATCH] drm/nouveau/nvkm: mark expected switch fall-throughs