general protection fault in drm_atomic_set_crtc_for_connector

Desmond Cheong Zhi Xi desmondcheongzx at gmail.com
Wed Aug 18 09:35:31 UTC 2021


#syz fix: drm: fix oops in drm_atomic_set_crtc_for_connector

At the time of the bug report [1], there was the following call in 
update_output_state:
> 			ret = drm_atomic_set_crtc_for_connector(new_conn_state,
> 								NULL);

This was followed by
> 	if (crtc) {
> 		crtc_state = drm_atomic_get_crtc_state(conn_state->state, crtc);
> 		if (IS_ERR(crtc_state))
> 			return PTR_ERR(crtc_state);
> 
> 		crtc_state->connector_mask |=
> 			drm_connector_mask(conn_state->connector);
> 
> 		drm_connector_get(conn_state->connector);
> 		conn_state->crtc = crtc;
> 
> 		drm_dbg_atomic(crtc->dev,
> 			       "Link [CONNECTOR:%d:%s] state %p to [CRTC:%d:%s]\n",
> 			       connector->base.id, connector->name,
> 			       conn_state, crtc->base.id, crtc->name);
> 	} else {
> 		drm_dbg_atomic(crtc->dev,
> 			       "Link [CONNECTOR:%d:%s] state %p to [NOCRTC]\n",
> 			       connector->base.id, connector->name,
> 			       conn_state);
> 	}

in drm_atomic_set_crtc_for_connector, which clearly dereferences a null 
pointer in the else block. This led to the reported general protection 
fault.

commit 0003b687ee6d ("drm: fix oops in drm_atomic_set_crtc_for_connector")
fixes this by getting the device from connector, which can't be NULL.

Link: https://syzkaller.appspot.com/bug?id=768a24e51bd111e0c1d6b6f4e1f09fac3c54c05d [1]

Best wishes,
Desmond
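As an added illustration (not the kernel's code and not from the message above), a self-contained C model of the fixed function: the struct stand-ins, names and sample objects are constructed for this example, and the [NOCRTC] branch takes the device from the connector, which is what the fix does.

```c
#include <stddef.h>
#include <stdio.h>

/* Minimal stand-ins for the DRM objects named in the report (not the kernel's structs). */
struct drm_device { const char *name; };
struct drm_crtc { struct drm_device *dev; int id; const char *name; };
struct drm_connector { struct drm_device *dev; int id; const char *name; };
struct drm_connector_state { struct drm_connector *connector; struct drm_crtc *crtc; };

/* Model of drm_atomic_set_crtc_for_connector after the fix: crtc may legitimately be NULL
 * (update_output_state passes NULL to unlink), so the device used for logging must come
 * from the connector, which is always valid, never from crtc. */
static int set_crtc_for_connector(struct drm_connector_state *conn_state, struct drm_crtc *crtc)
{
    struct drm_connector *connector = conn_state->connector;
    struct drm_device *dev = connector->dev; /* the fix: connector->dev, not crtc->dev */

    if (crtc) {
        conn_state->crtc = crtc;
        printf("%s: Link [CONNECTOR:%d:%s] to [CRTC:%d:%s]\n",
               dev->name, connector->id, connector->name, crtc->id, crtc->name);
    } else {
        conn_state->crtc = NULL;
        /* Before the fix this branch read crtc->dev with crtc == NULL: the reported GPF. */
        printf("%s: Link [CONNECTOR:%d:%s] to [NOCRTC]\n",
               dev->name, connector->id, connector->name);
    }
    return 0;
}

/* Constructed sample objects so the example runs stand-alone. */
static struct drm_device demo_dev = { "card0" };
static struct drm_crtc demo_crtc = { &demo_dev, 40, "crtc-0" };
static struct drm_connector demo_conn = { &demo_dev, 35, "HDMI-A-1" };
static struct drm_connector_state demo_state = { &demo_conn, NULL };

int main(void)
{
    set_crtc_for_connector(&demo_state, &demo_crtc); /* link */
    set_crtc_for_connector(&demo_state, NULL);       /* unlink: the path that used to oops */
    return 0;
}
```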
