general protection fault in drm_atomic_set_crtc_for_connector
Desmond Cheong Zhi Xi
desmondcheongzx at gmail.com
Wed Aug 18 09:35:31 UTC 2021
#syz fix: drm: fix oops in drm_atomic_set_crtc_for_connector
At the time of the bug report [1], there was the following call in
update_output_state:
> ret = drm_atomic_set_crtc_for_connector(new_conn_state,
>                                         NULL);
This was followed by
>     if (crtc) {
>         crtc_state = drm_atomic_get_crtc_state(conn_state->state, crtc);
>         if (IS_ERR(crtc_state))
>             return PTR_ERR(crtc_state);
>
>         crtc_state->connector_mask |=
>             drm_connector_mask(conn_state->connector);
>
>         drm_connector_get(conn_state->connector);
>         conn_state->crtc = crtc;
>
>         drm_dbg_atomic(crtc->dev,
>                        "Link [CONNECTOR:%d:%s] state %p to [CRTC:%d:%s]\n",
>                        connector->base.id, connector->name,
>                        conn_state, crtc->base.id, crtc->name);
>     } else {
>         drm_dbg_atomic(crtc->dev,
>                        "Link [CONNECTOR:%d:%s] state %p to [NOCRTC]\n",
>                        connector->base.id, connector->name,
>                        conn_state);
>     }
in drm_atomic_set_crtc_for_connector, which clearly dereferences a null
pointer in the else block. This led to the reported general protection
fault.
commit 0003b687ee6d ("drm: fix oops in
drm_atomic_set_crtc_for_connector") fixes this by getting the device
from connector, which can't be NULL.
Link: https://syzkaller.appspot.com/bug?id=768a24e51bd111e0c1d6b6f4e1f09fac3c54c05d [1]
Best wishes,
Desmond
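As an added illustration (not code from this thread or from the kernel), a simplified C model of the two branches discussed above: the pre-fix version reaches for crtc->dev in the [NOCRTC] branch, where crtc is NULL by construction, while the post-fix version takes the device from the connector. The struct layouts, dbg() and run_case() are invented stand-ins for the real DRM objects and drm_dbg_atomic().

```c
#include <stdio.h>

/* Simplified stand-ins for the DRM objects (not the kernel's real structs). */
struct dev  { const char *name; };
struct crtc { struct dev *dev; unsigned id; unsigned connector_mask; };
struct conn { struct dev *dev; unsigned id; struct crtc *crtc; };

/* drm_dbg_atomic() stand-in: -1 where the kernel would oops on a NULL dev. */
static int dbg(struct dev *dev, const char *msg)
{
    if (dev) { printf("[%s] %s\n", dev->name, msg); return 0; }
    return -1;
}

/* Before the fix: the [NOCRTC] branch logs through crtc->dev although crtc
 * is NULL in exactly that branch (modelled as handing NULL to dbg()). */
static int link_connector_buggy(struct conn *c, struct crtc *crtc)
{
    if (crtc) {
        crtc->connector_mask |= 1u << c->id;
        c->crtc = crtc;
        return dbg(crtc->dev, "link connector to crtc");
    }
    c->crtc = NULL;
    return dbg(NULL, "link connector to [NOCRTC]");   /* was crtc->dev */
}

/* After commit 0003b687ee6d: use the connector's device, which the caller
 * always passes, so it is valid with or without a CRTC. */
static int link_connector_fixed(struct conn *c, struct crtc *crtc)
{
    if (crtc) {
        crtc->connector_mask |= 1u << c->id;
        c->crtc = crtc;
        return dbg(c->dev, "link connector to crtc");
    }
    c->crtc = NULL;
    return dbg(c->dev, "link connector to [NOCRTC]");
}

/* Runs one case on constructed objects and returns the logging result. */
static int run_case(int use_fixed, int with_crtc)
{
    struct dev d = { "card0" };
    struct crtc cr = { &d, 1, 0 };
    struct conn cn = { &d, 3, NULL };
    struct crtc *arg = with_crtc ? &cr : NULL;
    return (use_fixed ? link_connector_fixed : link_connector_buggy)(&cn, arg);
}
```

Only the combination of the pre-fix code and a NULL CRTC fails; both variants behave identically when a CRTC is supplied, which is why the bug only surfaced on the NULL path exercised by the syzkaller reproducer.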