[Intel-gfx] [PATCH] drm/i915: Fix NULL pointer dereference when out of PLLs in IVB

Ville Syrjälä ville.syrjala at linux.intel.com
Fri May 20 17:13:35 UTC 2016


On Fri, May 20, 2016 at 03:47:06PM +0300, Ander Conselvan de Oliveira wrote:
> In commit f9476a6c6d0c ("drm/i915: Refactor platform specifics out of
> intel_get_shared_dpll()"), the ibx_get_dpll() function lacked an error
> check, which can lead to a NULL pointer dereference when trying to enable
> pipe C.

s/pipe C/three pipes/

> 
> BUG: unable to handle kernel NULL pointer dereference at 0000000000000068
> IP: [<ffffffffa0482275>] intel_reference_shared_dpll+0x15/0x100 [i915]
> PGD cec87067 PUD d30ce067 PMD 0
> Oops: 0000 [#1] PREEMPT SMP
> Modules linked in: snd_hda_intel i915 drm_kms_helper drm intel_gtt sch_fq_codel cfg80211 binfmt_misc i2c_algo_bit cfbfillrect syscopyarea cfbimgblt sysfillrect sysimgblt fb_sys_fops cfbcopyarea intel_rapl iosf_mbi x86_pkg_temp_thermal coretemp agpgart kvm_intel snd_hda_codec_hdmi kvm iTCO_wdt snd_hda_codec_realtek snd_hda_codec_generic irqbypass aesni_intel aes_x86_64 glue_helper lrw gf128mul ablk_helper cryptd psmouse pcspkr snd_hda_codec i2c_i801 snd_hwdep snd_hda_core snd_pcm snd_timer lpc_ich mfd_core snd soundcore wmi evdev tpm_tis tpm [last unloaded: drm]
> CPU: 3 PID: 5810 Comm: kms_flip Tainted: G     U  W       4.6.0-test+ #3
> Hardware name:                  /DZ77BH-55K, BIOS BHZ7710H.86A.0100.2013.0517.0942 05/17/2013
> task: ffff8800d3908040 ti: ffff8801166c8000 task.ti: ffff8801166c8000
> RIP: 0010:[<ffffffffa0482275>]  [<ffffffffa0482275>] intel_reference_shared_dpll+0x15/0x100 [i915]
> RSP: 0018:ffff8801166cba60  EFLAGS: 00010246
> RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000002
> RDX: 0000000000000001 RSI: ffff8800d07f1bf8 RDI: 0000000000000000
> RBP: ffff8801166cba88 R08: 0000000000000002 R09: ffff8800d32e5698
> R10: 0000000000000001 R11: ffff8800cc89ac88 R12: ffff8800d07f1bf8
> R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
> FS:  00007f4c3fc8d8c0(0000) GS:ffff88011bcc0000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 0000000000000068 CR3: 00000000d3b4c000 CR4: 00000000001406e0
> Stack:
>  0000000000000000 ffff8800d07f1bf8 0000000000000000 ffff8800d04c0000
>  0000000000000000 ffff8801166cbaa8 ffffffffa04823a7 ffff8800d07f1bf8
>  ffff8800d32e5698 ffff8801166cbab8 ffffffffa04840cf ffff8801166cbaf0
> Call Trace:
>  [<ffffffffa04823a7>] ibx_get_dpll+0x47/0xa0 [i915]
>  [<ffffffffa04840cf>] intel_get_shared_dpll+0x1f/0x50 [i915]
>  [<ffffffffa046d080>] ironlake_crtc_compute_clock+0x280/0x430 [i915]
>  [<ffffffffa0472ac0>] intel_crtc_atomic_check+0x240/0x320 [i915]
>  [<ffffffffa03da18e>] drm_atomic_helper_check_planes+0x14e/0x1d0 [drm_kms_helper]
>  [<ffffffffa0474a0c>] intel_atomic_check+0x5dc/0x1110 [i915]
>  [<ffffffffa029d3aa>] drm_atomic_check_only+0x14a/0x660 [drm]
>  [<ffffffffa029d086>] ? drm_atomic_set_crtc_for_connector+0x96/0x100 [drm]
>  [<ffffffffa029d8d7>] drm_atomic_commit+0x17/0x60 [drm]
>  [<ffffffffa03dc3b7>] restore_fbdev_mode+0x237/0x260 [drm_kms_helper]
>  [<ffffffffa029c65a>] ? drm_modeset_lock_all_ctx+0x9a/0xb0 [drm]
>  [<ffffffffa03de9b3>] drm_fb_helper_restore_fbdev_mode_unlocked+0x33/0x80 [drm_kms_helper]
>  [<ffffffffa03dea2d>] drm_fb_helper_set_par+0x2d/0x50 [drm_kms_helper]
>  [<ffffffffa03de93a>] drm_fb_helper_hotplug_event+0xaa/0xf0 [drm_kms_helper]
>  [<ffffffffa03de9d6>] drm_fb_helper_restore_fbdev_mode_unlocked+0x56/0x80 [drm_kms_helper]
>  [<ffffffffa0490f72>] intel_fbdev_restore_mode+0x22/0x80 [i915]
>  [<ffffffffa04ba45e>] i915_driver_lastclose+0xe/0x20 [i915]
>  [<ffffffffa02810de>] drm_lastclose+0x2e/0x130 [drm]
>  [<ffffffffa028148c>] drm_release+0x2ac/0x4b0 [drm]
>  [<ffffffff811a6b2d>] __fput+0xed/0x1f0
>  [<ffffffff811a6c6e>] ____fput+0xe/0x10
>  [<ffffffff81079156>] task_work_run+0x76/0xb0
>  [<ffffffff8105aaab>] do_exit+0x3ab/0xc60
>  [<ffffffff810a145f>] ? trace_hardirqs_on_caller+0x12f/0x1c0
>  [<ffffffff8105c67e>] do_group_exit+0x4e/0xc0
>  [<ffffffff8105c704>] SyS_exit_group+0x14/0x20
>  [<ffffffff8158bb25>] entry_SYSCALL_64_fastpath+0x18/0xa8
> Code: 14 80 48 8d 34 90 b8 01 00 00 00 d3 e0 09 04 b3 5b 41 5c 5d c3 90 0f 1f 44 00 00 55 48 89 e5 41 57 41 56 49 89 fe 41 55 41 54 53 <44> 8b 67 68 48 89 f3 48 8b be 08 02 00 00 4c 8b 2e e8 15 9d fd
> RIP  [<ffffffffa0482275>] intel_reference_shared_dpll+0x15/0x100 [i915]
>  RSP <ffff8801166cba60>
> CR2: 0000000000000068
> 
> Cc: Ville Syrjälä <ville.syrjala at linux.intel.com>
> Reported-by: Ville Syrjälä <ville.syrjala at linux.intel.com>
> Fixes: f9476a6c6d0c ("drm/i915: Refactor platform specifics out of intel_get_shared_dpll()")
> Signed-off-by: Ander Conselvan de Oliveira <ander.conselvan.de.oliveira at intel.com>

Reviewed-by: Ville Syrjälä <ville.syrjala at linux.intel.com>
Tested-by: Ville Syrjälä <ville.syrjala at linux.intel.com>

> ---
>  drivers/gpu/drm/i915/intel_dpll_mgr.c | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/drivers/gpu/drm/i915/intel_dpll_mgr.c b/drivers/gpu/drm/i915/intel_dpll_mgr.c
> index f988adb..1e3d091 100644
> --- a/drivers/gpu/drm/i915/intel_dpll_mgr.c
> +++ b/drivers/gpu/drm/i915/intel_dpll_mgr.c
> @@ -366,6 +366,9 @@ ibx_get_dpll(struct intel_crtc *crtc, struct intel_crtc_state *crtc_state,
>  					     DPLL_ID_PCH_PLL_B);
>  	}
>  
> +	if (!pll)
> +		return NULL;
> +
>  	/* reference the pll */
>  	intel_reference_shared_dpll(pll, crtc_state);
>  
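
Review bot: the new `if (!pll) return NULL;` ahead of `intel_reference_shared_dpll(pll, crtc_state)` returns silently, so running out of PLLs leaves nothing in the log; a debug message at this early return would make the failed modeset diagnosable. The fix also depends on the callers shown in the trace, intel_get_shared_dpll() and ironlake_crtc_compute_clock(), turning the NULL into an error from the atomic check, and the commit message should say that they do. The placement itself matches the oops: RDI is 0 and CR2 is 0x68 inside intel_reference_shared_dpll(), which is a field read through a NULL pll.
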
> -- 
> 2.5.5

-- 
Ville Syrjälä
Intel OTC

