On Thu, Jun 02, 2022 at 04:17:56PM -0400, Lyude Paul wrote:
> I noticed a rather surprising issue here while working on removing all of
> the non-atomic MST code: drm_atomic_get_mst_topology_state() doesn't check
> the return value of drm_atomic_get_private_obj_state() and instead just
> passes it directly to to_dp_mst_topology_state(). This means that if we
> hit a deadlock or something else which would return an error code pointer,
> we'll likely segfault the kernel.
>
> This is definitely another one of those fixes where I'm astonished we
> somehow managed never to discover this issue until now…
It has been discussed before.
struct drm_dp_mst_topology_state {
struct drm_private_state base;
...
}
so offsetof(base)==0.
>
> Signed-off-by: Lyude Paul <lyude@xxxxxxxxxx>
> Fixes: a4370c777406 ("drm/atomic: Make private objs proper objects")
> Cc: Ville Syrjälä <ville.syrjala@xxxxxxxxxxxxxxx>
> Cc: <stable@xxxxxxxxxxxxxxx> # v4.14+
> ---
> drivers/gpu/drm/display/drm_dp_mst_topology.c | 2 +-
> include/drm/display/drm_dp_mst_helper.h | 2 ++
> 2 files changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/gpu/drm/display/drm_dp_mst_topology.c b/drivers/gpu/drm/display/drm_dp_mst_topology.c
> index d84673b3294b..d6e595b95f07 100644
> --- a/drivers/gpu/drm/display/drm_dp_mst_topology.c
> +++ b/drivers/gpu/drm/display/drm_dp_mst_topology.c
> @@ -5468,7 +5468,7 @@ EXPORT_SYMBOL(drm_dp_mst_topology_state_funcs);
> struct drm_dp_mst_topology_state *drm_atomic_get_mst_topology_state(struct drm_atomic_state *state,
> struct drm_dp_mst_topology_mgr *mgr)
> {
> - return to_dp_mst_topology_state(drm_atomic_get_private_obj_state(state, &mgr->base));
> + return to_dp_mst_topology_state_safe(drm_atomic_get_private_obj_state(state, &mgr->base));
> }
> EXPORT_SYMBOL(drm_atomic_get_mst_topology_state);
>
> diff --git a/include/drm/display/drm_dp_mst_helper.h b/include/drm/display/drm_dp_mst_helper.h
> index 10adec068b7f..fe7577e7f305 100644
> --- a/include/drm/display/drm_dp_mst_helper.h
> +++ b/include/drm/display/drm_dp_mst_helper.h
> @@ -541,6 +541,8 @@ struct drm_dp_payload {
> };
>
> #define to_dp_mst_topology_state(x) container_of(x, struct drm_dp_mst_topology_state, base)
> +#define to_dp_mst_topology_state_safe(x) \
> + container_of_safe(x, struct drm_dp_mst_topology_state, base)
Wasn't aware of container_of_safe(). I suppose no real harm
in using it. Not sure why we'd even keep the non-safe version
around?
Though the use of container_of_safe() everywhere won't help
when "casting" the other way (&foo->base, when foo==NULL/errptr).
In order to make that work for non-zero offsets we'd have to
introduce a casting macro for that direction as well.
>
> struct drm_dp_vcpi_allocation {
> struct drm_dp_mst_port *port;
> --
> 2.35.3
--
Ville Syrjälä
Intel
