Invoking drm_bridge_hpd_notify() on a drm_bridge with a HPD-enabled
bridge_connector ends up in drm_bridge_connector_hpd_cb() calling
drm_kms_helper_hotplug_event(), which assumes that the associated
drm_device's mode_config.funcs is a valid pointer.
But in the MSM DisplayPort driver the HPD enablement happens at bind
time and mode_config.funcs is initialized late in msm_drm_init(). This
means that there's a window for hot plug events to dereference a NULL
mode_config.funcs.
Move the assignment of mode_config.funcs before the bind, to avoid this
scenario.
Reported-by: Johan Hovold <johan@xxxxxxxxxx>
Signed-off-by: Bjorn Andersson <quic_bjorande@xxxxxxxxxxx>
---
drivers/gpu/drm/msm/msm_drv.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/gpu/drm/msm/msm_drv.c b/drivers/gpu/drm/msm/msm_drv.c
index ee2f60b6f09b..7ac670f3e6ab 100644
--- a/drivers/gpu/drm/msm/msm_drv.c
+++ b/drivers/gpu/drm/msm/msm_drv.c
@@ -438,6 +438,9 @@ static int msm_drm_init(struct device *dev, const struct drm_driver *drv)
drm_mode_config_init(ddev);
+ ddev->mode_config.funcs = &mode_config_funcs;
+ ddev->mode_config.helper_private = &mode_config_helper_funcs;
+
ret = msm_init_vram(ddev);
if (ret)
return ret;
@@ -479,9 +482,6 @@ static int msm_drm_init(struct device *dev, const struct drm_driver *drv)
drm_helper_move_panel_connectors_to_head(ddev);
- ddev->mode_config.funcs = &mode_config_funcs;
- ddev->mode_config.helper_private = &mode_config_helper_funcs;
-
for (i = 0; i < priv->num_crtcs; i++) {
/* initialize event thread */
priv->event_thread[i].crtc_id = priv->crtcs[i]->base.id;
--
2.37.3
