From: Mads Bligaard Nielsen <bli@xxxxxxxxxxxxxxx>

[ Upstream commit aeedaee5ef5468caf59e2bb1265c2116e0c9a924 ]

Moved IRQ registration down to end of adv7511_probe().

If an IRQ already is pending during adv7511_probe
(before adv7511_cec_init) then cec_received_msg_ts
could crash using uninitialized data:

    Unable to handle kernel read from unreadable memory at virtual address 00000000000003d5
    Internal error: Oops: 96000004 [#1] PREEMPT_RT SMP
    Call trace:
     cec_received_msg_ts+0x48/0x990 [cec]
     adv7511_cec_irq_process+0x1cc/0x308 [adv7511]
     adv7511_irq_process+0xd8/0x120 [adv7511]
     adv7511_irq_handler+0x1c/0x30 [adv7511]
     irq_thread_fn+0x30/0xa0
     irq_thread+0x14c/0x238
     kthread+0x190/0x1a8

Fixes: 3b1b975003e4 ("drm: adv7511/33: add HDMI CEC support")
Signed-off-by: Mads Bligaard Nielsen <bli@xxxxxxxxxxxxxxx>
Signed-off-by: Alvin Šipraga <alsi@xxxxxxxxxxxxxxx>
Reviewed-by: Robert Foss <rfoss@xxxxxxxxxx>
Signed-off-by: Robert Foss <rfoss@xxxxxxxxxx>
Link: https://patchwork.freedesktop.org/patch/msgid/20240219-adv7511-cec-irq-crash-fix-v2-1-245e53c4b96f@xxxxxxxxxxxxxxx
(cherry picked from commit aeedaee5ef5468caf59e2bb1265c2116e0c9a924)
[Harshit: CVE-2024-26876; Resolve conflicts due to missing commit:
 c75551214858 ("drm: adv7511: Add has_dsi variable to struct
 adv7511_chip_info") in 6.6.y and adv7511_chip_info struct is
 also not defined]
Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@xxxxxxxxxx>
Signed-off-by: Vegard Nossum <vegard.nossum@xxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 drivers/gpu/drm/bridge/adv7511/adv7511_drv.c | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)

--- a/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c
+++ b/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c
@@ -1291,17 +1291,6 @@ static int adv7511_probe(struct i2c_clie INIT_WORK(&adv7511->hpd_work, adv7511_hpd_work); - if (i2c->irq) { - init_waitqueue_head(&adv7511->wq); - - ret = devm_request_threaded_irq(dev, i2c->irq, NULL, - adv7511_irq_handler, - IRQF_ONESHOT, dev_name(dev), - adv7511); - if (ret) - goto err_unregister_cec; - } - adv7511_power_off(adv7511); i2c_set_clientdata(i2c, adv7511); @@ -1325,6 +1314,17 @@ static int adv7511_probe(struct i2c_clie adv7511_audio_init(dev, adv7511); + if (i2c->irq) { + init_waitqueue_head(&adv7511->wq); + + ret = devm_request_threaded_irq(dev, i2c->irq, NULL, + adv7511_irq_handler, + IRQF_ONESHOT, dev_name(dev), + adv7511); + if (ret) + goto err_unregister_audio; + } + if (adv7511->type == ADV7533 || adv7511->type == ADV7535) { ret = adv7533_attach_dsi(adv7511); if (ret) Patches currently in stable-queue which might be from vegard.nossum@xxxxxxxxxx are queue-6.6/drm-bridge-adv7511-fix-crash-on-irq-during-probe.patch queue-6.6/null_blk-fix-null-ptr-dereference-while-configuring-power-and-submit_queues.patch queue-6.6/netfilter-nf_tables-restore-set-elements-when-delete-set-fails.patch queue-6.6/iommufd-fix-protection-fault-in-iommufd_test_syz_conv_iova.patch queue-6.6/netfilter-nf_tables-fix-memleak-in-map-from-abort-path.patch queue-6.6/platform-x86-think-lmi-fix-password-opcode-ordering-for-workstations.patch queue-6.6/net-dsa-fix-netdev_priv-dereference-before-check-on-non-dsa-netdevice-events.patch queue-6.6/net-stmmac-move-the-est-lock-to-struct-stmmac_priv.patch queue-6.6/null_blk-remove-usage-of-the-deprecated-ida_simple_xx-api.patch queue-6.6/ubifs-ubifs_symlink-fix-memleak-of-inode-i_link-in-error-path.patch queue-6.6/efi-unaccepted-touch-soft-lockup-during-memory-accept.patch
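Review bot: In the first hunk the removed block bails out with `goto err_unregister_cec`, yet the commit message places this code before adv7511_cec_init(), so the old failure path jumped to a label named for CEC teardown before CEC had been initialised, and the changelog only covers the pending-IRQ crash. The relocated block uses `goto err_unregister_audio` instead, which matches its new position after adv7511_audio_init(); a sentence in the commit message saying the label change is intentional would help anyone resolving backport conflicts in trees where the error labels differ.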
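Review bot: In the second hunk the relocated `if (i2c->irq)` block carries no comment saying it has to stay after adv7511_cec_init() and adv7511_audio_init(), so a later reshuffle of adv7511_probe() can reintroduce the crash; a short comment above it noting that the handler reaches CEC state via adv7511_cec_irq_process() would pin the ordering. The teardown side is also worth confirming: the IRQ is requested with devm_request_threaded_irq(), so if adv7533_attach_dsi() fails just below, the handler stays registered until devres releases it after probe returns, and the error labels (outside this hunk) must not free anything the handler touches while it can still fire.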