Patch "drm/mediatek: Fix potential NULL dereference in mtk_crtc_destroy()" has been added to the 6.11-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Sat, 2 Nov 2024 18:27:13 -0400

This is a note to let you know that I've just added the patch titled

    drm/mediatek: Fix potential NULL dereference in mtk_crtc_destroy()

to the 6.11-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     drm-mediatek-fix-potential-null-dereference-in-mtk_c.patch
and it can be found in the queue-6.11 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit ad86bde3b9ac7bce5416c573ba8f0bff633a4d84
Author: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
Date:   Thu Sep 12 11:44:59 2024 +0300

    drm/mediatek: Fix potential NULL dereference in mtk_crtc_destroy()
    
    [ Upstream commit 4018651ba5c409034149f297d3dd3328b91561fd ]
    
    In mtk_crtc_create(), if the call to mbox_request_channel() fails then we
    set the "mtk_crtc->cmdq_client.chan" pointer to NULL.  In that situation,
    we do not call cmdq_pkt_create().
    
    During the cleanup, we need to check if the "mtk_crtc->cmdq_client.chan"
    is NULL first before calling cmdq_pkt_destroy().  Calling
    cmdq_pkt_destroy() is unnecessary if we didn't call cmdq_pkt_create() and
    it will result in a NULL pointer dereference.
    
    Fixes: 7627122fd1c0 ("drm/mediatek: Add cmdq_handle in mtk_crtc")
    Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
    Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@xxxxxxxxxxxxx>
    Reviewed-by: CK Hu <ck.hu@xxxxxxxxxxxx>
    Link: https://patchwork.kernel.org/project/dri-devel/patch/cc537bd6-837f-4c85-a37b-1a007e268310@stanley.mountain/
    Signed-off-by: Chun-Kuang Hu <chunkuang.hu@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/gpu/drm/mediatek/mtk_crtc.c b/drivers/gpu/drm/mediatek/mtk_crtc.c
index 4bee0328bdbee..e5d412b2d61b6 100644
--- a/drivers/gpu/drm/mediatek/mtk_crtc.c
+++ b/drivers/gpu/drm/mediatek/mtk_crtc.c
@@ -127,9 +127,8 @@ static void mtk_crtc_destroy(struct drm_crtc *crtc)
 
 	mtk_mutex_put(mtk_crtc->mutex);
 #if IS_REACHABLE(CONFIG_MTK_CMDQ)
-	cmdq_pkt_destroy(&mtk_crtc->cmdq_client, &mtk_crtc->cmdq_handle);
-
 	if (mtk_crtc->cmdq_client.chan) {
+		cmdq_pkt_destroy(&mtk_crtc->cmdq_client, &mtk_crtc->cmdq_handle);
 		mbox_free_channel(mtk_crtc->cmdq_client.chan);
 		mtk_crtc->cmdq_client.chan = NULL;
 	}







