From: Mads Bligaard Nielsen bli@bang-olufsen.dk
mainline inclusion from mainline-v6.9-rc1 commit aeedaee5ef5468caf59e2bb1265c2116e0c9a924 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9HKEE CVE: CVE-2024-26876
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=...
--------------------------------
Moved IRQ registration down to end of adv7511_probe().
If an IRQ already is pending during adv7511_probe (before adv7511_cec_init) then cec_received_msg_ts could crash using uninitialized data:
Unable to handle kernel read from unreadable memory at virtual address 00000000000003d5 Internal error: Oops: 96000004 [#1] PREEMPT_RT SMP Call trace: cec_received_msg_ts+0x48/0x990 [cec] adv7511_cec_irq_process+0x1cc/0x308 [adv7511] adv7511_irq_process+0xd8/0x120 [adv7511] adv7511_irq_handler+0x1c/0x30 [adv7511] irq_thread_fn+0x30/0xa0 irq_thread+0x14c/0x238 kthread+0x190/0x1a8
Fixes: 3b1b975003e4 ("drm: adv7511/33: add HDMI CEC support") Signed-off-by: Mads Bligaard Nielsen bli@bang-olufsen.dk Signed-off-by: Alvin Šipraga alsi@bang-olufsen.dk Reviewed-by: Robert Foss rfoss@kernel.org Signed-off-by: Robert Foss rfoss@kernel.org Link: https://patchwork.freedesktop.org/patch/msgid/20240219-adv7511-cec-irq-crash...
Conflicts: drivers/gpu/drm/bridge/adv7511/adv7511_drv.c
Signed-off-by: Zhao Wenhui zhaowenhui8@huawei.com --- drivers/gpu/drm/bridge/adv7511/adv7511_drv.c | 23 ++++++++++---------- 1 file changed, 12 insertions(+), 11 deletions(-)
diff --git a/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c b/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c index e7ddd3e3db92..31bce3a37b20 100644 --- a/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c +++ b/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c @@ -1194,17 +1194,6 @@ static int adv7511_probe(struct i2c_client *i2c, const struct i2c_device_id *id)
INIT_WORK(&adv7511->hpd_work, adv7511_hpd_work);
- if (i2c->irq) { - init_waitqueue_head(&adv7511->wq); - - ret = devm_request_threaded_irq(dev, i2c->irq, NULL, - adv7511_irq_handler, - IRQF_ONESHOT, dev_name(dev), - adv7511); - if (ret) - goto err_unregister_cec; - } - adv7511_power_off(adv7511);
i2c_set_clientdata(i2c, adv7511); @@ -1222,6 +1211,18 @@ static int adv7511_probe(struct i2c_client *i2c, const struct i2c_device_id *id) drm_bridge_add(&adv7511->bridge);
adv7511_audio_init(dev, adv7511); + + if (i2c->irq) { + init_waitqueue_head(&adv7511->wq); + + ret = devm_request_threaded_irq(dev, i2c->irq, NULL, + adv7511_irq_handler, + IRQF_ONESHOT, dev_name(dev), + adv7511); + if (ret) + goto err_unregister_cec; + } + return 0;
err_unregister_cec: