drm/i915: Fix NULL pointer deference when out of PLLs in IVB

In commit f9476a6c6d0c ("drm/i915: Refactor platform specifics out of
intel_get_shared_dpll()"), the ibx_get_dpll() function lacked an error
check, that can lead to a NULL pointer dereference when trying to enable
three pipes.

BUG: unable to handle kernel NULL pointer dereference at 0000000000000068
IP: [<ffffffffa0482275>] intel_reference_shared_dpll+0x15/0x100 [i915]
PGD cec87067 PUD d30ce067 PMD 0
Oops: 0000 [#1] PREEMPT SMP
Modules linked in: snd_hda_intel i915 drm_kms_helper drm intel_gtt sch_fq_codel cfg80211 binfmt_misc i2c_algo_bit cfbfillrect syscopyarea cfbimgblt sysfillrect sysimgblt fb_sys_fops cfbcopyarea intel_rapl iosf_mbi x86_pkg_temp_thermal coretemp agpgart kvm_intel snd_hda_codec_hdmi kvm iTCO_wdt snd_hda_codec_realtek snd_hda_codec_generic irqbypass aesni_intel aes_x86_64 glue_helper lrw gf128mul ablk_helper cryptd psmouse pcspkr snd_hda_codec i2c_i801 snd_hwdep snd_hda_core snd_pcm snd_timer lpc_ich mfd_core snd soundcore wmi evdev tpm_tis tpm [last unloaded: drm]
CPU: 3 PID: 5810 Comm: kms_flip Tainted: G     U  W       4.6.0-test+ #3
Hardware name:                  /DZ77BH-55K, BIOS BHZ7710H.86A.0100.2013.0517.0942 05/17/2013
task: ffff8800d3908040 ti: ffff8801166c8000 task.ti: ffff8801166c8000
RIP: 0010:[<ffffffffa0482275>]  [<ffffffffa0482275>] intel_reference_shared_dpll+0x15/0x100 [i915]
RSP: 0018:ffff8801166cba60  EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000002
RDX: 0000000000000001 RSI: ffff8800d07f1bf8 RDI: 0000000000000000
RBP: ffff8801166cba88 R08: 0000000000000002 R09: ffff8800d32e5698
R10: 0000000000000001 R11: ffff8800cc89ac88 R12: ffff8800d07f1bf8
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
FS:  00007f4c3fc8d8c0(0000) GS:ffff88011bcc0000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000068 CR3: 00000000d3b4c000 CR4: 00000000001406e0
Stack:
 0000000000000000 ffff8800d07f1bf8 0000000000000000 ffff8800d04c0000
 0000000000000000 ffff8801166cbaa8 ffffffffa04823a7 ffff8800d07f1bf8
 ffff8800d32e5698 ffff8801166cbab8 ffffffffa04840cf ffff8801166cbaf0
Call Trace:
 [<ffffffffa04823a7>] ibx_get_dpll+0x47/0xa0 [i915]
 [<ffffffffa04840cf>] intel_get_shared_dpll+0x1f/0x50 [i915]
 [<ffffffffa046d080>] ironlake_crtc_compute_clock+0x280/0x430 [i915]
 [<ffffffffa0472ac0>] intel_crtc_atomic_check+0x240/0x320 [i915]
 [<ffffffffa03da18e>] drm_atomic_helper_check_planes+0x14e/0x1d0 [drm_kms_helper]
 [<ffffffffa0474a0c>] intel_atomic_check+0x5dc/0x1110 [i915]
 [<ffffffffa029d3aa>] drm_atomic_check_only+0x14a/0x660 [drm]
 [<ffffffffa029d086>] ? drm_atomic_set_crtc_for_connector+0x96/0x100 [drm]
 [<ffffffffa029d8d7>] drm_atomic_commit+0x17/0x60 [drm]
 [<ffffffffa03dc3b7>] restore_fbdev_mode+0x237/0x260 [drm_kms_helper]
 [<ffffffffa029c65a>] ? drm_modeset_lock_all_ctx+0x9a/0xb0 [drm]
 [<ffffffffa03de9b3>] drm_fb_helper_restore_fbdev_mode_unlocked+0x33/0x80 [drm_kms_helper]
 [<ffffffffa03dea2d>] drm_fb_helper_set_par+0x2d/0x50 [drm_kms_helper]
 [<ffffffffa03de93a>] drm_fb_helper_hotplug_event+0xaa/0xf0 [drm_kms_helper]
 [<ffffffffa03de9d6>] drm_fb_helper_restore_fbdev_mode_unlocked+0x56/0x80 [drm_kms_helper]
 [<ffffffffa0490f72>] intel_fbdev_restore_mode+0x22/0x80 [i915]
 [<ffffffffa04ba45e>] i915_driver_lastclose+0xe/0x20 [i915]
 [<ffffffffa02810de>] drm_lastclose+0x2e/0x130 [drm]
 [<ffffffffa028148c>] drm_release+0x2ac/0x4b0 [drm]
 [<ffffffff811a6b2d>] __fput+0xed/0x1f0
 [<ffffffff811a6c6e>] ____fput+0xe/0x10
 [<ffffffff81079156>] task_work_run+0x76/0xb0
 [<ffffffff8105aaab>] do_exit+0x3ab/0xc60
 [<ffffffff810a145f>] ? trace_hardirqs_on_caller+0x12f/0x1c0
 [<ffffffff8105c67e>] do_group_exit+0x4e/0xc0
 [<ffffffff8105c704>] SyS_exit_group+0x14/0x20
 [<ffffffff8158bb25>] entry_SYSCALL_64_fastpath+0x18/0xa8
Code: 14 80 48 8d 34 90 b8 01 00 00 00 d3 e0 09 04 b3 5b 41 5c 5d c3 90 0f 1f 44 00 00 55 48 89 e5 41 57 41 56 49 89 fe 41 55 41 54 53 <44> 8b 67 68 48 89 f3 48 8b be 08 02 00 00 4c 8b 2e e8 15 9d fd
RIP  [<ffffffffa0482275>] intel_reference_shared_dpll+0x15/0x100 [i915]
 RSP <ffff8801166cba60>
CR2: 0000000000000068

Cc: Ville Syrjälä <ville.syrjala@linux.intel.com>
Cc: drm-intel-fixes@lists.freedesktop.org
Reported-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
Fixes: f9476a6c6d0c ("drm/i915: Refactor platform specifics out of intel_get_shared_dpll()")
Signed-off-by: Ander Conselvan de Oliveira <ander.conselvan.de.oliveira@intel.com>
Reviewed-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
Tested-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
Link: http://patchwork.freedesktop.org/patch/msgid/1463748426-5956-1-git-send-email-ander.conselvan.de.oliveira@intel.com
(cherry picked from commit bb143165510661feda06fd99298b8b3a94af3046)
Signed-off-by: Jani Nikula <jani.nikula@intel.com>

diff --git a/drivers/gpu/drm/i915/intel_dpll_mgr.c b/drivers/gpu/drm/i915/intel_dpll_mgr.c
index 3ac705936b0436a0a528b45a3352bbcc689f619c..baf6f5584cbd8197334279210e5f08e976d46806 100644 (file)
--- a/drivers/gpu/drm/i915/intel_dpll_mgr.c
+++ b/drivers/gpu/drm/i915/intel_dpll_mgr.c
@@ -366,6 +366,9 @@ ibx_get_dpll(struct intel_crtc *crtc, struct intel_crtc_state *crtc_state,
                                             DPLL_ID_PCH_PLL_B);
        }
 
+       if (!pll)
+               return NULL;
+
        /* reference the pll */
        intel_reference_shared_dpll(pll, crtc_state);