From: Oleksandr Andrushchenko
To: dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org
Cc: daniel.vetter@intel.com, gustavo@padovan.org, airlied@linux.ie, seanpaul@chromium.org, Oleksandr Andrushchenko
Subject: [PATCH] drm/simple_kms_helper: Fix NULL pointer dereference with no active CRTC
Date: Tue, 13 Feb 2018 10:44:16 +0200
Message-Id: <1518511456-28257-1-git-send-email-andr2000@gmail.com>
X-Mailer: git-send-email 2.7.4
X-Mailing-List: linux-kernel@vger.kernel.org

From: Oleksandr Andrushchenko

It is possible that drm_simple_kms_plane_atomic_check is called with no CRTC set, e.g. when user-space application sets CRTC_ID/FB_ID to 0 before doing any actual drawing. This leads to NULL pointer dereference because in this case new CRTC state is NULL and must be checked before accessing.

Signed-off-by: Oleksandr Andrushchenko
--- drivers/gpu/drm/drm_simple_kms_helper.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/drivers/gpu/drm/drm_simple_kms_helper.c b/drivers/gpu/drm/drm_simple_kms_helper.c index 9ca8a4a59b74..a05eca9cec8b 100644 --- a/drivers/gpu/drm/drm_simple_kms_helper.c +++ b/drivers/gpu/drm/drm_simple_kms_helper.c 
@@ -121,8 +121,10 @@ static int drm_simple_kms_plane_atomic_check(struct drm_plane *plane, pipe = container_of(plane, struct drm_simple_display_pipe, plane); crtc_state = drm_atomic_get_new_crtc_state(plane_state->state, &pipe->crtc); - if (!crtc_state->enable) - return 0; /* nothing to check when disabling or disabled */ + + if (!crtc_state || !crtc_state->enable) + /* nothing to check when disabling or disabled or no CRTC set */ + return 0; if (crtc_state->enable) drm_mode_get_hv_timing(&crtc_state->mode, -- 2.7.4 From mboxrd@z Thu Jan 1 00:00:00 1970 
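Review bot: In the added `if (!crtc_state || !crtc_state->enable)`, the body is a comment line followed by `return 0;` with no braces, so the statement the condition guards is easy to misread and easy to break on a later edit; move the comment above the `if` or brace the two lines. The unchanged `if (crtc_state->enable)` that follows is always true once this early return has been passed, so it can be dropped in the same change. The NULL test is ordered correctly: `!crtc_state` short-circuits before `crtc_state->enable` is read, which closes the dereference the commit message describes.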