| Message ID | 20171204215418.GA23874@embeddedor.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
On Mon, Dec 04, 2017 at 03:54:18PM -0600, Gustavo A. R. Silva wrote: > crtc_state is being null checked in a previous code block, which implies > that such pointer might be null. > > crtc_state is dereferenced in drm_atomic_helper_check_plane_state, hence > there is a potential null pointer dereference. This is a false positive. drm_atomic_helper_check_plane_state() will not dereference crtc_state when plane_state->crtc is NULL. > > Fix this by warning-on and returning -EINVAL in case crtc_state is null. > > Addresses-Coverity-ID: 1462412 ("Dereference after null check") > Fixes: a01cb8ba3f62 ("drm: Move drm_plane_helper_check_state() into drm_atomic_helper.c") > Signed-off-by: Gustavo A. R. Silva <garsilva@embeddedor.com> > --- > drivers/gpu/drm/vmwgfx/vmwgfx_kms.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c > index a2a93d7..72c3b290 100644 > --- a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c > +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c > @@ -454,6 +454,9 @@ int vmw_du_primary_plane_atomic_check(struct drm_plane *plane, > clip.y2 = crtc_state->adjusted_mode.vdisplay; > } > > + if (WARN_ON(!crtc_state)) > + return -EINVAL; This would in fact break the driver because it would flag an error whenever the plane is disabled. > + > ret = drm_atomic_helper_check_plane_state(state, crtc_state, &clip, > DRM_PLANE_HELPER_NO_SCALING, > DRM_PLANE_HELPER_NO_SCALING, > -- > 2.7.4 > > _______________________________________________ > dri-devel mailing list > dri-devel@lists.freedesktop.org > https://lists.freedesktop.org/mailman/listinfo/dri-devel
Hi Ville, Quoting Ville Syrjälä <ville.syrjala@linux.intel.com>: > On Mon, Dec 04, 2017 at 03:54:18PM -0600, Gustavo A. R. Silva wrote: >> crtc_state is being null checked in a previous code block, which implies >> that such pointer might be null. >> >> crtc_state is dereferenced in drm_atomic_helper_check_plane_state, hence >> there is a potential null pointer dereference. > > This is a false positive. drm_atomic_helper_check_plane_state() will not > dereference crtc_state when plane_state->crtc is NULL. > You are right. Thank you for clarifying. -- Gustavo A. R. Silva
diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c index a2a93d7..72c3b290 100644 --- a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c @@ -454,6 +454,9 @@ int vmw_du_primary_plane_atomic_check(struct drm_plane *plane, clip.y2 = crtc_state->adjusted_mode.vdisplay; } + if (WARN_ON(!crtc_state)) + return -EINVAL; + ret = drm_atomic_helper_check_plane_state(state, crtc_state, &clip, DRM_PLANE_HELPER_NO_SCALING, DRM_PLANE_HELPER_NO_SCALING,
crtc_state is being null checked in a previous code block, which implies that such pointer might be null. crtc_state is dereferenced in drm_atomic_helper_check_plane_state, hence there is a potential null pointer dereference. Fix this by warning-on and returning -EINVAL in case crtc_state is null. Addresses-Coverity-ID: 1462412 ("Dereference after null check") Fixes: a01cb8ba3f62 ("drm: Move drm_plane_helper_check_state() into drm_atomic_helper.c") Signed-off-by: Gustavo A. R. Silva <garsilva@embeddedor.com> --- drivers/gpu/drm/vmwgfx/vmwgfx_kms.c | 3 +++ 1 file changed, 3 insertions(+)