| Message ID | 20241029083429.1185479-1-chenridong@huaweicloud.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | drm/vmwgfx: avoid null_ptr_deref in vmw_framebuffer_surface_create_handle | expand |
On 2024/10/29 16:34, Chen Ridong wrote: > From: Chen Ridong <chenridong@huawei.com> > > The 'vmw_user_object_buffer' function may return NULL with incorrect > inputs. To avoid possible null pointer dereference, add a check whether > the 'bo' is NULL in the vmw_framebuffer_surface_create_handle. > > Fixes: d6667f0ddf46 ("drm/vmwgfx: Fix handling of dumb buffers") > Signed-off-by: Chen Ridong <chenridong@huawei.com> > --- > drivers/gpu/drm/vmwgfx/vmwgfx_kms.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c > index f39bf992364d..8db38927729b 100644 > --- a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c > +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c > @@ -1265,6 +1265,8 @@ static int vmw_framebuffer_surface_create_handle(struct drm_framebuffer *fb, > struct vmw_framebuffer_surface *vfbs = vmw_framebuffer_to_vfbs(fb); > struct vmw_bo *bo = vmw_user_object_buffer(&vfbs->uo); > > + if (WARN_ON(!bo)) > + return -EINVAL; > return drm_gem_handle_create(file_priv, &bo->tbo.base, handle); > } > Friendly ping.
On 2024/10/29 16:34, Chen Ridong wrote: > From: Chen Ridong <chenridong@huawei.com> > > The 'vmw_user_object_buffer' function may return NULL with incorrect > inputs. To avoid possible null pointer dereference, add a check whether > the 'bo' is NULL in the vmw_framebuffer_surface_create_handle. > > Fixes: d6667f0ddf46 ("drm/vmwgfx: Fix handling of dumb buffers") > Signed-off-by: Chen Ridong <chenridong@huawei.com> > --- > drivers/gpu/drm/vmwgfx/vmwgfx_kms.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c > index f39bf992364d..8db38927729b 100644 > --- a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c > +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c > @@ -1265,6 +1265,8 @@ static int vmw_framebuffer_surface_create_handle(struct drm_framebuffer *fb, > struct vmw_framebuffer_surface *vfbs = vmw_framebuffer_to_vfbs(fb); > struct vmw_bo *bo = vmw_user_object_buffer(&vfbs->uo); > > + if (WARN_ON(!bo)) > + return -EINVAL; > return drm_gem_handle_create(file_priv, &bo->tbo.base, handle); > } > Friendly ping.
On Tue, Oct 29, 2024 at 4:43 AM Chen Ridong <chenridong@huaweicloud.com> wrote: > > From: Chen Ridong <chenridong@huawei.com> > > The 'vmw_user_object_buffer' function may return NULL with incorrect > inputs. To avoid possible null pointer dereference, add a check whether > the 'bo' is NULL in the vmw_framebuffer_surface_create_handle. > > Fixes: d6667f0ddf46 ("drm/vmwgfx: Fix handling of dumb buffers") > Signed-off-by: Chen Ridong <chenridong@huawei.com> > --- > drivers/gpu/drm/vmwgfx/vmwgfx_kms.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c > index f39bf992364d..8db38927729b 100644 > --- a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c > +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c > @@ -1265,6 +1265,8 @@ static int vmw_framebuffer_surface_create_handle(struct drm_framebuffer *fb, > struct vmw_framebuffer_surface *vfbs = vmw_framebuffer_to_vfbs(fb); > struct vmw_bo *bo = vmw_user_object_buffer(&vfbs->uo); > > + if (WARN_ON(!bo)) > + return -EINVAL; > return drm_gem_handle_create(file_priv, &bo->tbo.base, handle); > } > > -- > 2.34.1 > Thank you. I pushed it to drm-misc-fixes. z
diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c index f39bf992364d..8db38927729b 100644 --- a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c @@ -1265,6 +1265,8 @@ static int vmw_framebuffer_surface_create_handle(struct drm_framebuffer *fb, struct vmw_framebuffer_surface *vfbs = vmw_framebuffer_to_vfbs(fb); struct vmw_bo *bo = vmw_user_object_buffer(&vfbs->uo); + if (WARN_ON(!bo)) + return -EINVAL; return drm_gem_handle_create(file_priv, &bo->tbo.base, handle); }