2020-08-19 14:39:26

by Nadezda Lutovinova

[permalink] [raw]
Subject: [PATCH] drm/brige/megachips: Add checking if ge_b850v3_lvds_init() is working correctly

If ge_b850v3_lvds_init() does not allocate memory for ge_b850v3_lvds_ptr,
then a null pointer dereference is accessed.

The patch adds checking of the return value of ge_b850v3_lvds_init().

Found by Linux Driver Verification project (linuxtesting.org).

Signed-off-by: Nadezda Lutovinova <[email protected]>
---
drivers/gpu/drm/bridge/megachips-stdpxxxx-ge-b850v3-fw.c | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/drivers/gpu/drm/bridge/megachips-stdpxxxx-ge-b850v3-fw.c b/drivers/gpu/drm/bridge/megachips-stdpxxxx-ge-b850v3-fw.c
index 6200f12..ab81748 100644
--- a/drivers/gpu/drm/bridge/megachips-stdpxxxx-ge-b850v3-fw.c
+++ b/drivers/gpu/drm/bridge/megachips-stdpxxxx-ge-b850v3-fw.c
@@ -302,8 +302,12 @@ static int stdp4028_ge_b850v3_fw_probe(struct i2c_client *stdp4028_i2c,
const struct i2c_device_id *id)
{
struct device *dev = &stdp4028_i2c->dev;
+ int ret;
+
+ ret = ge_b850v3_lvds_init(dev);

- ge_b850v3_lvds_init(dev);
+ if (ret)
+ return ret;

ge_b850v3_lvds_ptr->stdp4028_i2c = stdp4028_i2c;
i2c_set_clientdata(stdp4028_i2c, ge_b850v3_lvds_ptr);
@@ -361,8 +365,12 @@ static int stdp2690_ge_b850v3_fw_probe(struct i2c_client *stdp2690_i2c,
const struct i2c_device_id *id)
{
struct device *dev = &stdp2690_i2c->dev;
+ int ret;
+
+ ret = ge_b850v3_lvds_init(dev);

- ge_b850v3_lvds_init(dev);
+ if (ret)
+ return ret;

ge_b850v3_lvds_ptr->stdp2690_i2c = stdp2690_i2c;
i2c_set_clientdata(stdp2690_i2c, ge_b850v3_lvds_ptr);
--
1.9.1


2020-08-23 15:26:21

by Sam Ravnborg

[permalink] [raw]
Subject: Re: [PATCH] drm/brige/megachips: Add checking if ge_b850v3_lvds_init() is working correctly

Hi Nadezda

On Wed, Aug 19, 2020 at 05:37:56PM +0300, Nadezda Lutovinova wrote:
> If ge_b850v3_lvds_init() does not allocate memory for ge_b850v3_lvds_ptr,
> then a null pointer dereference is accessed.
>
> The patch adds checking of the return value of ge_b850v3_lvds_init().
>
> Found by Linux Driver Verification project (linuxtesting.org).
>
> Signed-off-by: Nadezda Lutovinova <[email protected]>

Thanks, applied to drm-misc-next, so it will hit upstream during the
next merge window.

Sam

> ---
> drivers/gpu/drm/bridge/megachips-stdpxxxx-ge-b850v3-fw.c | 12 ++++++++++--
> 1 file changed, 10 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/gpu/drm/bridge/megachips-stdpxxxx-ge-b850v3-fw.c b/drivers/gpu/drm/bridge/megachips-stdpxxxx-ge-b850v3-fw.c
> index 6200f12..ab81748 100644
> --- a/drivers/gpu/drm/bridge/megachips-stdpxxxx-ge-b850v3-fw.c
> +++ b/drivers/gpu/drm/bridge/megachips-stdpxxxx-ge-b850v3-fw.c
> @@ -302,8 +302,12 @@ static int stdp4028_ge_b850v3_fw_probe(struct i2c_client *stdp4028_i2c,
> const struct i2c_device_id *id)
> {
> struct device *dev = &stdp4028_i2c->dev;
> + int ret;
> +
> + ret = ge_b850v3_lvds_init(dev);
>
> - ge_b850v3_lvds_init(dev);
> + if (ret)
> + return ret;
>
> ge_b850v3_lvds_ptr->stdp4028_i2c = stdp4028_i2c;
> i2c_set_clientdata(stdp4028_i2c, ge_b850v3_lvds_ptr);
> @@ -361,8 +365,12 @@ static int stdp2690_ge_b850v3_fw_probe(struct i2c_client *stdp2690_i2c,
> const struct i2c_device_id *id)
> {
> struct device *dev = &stdp2690_i2c->dev;
> + int ret;
> +
> + ret = ge_b850v3_lvds_init(dev);
>
> - ge_b850v3_lvds_init(dev);
> + if (ret)
> + return ret;
>
> ge_b850v3_lvds_ptr->stdp2690_i2c = stdp2690_i2c;
> i2c_set_clientdata(stdp2690_i2c, ge_b850v3_lvds_ptr);
> --
> 1.9.1
>
> _______________________________________________
> dri-devel mailing list
> [email protected]
> https://lists.freedesktop.org/mailman/listinfo/dri-devel