2023-11-16 06:52:22

by Andrey Shumilin

Subject: [PATCH] tvnv17.c: Adding a NULL pointer check.

It is possible to dereference a null pointer if drm_mode_duplicate() returns NULL.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Signed-off-by: Andrey Shumilin <[email protected]>
---
drivers/gpu/drm/nouveau/dispnv04/tvnv17.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/nouveau/dispnv04/tvnv17.c b/drivers/gpu/drm/nouveau/dispnv04/tvnv17.c
index 670c9739e5e1..1f0c5f4a5fd2 100644
--- a/drivers/gpu/drm/nouveau/dispnv04/tvnv17.c
+++ b/drivers/gpu/drm/nouveau/dispnv04/tvnv17.c
@@ -209,7 +209,8 @@ static int nv17_tv_get_ld_modes(struct drm_encoder *encoder,
struct drm_display_mode *mode;

mode = drm_mode_duplicate(encoder->dev, tv_mode);
-
+ if (mode == NULL)
+ continue;
mode->clock = tv_norm->tv_enc_mode.vrefresh *
mode->htotal / 1000 *
mode->vtotal / 1000;
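Review bot: The `continue` added after drm_mode_duplicate() in nv17_tv_get_ld_modes() drops the mode silently, so the caller cannot tell that an entry was skipped. If the NULL comes from a failed allocation, later passes through the same loop body are likely to fail the same way, so either say in the commit message that skipping is intended or stop the loop at that point. On style, kernel code normally spells the test `if (!mode)`, and the blank line this hunk removes would be better kept after `continue;` to separate the check from the `mode->clock` computation.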
@@ -258,6 +259,8 @@ static int nv17_tv_get_hd_modes(struct drm_encoder *encoder,
if (modes[i].hdisplay == output_mode->hdisplay &&
modes[i].vdisplay == output_mode->vdisplay) {
mode = drm_mode_duplicate(encoder->dev, output_mode);
+ if (mode == NULL)
+ continue;
mode->type |= DRM_MODE_TYPE_PREFERRED;

} else {
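Review bot: The NULL check in nv17_tv_get_hd_modes() guards only the `if` branch, ahead of `mode->type |= DRM_MODE_TYPE_PREFERRED;`. The `else` branch that opens on the last context line is not shown in this hunk; if it also obtains `mode` from a call that can return NULL, it needs the same guard before `mode` is used after the if/else. Please confirm that path and mention it in the commit message either way.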
--
2.30.2


2024-01-05 21:13:54

by Alexey Khoroshilov

Subject: Re: [PATCH] tvnv17.c: Adding a NULL pointer check.

> Subject: tvnv17.c: Adding a NULL pointer check.

As

$ git log --oneline drivers/gpu/drm/nouveau/dispnv04/tvnv17.c
874ee2d67fc9 drm/nouveau: Remove unnecessary include statements for
drm_crtc_helper.h
80ed86d4b6d7 drm/connector: Rename drm_mode_create_tv_properties
1fd4a5a36f9f drm/connector: Rename legacy TV property
09838c4efe9a drm/nouveau/kms: Search for encoders' connectors properly
2574c809d7c0 drm/nouveau/kms/nv04-nv4x: Use match_string() helper to
simplify the code
...

shows, a better prefix should be
drm/nouveau:
and there should not be a dot at the end.

e.g.
drm/nouveau: Avoid NPE in nv17_tv_get_XX_modes()

On 16.11.2023 09:51, Andrey Shumilin wrote:
> It is possible to dereference a null pointer if drm_mode_duplicate() returns NULL.

I would suggest adding a little more detail:

drm_mode_duplicate() may return NULL in case of error, e.g. if memory
allocation fails. It leads to NULL pointer dereference in
nv17_tv_get_ld_modes() and nv17_tv_get_hd_modes(), since they do not
check if drm_mode_duplicate() succeeds.

Otherwise, looks good.

Reviewed-by: Alexey Khoroshilov <[email protected]>


>
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>
> Signed-off-by: Andrey Shumilin <[email protected]>
> ---
> drivers/gpu/drm/nouveau/dispnv04/tvnv17.c | 5 ++++-
> 1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/gpu/drm/nouveau/dispnv04/tvnv17.c b/drivers/gpu/drm/nouveau/dispnv04/tvnv17.c
> index 670c9739e5e1..1f0c5f4a5fd2 100644
> --- a/drivers/gpu/drm/nouveau/dispnv04/tvnv17.c
> +++ b/drivers/gpu/drm/nouveau/dispnv04/tvnv17.c
> @@ -209,7 +209,8 @@ static int nv17_tv_get_ld_modes(struct drm_encoder *encoder,
> struct drm_display_mode *mode;
>
> mode = drm_mode_duplicate(encoder->dev, tv_mode);
> -
> + if (mode == NULL)
> + continue;
> mode->clock = tv_norm->tv_enc_mode.vrefresh *
> mode->htotal / 1000 *
> mode->vtotal / 1000;
> @@ -258,6 +259,8 @@ static int nv17_tv_get_hd_modes(struct drm_encoder *encoder,
> if (modes[i].hdisplay == output_mode->hdisplay &&
> modes[i].vdisplay == output_mode->vdisplay) {
> mode = drm_mode_duplicate(encoder->dev, output_mode);
> + if (mode == NULL)
> + continue;
> mode->type |= DRM_MODE_TYPE_PREFERRED;
>
> } else {
>