From: Anton Vasilyev
To: Dave Airlie
Cc: Anton Vasilyev, Gerd Hoffmann, David Airlie, virtualization@lists.linux-foundation.org, dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org, ldv-project@linuxtesting.org
Subject: [PATCH] drm: qxl: Fix NULL pointer dereference at qxl_alloc_client_monitors_config
Date: Fri, 27 Jul 2018 18:30:58 +0300
Message-Id: <20180727153058.23620-1-vasilyev@ispras.ru>

If qxl_alloc_client_monitors_config() fails to allocate client_monitors_config, then a NULL pointer dereference occurs in function qxl_display_copy_rom_client_monitors_config() after the qxl_alloc_client_monitors_config() call.

The patch adds an error return from qxl_alloc_client_monitors_config() and an additional status for the qxl_display_copy_rom_client_monitors_config return value.

Found by Linux Driver Verification project (linuxtesting.org).

Signed-off-by: Anton Vasilyev
---
Note: Is it correct that qxl_display_read_client_monitors_config() does not return an error in case of failure?
---
 drivers/gpu/drm/qxl/qxl_display.c | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/drivers/gpu/drm/qxl/qxl_display.c b/drivers/gpu/drm/qxl/qxl_display.c index 768207fbbae3..a59b2eca5f5b 100644 --- a/drivers/gpu/drm/qxl/qxl_display.c +++ b/drivers/gpu/drm/qxl/qxl_display.c @@ -37,7 +37,8 @@ static bool qxl_head_enabled(struct qxl_head *head) return head->width && head->height; } -static void qxl_alloc_client_monitors_config(struct qxl_device *qdev, unsigned count) +static int qxl_alloc_client_monitors_config(struct qxl_device *qdev, + unsigned int count) { if (qdev->client_monitors_config && count > qdev->client_monitors_config->count) { 
@@ -49,15 +50,17 @@ static void qxl_alloc_client_monitors_config(struct qxl_device *qdev, unsigned c sizeof(struct qxl_monitors_config) + sizeof(struct qxl_head) * count, GFP_KERNEL); if (!qdev->client_monitors_config) - return; + return -ENOMEM; } qdev->client_monitors_config->count = count; + return 0; } enum { MONITORS_CONFIG_MODIFIED, MONITORS_CONFIG_UNCHANGED, MONITORS_CONFIG_BAD_CRC, + MONITORS_CONFIG_ERROR, }; static int qxl_display_copy_rom_client_monitors_config(struct qxl_device *qdev) @@ -87,7 +90,10 @@ static int qxl_display_copy_rom_client_monitors_config(struct qxl_device *qdev) && (num_monitors != qdev->client_monitors_config->count)) { status = MONITORS_CONFIG_MODIFIED; } - qxl_alloc_client_monitors_config(qdev, num_monitors); + if (qxl_alloc_client_monitors_config(qdev, num_monitors)) { + status = MONITORS_CONFIG_ERROR; + return status; + } /* we copy max from the client but it isn't used */ qdev->client_monitors_config->max_allowed = qdev->monitors_config->max_allowed; @@ -161,6 +167,10 @@ void qxl_display_read_client_monitors_config(struct qxl_device *qdev) break; udelay(5); } + if (status == MONITORS_CONFIG_ERROR) { + DRM_DEBUG_KMS("ignoring client monitors config: error"); + return; + } if (status == MONITORS_CONFIG_BAD_CRC) { DRM_DEBUG_KMS("ignoring client monitors config: bad crc"); return; -- 2.18.0
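Review bot: In the second hunk (the allocation in qxl_alloc_client_monitors_config()), the size `sizeof(struct qxl_monitors_config) + sizeof(struct qxl_head) * count` is computed from an `unsigned int count` with no bound on it visible in this function, and the caller passes num_monitors straight in. Now that the function can report failure, it would be a natural place to reject an out-of-range count or compute the size with an overflow-checked helper such as struct_size(), so that an oversized count ends in the same error path as a failed allocation.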
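Review bot: In the qxl_display_copy_rom_client_monitors_config() hunk, the new error branch assigns `status = MONITORS_CONFIG_ERROR;` and returns it on the next line; a plain `return MONITORS_CONFIG_ERROR;` says the same thing without the dead store. The branch also discards the -ENOMEM that qxl_alloc_client_monitors_config() now returns, which is fine for the current caller but worth a short comment so the next reader does not expect an errno from this function.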
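Review bot: In the qxl_display_read_client_monitors_config() hunk, the MONITORS_CONFIG_ERROR branch reports an allocation failure only through DRM_DEBUG_KMS and then returns from a void function, so the failure is invisible unless KMS debugging is enabled and the caller cannot react to it. Consider logging at error level here, or changing the function to return int, which is the question the Note under the commit message already raises. Please also confirm that the retry loop just above (only `break; udelay(5);` is visible in the context) exits on the new status instead of retrying the allocation.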