From: Jia-Ju Bai
To: airlied@redhat.com, kraxel@redhat.com, airlied@linux.ie, daniel@ffwll.ch
Cc: virtualization@lists.linux-foundation.org, spice-devel@lists.freedesktop.org, dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org, Jia-Ju Bai
Subject: [PATCH] gpu: drm: qxl: Fix possible null-pointer dereferences in qxl_crtc_atomic_flush()
Date: Thu, 25 Jul 2019 18:21:27 +0800
Message-Id: <20190725102127.16086-1-baijiaju1990@gmail.com>
X-Mailer: git-send-email 2.17.0
X-Mailing-List: linux-kernel@vger.kernel.org

In qxl_crtc_atomic_flush(), there is an if statement on line 376 to check whether crtc->state is NULL:

    if (crtc->state && crtc->state->event)

When crtc->state is NULL and qxl_crtc_update_monitors_config() is called, qxl_crtc_update_monitors_config() uses crtc->state on line 326:

    if (crtc->state->active)

and on line 358:

    DRM_DEBUG_KMS(..., crtc->state->active, ...);

Thus, possible null-pointer dereferences may occur.

To fix these bugs, crtc->state is checked before calling qxl_crtc_update_monitors_config().

These bugs are found by a static analysis tool STCheck written by us.

Signed-off-by: Jia-Ju Bai
---
 drivers/gpu/drm/qxl/qxl_display.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/qxl/qxl_display.c b/drivers/gpu/drm/qxl/qxl_display.c index 8b319ebbb0fb..fae18ef1ba59 100644 --- a/drivers/gpu/drm/qxl/qxl_display.c +++ b/drivers/gpu/drm/qxl/qxl_display.c @@ -382,7 +382,8 @@ static void qxl_crtc_atomic_flush(struct drm_crtc *crtc, spin_unlock_irqrestore(&dev->event_lock, flags); } - qxl_crtc_update_monitors_config(crtc, "flush"); + if (crtc->state) + qxl_crtc_update_monitors_config(crtc, "flush"); } static void qxl_crtc_destroy(struct drm_crtc *crtc) -- 2.17.0
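Review bot: the new `if (crtc->state)` guard around `qxl_crtc_update_monitors_config(crtc, "flush")` makes the monitors-config update silently skip when the state is NULL, and the only evidence in the commit message that NULL is reachable here is the existing `crtc->state && crtc->state->event` check a few lines above, not a call path that enters qxl_crtc_atomic_flush() with crtc->state unset. Before adding a second guard, please confirm whether this callback can actually run without a CRTC state: if it cannot, the redundant `crtc->state &&` in the existing check is the thing to drop so both sites agree, and if it can, the commit message should name that path, because a quietly skipped update would mask the underlying bug instead of fixing it.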