Date: Thu, 25 Jul 2019 14:03:59 +0200
From: Daniel Vetter
To: Jia-Ju Bai
Cc: airlied@redhat.com, kraxel@redhat.com, airlied@linux.ie, daniel@ffwll.ch, virtualization@lists.linux-foundation.org, spice-devel@lists.freedesktop.org, dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] gpu: drm: qxl: Fix possible null-pointer dereferences in qxl_crtc_atomic_flush()
Message-ID: <20190725120359.GB15868@phenom.ffwll.local>
References: <20190725102127.16086-1-baijiaju1990@gmail.com>
In-Reply-To: <20190725102127.16086-1-baijiaju1990@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Jul 25, 2019 at 06:21:27PM +0800, Jia-Ju Bai wrote:
> In qxl_crtc_atomic_flush(), there is an if statement on line 376 to
> check whether crtc->state is NULL:
> if (crtc->state && crtc->state->event)
>
> When crtc->state is NULL and qxl_crtc_update_monitors_config() is called,
> qxl_crtc_update_monitors_config() uses crtc->state on line 326:
> if (crtc->state->active)
> and on line 358:
> DRM_DEBUG_KMS(..., crtc->state->active, ...);
>
> Thus, possible null-pointer dereferences may occur.
>
> To fix these bugs, crtc->state is checked before calling
> qxl_crtc_update_monitors_config().
>
> These bugs are found by a static analysis tool STCheck written by us.
>
> Signed-off-by: Jia-Ju Bai

crtc->state should never be NULL in this function, ever. Imo correct fix
is to remove that other NULL check (since obviously it would blow up,
hence it's dead code). Atomic kms drivers use drm_mode_config_reset() to
make sure the various ->state pointers are always set and valid.
-Daniel

> ---
> drivers/gpu/drm/qxl/qxl_display.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/gpu/drm/qxl/qxl_display.c b/drivers/gpu/drm/qxl/qxl_display.c
> index 8b319ebbb0fb..fae18ef1ba59 100644
> --- a/drivers/gpu/drm/qxl/qxl_display.c
> +++ b/drivers/gpu/drm/qxl/qxl_display.c
> @@ -382,7 +382,8 @@ static void qxl_crtc_atomic_flush(struct drm_crtc *crtc,
> spin_unlock_irqrestore(&dev->event_lock, flags);
> }
>
> - qxl_crtc_update_monitors_config(crtc, "flush");
> + if (crtc->state)
> + qxl_crtc_update_monitors_config(crtc, "flush");
> }
>
> static void qxl_crtc_destroy(struct drm_crtc *crtc)
> --
> 2.17.0
>

--
Daniel Vetter
Software Engineer, Intel Corporation
http://blog.ffwll.ch
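Review bot: the new `if (crtc->state)` guard in this hunk makes the flush path silently skip the monitors-config update whenever the invariant is broken, which hides a programming error instead of fixing one; as the reply above notes, crtc->state cannot be NULL here because atomic KMS drivers establish the ->state pointers in drm_mode_config_reset(), so the consistent change is the opposite of this hunk: drop the existing `if (crtc->state && crtc->state->event)` check that the commit message cites at line 376 (it is the dead code that made the analyzer report an inconsistency) and keep the unconditional `qxl_crtc_update_monitors_config(crtc, "flush");` call. Minor: the commit message anchors its reasoning on absolute line numbers (376, 326, 358), which go stale quickly; naming the functions and the checks is sufficient.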