From: Alex Deucher
Date: Mon, 24 Jan 2022 14:59:22 -0500
Subject: Re: [PATCH] drm/amd/display: Fix a NULL pointer dereference in amdgpu_dm_connector_add_common_modes()
To: Zhou Qingyang
Cc: Wayne Lin, Leo Li, Kangjie Lu, Qingqing Zhuo, "Pan, Xinhui", Rodrigo Siqueira, Roman Li, amd-gfx list, Nicholas Kazlauskas, David Airlie, Aurabindo Pillai, Tony Cheng, Maling list - DRI developers, Jude Shih, Alex Deucher, Nikola Cornij, Christian König, LKML

Applied. Thanks!

Alex

On Mon, Jan 24, 2022 at 12:05 PM Zhou Qingyang wrote:
>
> In amdgpu_dm_connector_add_common_modes(), amdgpu_dm_create_common_mode()
> is assigned to mode and is passed to drm_mode_probed_add() directly after
> that. drm_mode_probed_add() passes &mode->head to list_add_tail(), and
> there is a dereference of it in list_add_tail() without recoveries, which
> could lead to NULL pointer dereference on failure of
> amdgpu_dm_create_common_mode().
>
> Fix this by adding a NULL check of mode.
>
> This bug was found by a static analyzer.
>
> Builds with 'make allyesconfig' show no new warnings,
> and our static analyzer no longer warns about this code.
>
> Fixes: e7b07ceef2a6 ("drm/amd/display: Merge amdgpu_dm_types and amdgpu_dm")
> Signed-off-by: Zhou Qingyang
> ---
> The analysis employs differential checking to identify inconsistent
> security operations (e.g., checks or kfrees) between two code paths
> and confirms that the inconsistent operations are not recovered in the
> current function or the callers, so they constitute bugs.
>
> Note that, as a bug found by static analysis, it can be a false
> positive or hard to trigger. Multiple researchers have cross-reviewed
> the bug.
>
> drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 3 +++
> 1 file changed, 3 insertions(+)
> > diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c > index 7f9773f8dab6..9ad94186b146 100644 > --- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c > +++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c > @@ -8143,6 +8143,9 @@ static void amdgpu_dm_connector_add_common_modes(struct drm_encoder *encoder, > mode = amdgpu_dm_create_common_mode(encoder, > common_modes[i].name, common_modes[i].w, > common_modes[i].h); > + if (!mode) > + continue; > + > drm_mode_probed_add(connector, mode); > amdgpu_dm_connector->num_modes++; > } > -- > 2.25.1 >
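
Review bot: the added `if (!mode) continue;` ahead of drm_mode_probed_add() drops the failed entry silently, and because amdgpu_dm_connector_add_common_modes() is `static void` the caller has no way to learn that a common mode is missing. Consider emitting a debug message that names common_modes[i].name on this path so a shorter mode list can be diagnosed. Also consider whether `break` fits better than `continue`: if the failure reflects memory exhaustion, every remaining loop iteration will call amdgpu_dm_create_common_mode() again and likely fail the same way. Placing the check before `amdgpu_dm_connector->num_modes++` is right, since it keeps the count equal to the number of modes actually added.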