From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Zhou Qingyang, Liviu Dudau, Sasha Levin
Subject: [PATCH 5.4 092/411] drm/komeda: Fix an undefined behavior bug in komeda_plane_add()
Date: Mon, 13 Jun 2022 12:06:05 +0200
Message-Id: <20220613094931.440825663@linuxfoundation.org>
In-Reply-To: <20220613094928.482772422@linuxfoundation.org>
References: <20220613094928.482772422@linuxfoundation.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Zhou Qingyang

[ Upstream commit f5e284bb74ab296f98122673c7ecd22028b2c200 ]

In komeda_plane_add(), komeda_get_layer_fourcc_list() is assigned to formats and used in drm_universal_plane_init(). drm_universal_plane_init() passes formats to __drm_universal_plane_init(). __drm_universal_plane_init() further passes formats to memcpy() as src parameter, which could lead to an undefined behavior bug on failure of komeda_get_layer_fourcc_list().

Fix this bug by adding a check of formats.

This bug was found by a static analyzer. The analysis employs differential checking to identify inconsistent security operations (e.g., checks or kfrees) between two code paths and confirms that the inconsistent operations are not recovered in the current function or the callers, so they constitute bugs.

Note that, as a bug found by static analysis, it can be a false positive or hard to trigger. Multiple researchers have cross-reviewed the bug.

Builds with CONFIG_DRM_KOMEDA=m show no new warnings, and our static analyzer no longer warns about this code.

Fixes: 61f1c4a8ab75 ("drm/komeda: Attach komeda_dev to DRM-KMS")
Signed-off-by: Zhou Qingyang
Signed-off-by: Liviu Dudau
Link: https://lore.kernel.org/dri-devel/20211201033704.32054-1-zhou1615@umn.edu
Signed-off-by: Sasha Levin
--- drivers/gpu/drm/arm/display/komeda/komeda_plane.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/gpu/drm/arm/display/komeda/komeda_plane.c b/drivers/gpu/drm/arm/display/komeda/komeda_plane.c index a5f57b38d193..bc3f42e915e9 100644 --- a/drivers/gpu/drm/arm/display/komeda/komeda_plane.c +++ b/drivers/gpu/drm/arm/display/komeda/komeda_plane.c @@ -264,6 +264,10 @@ static int komeda_plane_add(struct komeda_kms_dev *kms, formats = komeda_get_layer_fourcc_list(&mdev->fmt_tbl, layer->layer_type, &n_formats); + if (!formats) { + kfree(kplane); + return -ENOMEM; + } err = drm_universal_plane_init(&kms->base, plane, get_possible_crtcs(kms, c->pipeline), -- 2.35.1
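
Review bot: The added "if (!formats)" branch in komeda_plane_add() returns -ENOMEM unconditionally, which is only accurate if komeda_get_layer_fourcc_list() returns NULL solely on allocation failure; neither the hunk nor the commit message says so, so please state that in the changelog or in a one-line comment above the check. The branch also releases kplane with a bare kfree() and returns directly: confirm that nothing else has been attached to kplane before this point, and if the failure handling that follows drm_universal_plane_init() uses a shared cleanup label, route this path through it as well so the function keeps a single unwind convention. The check itself is correctly placed before the call to drm_universal_plane_init(), since that is where formats is first consumed.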