diff mbox series

drm/qxl: fix NULL dereference in qxl_add_mode

Message ID	20240301085511.23298-1-a.burakov@rosalinux.ru
State	New
Headers	Received-SPF: pass (google.com: domain of linux-kernel+bounces-88142-ouuuleilei=gmail.com@vger.kernel.org designates 2604:1380:40f1:3f00::1 as permitted sender) client-ip=2604:1380:40f1:3f00::1; From: Aleksandr Burakov <a.burakov@rosalinux.ru> To: Dave Airlie <airlied@redhat.com>, Gerd Hoffmann <kraxel@redhat.com> Cc: Aleksandr Burakov <a.burakov@rosalinux.ru>, virtualization@lists.linux-foundation.org, spice-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org, lvc-project@linuxtesting.org Subject: [PATCH] drm/qxl: fix NULL dereference in qxl_add_mode Date: Fri, 1 Mar 2024 11:55:11 +0300 Message-Id: <20240301085511.23298-1-a.burakov@rosalinux.ru> Precedence: bulk MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-getmail-retrieved-from-mailbox: INBOX
Series	drm/qxl: fix NULL dereference in qxl_add_mode \| drm/qxl: fix NULL dereference in qxl_add_mode

Commit Message

Aleksandr Burakov March 1, 2024, 8:55 a.m. UTC

  Return value of a function 'drm_cvt_mode' is dereferenced without
checking for NULL but drm_mode_create() in drm_cvt_mode() may
return NULL value in case of memory allocation error.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: 1b043677d4be ("drm/qxl: add qxl_add_mode helper function")
Signed-off-by: Aleksandr Burakov <a.burakov@rosalinux.ru>
---
 drivers/gpu/drm/qxl/qxl_display.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

Comments

Gerd Hoffmann March 1, 2024, 10:54 a.m. UTC | #1

On Fri, Mar 01, 2024 at 11:55:11AM +0300, Aleksandr Burakov wrote:
> Return value of a function 'drm_cvt_mode' is dereferenced without
> checking for NULL but drm_mode_create() in drm_cvt_mode() may
> return NULL value in case of memory allocation error.
> 
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
> 
> Fixes: 1b043677d4be ("drm/qxl: add qxl_add_mode helper function")
> Signed-off-by: Aleksandr Burakov <a.burakov@rosalinux.ru>
> ---
>  drivers/gpu/drm/qxl/qxl_display.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/gpu/drm/qxl/qxl_display.c b/drivers/gpu/drm/qxl/qxl_display.c
> index a152a7c6db21..447532c29e02 100644
> --- a/drivers/gpu/drm/qxl/qxl_display.c
> +++ b/drivers/gpu/drm/qxl/qxl_display.c
> @@ -236,8 +236,10 @@ static int qxl_add_mode(struct drm_connector *connector,
>  		return 0;
>  
>  	mode = drm_cvt_mode(dev, width, height, 60, false, false, false);
> -	if (preferred)
> +	if (preferred && mode)
>  		mode->type |= DRM_MODE_TYPE_PREFERRED;
> +	else
> +		return 0;
>  	mode->hdisplay = width;

That doesn't fix the NULL pointer dereference in case "preferred" is
false.

I'd suggest "if (!mode) return 0" instead.

diff mbox series

Patch

diff --git a/drivers/gpu/drm/qxl/qxl_display.c b/drivers/gpu/drm/qxl/qxl_display.c
index a152a7c6db21..447532c29e02 100644
--- a/drivers/gpu/drm/qxl/qxl_display.c
+++ b/drivers/gpu/drm/qxl/qxl_display.c
@@ -236,8 +236,10 @@  static int qxl_add_mode(struct drm_connector *connector,
 		return 0;
 
 	mode = drm_cvt_mode(dev, width, height, 60, false, false, false);
-	if (preferred)
+	if (preferred && mode)
 		mode->type |= DRM_MODE_TYPE_PREFERRED;
+	else
+		return 0;
 	mode->hdisplay = width;
 	mode->vdisplay = height;
 	drm_mode_set_name(mode);