| Message ID | 20150126095343.GA3508@ulmo (mailing list archive) |
|---|---|
| State | Not Applicable |
| Headers | show |
On Mon, 26 Jan 2015, Thierry Reding <thierry.reding@gmail.com> wrote: > On Mon, Jan 26, 2015 at 11:07:52AM +0200, Jani Nikula wrote: >> On Fri, 23 Jan 2015, Thierry Reding <thierry.reding@gmail.com> wrote: >> > Thierry Reding (4): >> > drm/mipi-dsi: Avoid potential NULL pointer dereference >> >> I can't find this one, has it been posted on the list? > > I thought it had, but I can't find any record of that. It certainly was > reported on-list: > > Subject: re: drm/dsi: Add message to packet translator > Message-ID: <20141216235305.GC31467@mwanda> > > I've attached the patch for convenience. Ah, so not a very likely scenario. Looks good to me. Thanks, Jani. > > Thierry > From 903c75cb0da218e3849fff3c2c17a9f2ab5705ba Mon Sep 17 00:00:00 2001 > From: Thierry Reding <treding@nvidia.com> > Date: Fri, 5 Dec 2014 11:46:56 +0100 > Subject: [PATCH] drm/mipi-dsi: Avoid potential NULL pointer dereference > > The mipi_dsi_packet_create() function dereferences the msg pointer > before checking that it's valid. Move the dereference down to where it > is required to avoid potentially dereferencing a NULL pointer. > > Reported-by: Dan Carpenter <dan.carpenter@oracle.com> > Signed-off-by: Thierry Reding <treding@nvidia.com> > --- > drivers/gpu/drm/drm_mipi_dsi.c | 6 +++--- > 1 file changed, 3 insertions(+), 3 deletions(-) > > diff --git a/drivers/gpu/drm/drm_mipi_dsi.c b/drivers/gpu/drm/drm_mipi_dsi.c > index c0644bb865f2..2d5ca8eec13a 100644 > --- a/drivers/gpu/drm/drm_mipi_dsi.c > +++ b/drivers/gpu/drm/drm_mipi_dsi.c > @@ -323,8 +323,6 @@ EXPORT_SYMBOL(mipi_dsi_packet_format_is_long); > int mipi_dsi_create_packet(struct mipi_dsi_packet *packet, > const struct mipi_dsi_msg *msg) > { > - const u8 *tx = msg->tx_buf; > - > if (!packet || !msg) > return -EINVAL; > > @@ -353,8 +351,10 @@ int mipi_dsi_create_packet(struct mipi_dsi_packet *packet, > packet->header[2] = (msg->tx_len >> 8) & 0xff; > > packet->payload_length = msg->tx_len; > - packet->payload = tx; > + packet->payload = msg->tx_buf; > } else { > + const u8 *tx = msg->tx_buf; > + > packet->header[1] = (msg->tx_len > 0) ? tx[0] : 0; > packet->header[2] = (msg->tx_len > 1) ? tx[1] : 0; > } > -- > 2.1.3 >
From 903c75cb0da218e3849fff3c2c17a9f2ab5705ba Mon Sep 17 00:00:00 2001 From: Thierry Reding <treding@nvidia.com> Date: Fri, 5 Dec 2014 11:46:56 +0100 Subject: [PATCH] drm/mipi-dsi: Avoid potential NULL pointer dereference The mipi_dsi_packet_create() function dereferences the msg pointer before checking that it's valid. Move the dereference down to where it is required to avoid potentially dereferencing a NULL pointer. Reported-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Thierry Reding <treding@nvidia.com> --- drivers/gpu/drm/drm_mipi_dsi.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/gpu/drm/drm_mipi_dsi.c b/drivers/gpu/drm/drm_mipi_dsi.c index c0644bb865f2..2d5ca8eec13a 100644 --- a/drivers/gpu/drm/drm_mipi_dsi.c +++ b/drivers/gpu/drm/drm_mipi_dsi.c @@ -323,8 +323,6 @@ EXPORT_SYMBOL(mipi_dsi_packet_format_is_long); int mipi_dsi_create_packet(struct mipi_dsi_packet *packet, const struct mipi_dsi_msg *msg) { - const u8 *tx = msg->tx_buf; - if (!packet || !msg) return -EINVAL; @@ -353,8 +351,10 @@ int mipi_dsi_create_packet(struct mipi_dsi_packet *packet, packet->header[2] = (msg->tx_len >> 8) & 0xff; packet->payload_length = msg->tx_len; - packet->payload = tx; + packet->payload = msg->tx_buf; } else { + const u8 *tx = msg->tx_buf; + packet->header[1] = (msg->tx_len > 0) ? tx[0] : 0; packet->header[2] = (msg->tx_len > 1) ? tx[1] : 0; } -- 2.1.3