| Message ID | 20240802044736.1570345-1-make24@iscas.ac.cn (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | [v4,RESEND] drm/client: fix null pointer dereference in drm_client_modeset_probe | expand |
Am 02.08.24 um 06:47 schrieb Ma Ke: > In drm_client_modeset_probe(), the return value of drm_mode_duplicate() is > assigned to modeset->mode, which will lead to a possible NULL pointer > dereference on failure of drm_mode_duplicate(). Add a check to avoid npd. > > Cc: stable@vger.kernel.org > Fixes: cf13909aee05 ("drm/fb-helper: Move out modeset config code") > Signed-off-by: Ma Ke <make24@iscas.ac.cn> Reviewed-by: Thomas Zimmermann <tzimmermann@suse.de> > --- > Changes in v4: > - modified patch, set ret and break to handle error rightly. > Changes in v3: > - modified patch as suggestions, returned error directly when failing to > get modeset->mode. > Changes in v2: > - added the recipient's email address, due to the prolonged absence of a > response from the recipients. > - added Cc stable. > --- > drivers/gpu/drm/drm_client_modeset.c | 5 +++++ > 1 file changed, 5 insertions(+) > > diff --git a/drivers/gpu/drm/drm_client_modeset.c b/drivers/gpu/drm/drm_client_modeset.c > index 31af5cf37a09..cee5eafbfb81 100644 > --- a/drivers/gpu/drm/drm_client_modeset.c > +++ b/drivers/gpu/drm/drm_client_modeset.c > @@ -880,6 +880,11 @@ int drm_client_modeset_probe(struct drm_client_dev *client, unsigned int width, > > kfree(modeset->mode); > modeset->mode = drm_mode_duplicate(dev, mode); > + if (!modeset->mode) { > + ret = -ENOMEM; > + break; > + } > + > drm_connector_get(connector); > modeset->connectors[modeset->num_connectors++] = connector; > modeset->x = offset->x;
Hi Am 02.08.24 um 06:47 schrieb Ma Ke: > In drm_client_modeset_probe(), the return value of drm_mode_duplicate() is > assigned to modeset->mode, which will lead to a possible NULL pointer > dereference on failure of drm_mode_duplicate(). Add a check to avoid npd. > > Cc: stable@vger.kernel.org > Fixes: cf13909aee05 ("drm/fb-helper: Move out modeset config code") > Signed-off-by: Ma Ke <make24@iscas.ac.cn> Thanks, merged into drm-misc-fixes. Best regards Thomas > --- > Changes in v4: > - modified patch, set ret and break to handle error rightly. > Changes in v3: > - modified patch as suggestions, returned error directly when failing to > get modeset->mode. > Changes in v2: > - added the recipient's email address, due to the prolonged absence of a > response from the recipients. > - added Cc stable. > --- > drivers/gpu/drm/drm_client_modeset.c | 5 +++++ > 1 file changed, 5 insertions(+) > > diff --git a/drivers/gpu/drm/drm_client_modeset.c b/drivers/gpu/drm/drm_client_modeset.c > index 31af5cf37a09..cee5eafbfb81 100644 > --- a/drivers/gpu/drm/drm_client_modeset.c > +++ b/drivers/gpu/drm/drm_client_modeset.c > @@ -880,6 +880,11 @@ int drm_client_modeset_probe(struct drm_client_dev *client, unsigned int width, > > kfree(modeset->mode); > modeset->mode = drm_mode_duplicate(dev, mode); > + if (!modeset->mode) { > + ret = -ENOMEM; > + break; > + } > + > drm_connector_get(connector); > modeset->connectors[modeset->num_connectors++] = connector; > modeset->x = offset->x;
diff --git a/drivers/gpu/drm/drm_client_modeset.c b/drivers/gpu/drm/drm_client_modeset.c index 31af5cf37a09..cee5eafbfb81 100644 --- a/drivers/gpu/drm/drm_client_modeset.c +++ b/drivers/gpu/drm/drm_client_modeset.c @@ -880,6 +880,11 @@ int drm_client_modeset_probe(struct drm_client_dev *client, unsigned int width, kfree(modeset->mode); modeset->mode = drm_mode_duplicate(dev, mode); + if (!modeset->mode) { + ret = -ENOMEM; + break; + } + drm_connector_get(connector); modeset->connectors[modeset->num_connectors++] = connector; modeset->x = offset->x;
In drm_client_modeset_probe(), the return value of drm_mode_duplicate() is assigned to modeset->mode, which will lead to a possible NULL pointer dereference on failure of drm_mode_duplicate(). Add a check to avoid npd. Cc: stable@vger.kernel.org Fixes: cf13909aee05 ("drm/fb-helper: Move out modeset config code") Signed-off-by: Ma Ke <make24@iscas.ac.cn> --- Changes in v4: - modified patch, set ret and break to handle error rightly. Changes in v3: - modified patch as suggestions, returned error directly when failing to get modeset->mode. Changes in v2: - added the recipient's email address, due to the prolonged absence of a response from the recipients. - added Cc stable. --- drivers/gpu/drm/drm_client_modeset.c | 5 +++++ 1 file changed, 5 insertions(+)