| Message ID | 20250314012029.668306-1-chenyuan0y@gmail.com (mailing list archive) |
|---|---|
| State | New |
| Headers | show |
| Series | drm/sun4i: backend: Fix error pointers in sun4i_backend_atomic_check | expand |
Hi, On Thu, Mar 13, 2025 at 08:20:29PM -0500, Chenyuan Yang wrote: > The function sun4i_backend_atomic_check was dereferencing pointers > returned by drm_atomic_get_plane_state without checking for errors. This > could lead to undefined behavior if the function returns an error pointer. > > This commit adds checks using IS_ERR to ensure that plane_state is > valid before dereferencing them. > > Similar to commit da29abe71e16 > ("drm/amd/display: Fix error pointers in amdgpu_dm_crtc_mem_type_changed"). > > Fixes: 96180dde23b7 ("drm/sun4i: backend: Add a custom atomic_check for the frontend") > Signed-off-by: Chenyuan Yang <chenyuan0y@gmail.com> > --- > drivers/gpu/drm/sun4i/sun4i_backend.c | 4 ++++ > 1 file changed, 4 insertions(+) > > diff --git a/drivers/gpu/drm/sun4i/sun4i_backend.c b/drivers/gpu/drm/sun4i/sun4i_backend.c > index 2dded3b828df..a8e0e2123764 100644 > --- a/drivers/gpu/drm/sun4i/sun4i_backend.c > +++ b/drivers/gpu/drm/sun4i/sun4i_backend.c > @@ -490,6 +490,10 @@ static int sun4i_backend_atomic_check(struct sunxi_engine *engine, > drm_for_each_plane_mask(plane, drm, crtc_state->plane_mask) { > struct drm_plane_state *plane_state = > drm_atomic_get_plane_state(state, plane); > + > + if (IS_ERR(plane_state)) > + return PTR_ERR(plane_state); > + This introduces a build warning. You shouldn't mix declarations and code. Maxime
HI Maxime.
Thanks so much for pointing that out!
How about such a patch?
diff --git a/drivers/gpu/drm/sun4i/sun4i_backend.c
b/drivers/gpu/drm/sun4i/sun4i_backend.c
index 2dded3b828df..5ad0e90d3e6b 100644
--- a/drivers/gpu/drm/sun4i/sun4i_backend.c
+++ b/drivers/gpu/drm/sun4i/sun4i_backend.c
@@ -490,9 +490,14 @@ static int sun4i_backend_atomic_check(struct
sunxi_engine *engine,
drm_for_each_plane_mask(plane, drm, crtc_state->plane_mask) {
struct drm_plane_state *plane_state =
drm_atomic_get_plane_state(state, plane);
- struct sun4i_layer_state *layer_state =
- state_to_sun4i_layer_state(plane_state);
- struct drm_framebuffer *fb = plane_state->fb;
+ struct sun4i_layer_state *layer_state = NULL;
+ struct drm_framebuffer *fb = NULL;
+
+ if (IS_ERR(plane_state))
+ return PTR_ERR(plane_state);
+
+ layer_state = state_to_sun4i_layer_state(plane_state);
+ fb = plane_state->fb;
if (!sun4i_backend_plane_is_supported(plane_state,
&layer_state->uses_frontend))
diff --git a/drivers/gpu/drm/sun4i/sun4i_backend.c b/drivers/gpu/drm/sun4i/sun4i_backend.c index 2dded3b828df..a8e0e2123764 100644 --- a/drivers/gpu/drm/sun4i/sun4i_backend.c +++ b/drivers/gpu/drm/sun4i/sun4i_backend.c @@ -490,6 +490,10 @@ static int sun4i_backend_atomic_check(struct sunxi_engine *engine, drm_for_each_plane_mask(plane, drm, crtc_state->plane_mask) { struct drm_plane_state *plane_state = drm_atomic_get_plane_state(state, plane); + + if (IS_ERR(plane_state)) + return PTR_ERR(plane_state); + struct sun4i_layer_state *layer_state = state_to_sun4i_layer_state(plane_state); struct drm_framebuffer *fb = plane_state->fb;
The function sun4i_backend_atomic_check was dereferencing pointers returned by drm_atomic_get_plane_state without checking for errors. This could lead to undefined behavior if the function returns an error pointer. This commit adds checks using IS_ERR to ensure that plane_state is valid before dereferencing them. Similar to commit da29abe71e16 ("drm/amd/display: Fix error pointers in amdgpu_dm_crtc_mem_type_changed"). Fixes: 96180dde23b7 ("drm/sun4i: backend: Add a custom atomic_check for the frontend") Signed-off-by: Chenyuan Yang <chenyuan0y@gmail.com> --- drivers/gpu/drm/sun4i/sun4i_backend.c | 4 ++++ 1 file changed, 4 insertions(+)