Ma Ke
2024-Jun-25 08:18 UTC
[PATCH] drm/nouveau/dispnv04: fix null pointer dereference in nv17_tv_get_hd_modes
In nv17_tv_get_hd_modes(), the return value of drm_mode_duplicate() is
assigned to mode, which will lead to a possible NULL pointer dereference
on failure of drm_mode_duplicate(). The same applies to drm_cvt_mode().
Add a check to avoid null pointer dereference.
Cc: stable at vger.kernel.org
Signed-off-by: Ma Ke <make24 at iscas.ac.cn>
---
drivers/gpu/drm/nouveau/dispnv04/tvnv17.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/gpu/drm/nouveau/dispnv04/tvnv17.c
b/drivers/gpu/drm/nouveau/dispnv04/tvnv17.c
index 670c9739e5e1..9c3dc9a5bb46 100644
--- a/drivers/gpu/drm/nouveau/dispnv04/tvnv17.c
+++ b/drivers/gpu/drm/nouveau/dispnv04/tvnv17.c
@@ -258,6 +258,8 @@ static int nv17_tv_get_hd_modes(struct drm_encoder *encoder,
if (modes[i].hdisplay == output_mode->hdisplay &&
modes[i].vdisplay == output_mode->vdisplay) {
mode = drm_mode_duplicate(encoder->dev, output_mode);
+ if (!mode)
+ continue;
mode->type |= DRM_MODE_TYPE_PREFERRED;
} else {
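Review bot: The "continue" added before "mode->type |= DRM_MODE_TYPE_PREFERRED;" drops the entry that matches output_mode without leaving any trace, and this is the only branch in the shown context that sets DRM_MODE_TYPE_PREFERRED, so a failed drm_mode_duplicate() can leave the resulting list without a preferred mode. The check is correct for the dereference on the following line. A one-line comment saying the failed duplicate is skipped on purpose, or a debug message at that point, would make the outcome visible when someone later investigates a missing mode.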
@@ -265,6 +267,8 @@ static int nv17_tv_get_hd_modes(struct drm_encoder *encoder,
modes[i].vdisplay, 60, false,
(output_mode->flags &
DRM_MODE_FLAG_INTERLACE), false);
+ if (!mode)
+ continue;
}
/* CVT modes are sometimes unsuitable... */
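Review bot: The "continue" after the drm_cvt_mode() call in the else branch skips the failed entry silently, and because nv17_tv_get_hd_modes() returns int the caller cannot tell an allocation failure from a mode that was simply not added. If silently skipping is the intended behaviour, the commit message should say so. The message also states that the same problem applies to drm_cvt_mode(), but the statement that dereferences mode on this path lies below the context shown in this hunk, so naming it in the description would help reviewers and stable maintainers confirm the fix.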
--
2.25.1
Markus Elfring
2024-Jun-25 14:34 UTC
[PATCH] drm/nouveau/dispnv04: fix null pointer dereference in nv17_tv_get_hd_modes
> In nv17_tv_get_hd_modes(), the return value of drm_mode_duplicate() is
> assigned to mode, which will lead to a possible NULL pointer dereference
> on failure of drm_mode_duplicate(). The same applies to drm_cvt_mode().
> Add a check to avoid null pointer dereference.

Can a wording approach (like the following) be a better change description?

  A null pointer is stored in the local variable "mode" after a call
  of the function "drm_cvt_mode" or "drm_mode_duplicate" failed.
  This pointer was used in subsequent statements where an undesirable
  dereference will be performed then.
  Thus add corresponding return value checks.

> Cc: stable at vger.kernel.org

Would you like to add the tag "Fixes" accordingly?

What do you think about using a summary phrase like
"Prevent null pointer dereferences in nv17_tv_get_hd_modes()"?

Regards,
Markus
Lyude Paul
2024-Jun-25 19:11 UTC
[PATCH] drm/nouveau/dispnv04: fix null pointer dereference in nv17_tv_get_hd_modes
Reviewed-by: Lyude Paul <lyude at redhat.com>

I will push this and the other patch that you sent upstream in just a
moment, thanks!

On Tue, 2024-06-25 at 16:10 +0800, Ma Ke wrote:
> In nv17_tv_get_hd_modes(), the return value of drm_mode_duplicate() is
> assigned to mode, which will lead to a possible NULL pointer dereference
> on failure of drm_mode_duplicate(). The same applies to drm_cvt_mode().
> Add a check to avoid null pointer dereference.
>
> Cc: stable at vger.kernel.org
> Signed-off-by: Ma Ke <make24 at iscas.ac.cn>
> --- > ?drivers/gpu/drm/nouveau/dispnv04/tvnv17.c | 4 ++++ > ?1 file changed, 4 insertions(+) > > diff --git a/drivers/gpu/drm/nouveau/dispnv04/tvnv17.c > b/drivers/gpu/drm/nouveau/dispnv04/tvnv17.c > index 670c9739e5e1..9c3dc9a5bb46 100644 > --- a/drivers/gpu/drm/nouveau/dispnv04/tvnv17.c > +++ b/drivers/gpu/drm/nouveau/dispnv04/tvnv17.c > @@ -258,6 +258,8 @@ static int nv17_tv_get_hd_modes(struct > drm_encoder *encoder, > ? if (modes[i].hdisplay == output_mode->hdisplay && > ? ??? modes[i].vdisplay == output_mode->vdisplay) { > ? mode = drm_mode_duplicate(encoder->dev, > output_mode); > + if (!mode) > + continue; > ? mode->type |= DRM_MODE_TYPE_PREFERRED; > ? > ? } else { > @@ -265,6 +267,8 @@ static int nv17_tv_get_hd_modes(struct > drm_encoder *encoder, > ? ??? modes[i].vdisplay, 60, > false, > ? ??? (output_mode->flags & > ? ???? > DRM_MODE_FLAG_INTERLACE), false); > + if (!mode) > + continue; > ? } > ? > ? /* CVT modes are sometimes unsuitable... */

--
Cheers,
Lyude Paul (she/her)
Software Engineer at Red Hat