We recently modified drm_fb_helper_single_add_all_connectors() to allow NULL "fb_helper" pointers. But the problem is that it gets dereferenced before we checked for NULL.
Fixes: c777990fb45b ("drm/fb-helper: Handle function NULL argument")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
diff --git a/drivers/gpu/drm/drm_fb_helper.c b/drivers/gpu/drm/drm_fb_helper.c index 6654f2f87775..f73457e5bbbc 100644 --- a/drivers/gpu/drm/drm_fb_helper.c +++ b/drivers/gpu/drm/drm_fb_helper.c @@ -178,7 +178,6 @@ EXPORT_SYMBOL(drm_fb_helper_add_one_connector); */ int drm_fb_helper_single_add_all_connectors(struct drm_fb_helper *fb_helper) { - struct drm_device *dev = fb_helper->dev; struct drm_connector *connector; struct drm_connector_list_iter conn_iter; int i, ret = 0; @@ -187,7 +186,7 @@ int drm_fb_helper_single_add_all_connectors(struct drm_fb_helper *fb_helper) return 0;
mutex_lock(&fb_helper->lock); - drm_connector_list_iter_begin(dev, &conn_iter); + drm_connector_list_iter_begin(fb_helper->dev, &conn_iter); drm_for_each_connector_iter(connector, &conn_iter) { ret = __drm_fb_helper_add_one_connector(fb_helper, connector); if (ret)
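Review bot: In the second hunk, `drm_connector_list_iter_begin(fb_helper->dev, &conn_iter)` is safe only because it now sits after the early `return 0;`, and the condition guarding that return is outside the visible context lines. Please confirm that the guard actually tests `fb_helper` for NULL. The `mutex_lock(&fb_helper->lock)` call just above already relies on the same guard, so naming that check in the commit message would make the ordering requirement clear to later readers.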
On Wed, Dec 06, 2017 at 04:07:49PM +0300, Dan Carpenter wrote:
> We recently modified drm_fb_helper_single_add_all_connectors() to allow NULL "fb_helper" pointers. But the problem is that it gets dereferenced before we checked for NULL.
>
> Fixes: c777990fb45b ("drm/fb-helper: Handle function NULL argument")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Just merged a similar patch yesterday (drat yours slightly prettier!):
commit 89f3f35620c7f244880485de11079cb4d98ed604 (HEAD -> drm-misc-next, drm-misc/for-linux-next, drm-misc/drm-misc-next)
Author: Gustavo A. R. Silva <garsilva@embeddedor.com>
Date: Tue Dec 5 11:46:28 2017 -0600

    drm/fb-helper: Fix potential NULL pointer dereference

Thanks anyway,
-Daniel
diff --git a/drivers/gpu/drm/drm_fb_helper.c b/drivers/gpu/drm/drm_fb_helper.c index 6654f2f87775..f73457e5bbbc 100644 --- a/drivers/gpu/drm/drm_fb_helper.c +++ b/drivers/gpu/drm/drm_fb_helper.c @@ -178,7 +178,6 @@ EXPORT_SYMBOL(drm_fb_helper_add_one_connector); */ int drm_fb_helper_single_add_all_connectors(struct drm_fb_helper *fb_helper) {
- struct drm_device *dev = fb_helper->dev; struct drm_connector *connector; struct drm_connector_list_iter conn_iter; int i, ret = 0;
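Review bot: The dereference removed in the first hunk was in a declaration initializer (`struct drm_device *dev = fb_helper->dev;`), which runs before any check in the function body. The commit message says only that the pointer "gets dereferenced before we checked", so stating that the offending access was the initializer would make the bug easier to recognise. It is also worth checking the other declarations in this function for an initializer that reads through `fb_helper`.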
@@ -187,7 +186,7 @@ int drm_fb_helper_single_add_all_connectors(struct drm_fb_helper *fb_helper) return 0;
mutex_lock(&fb_helper->lock);
- drm_connector_list_iter_begin(dev, &conn_iter);
- drm_connector_list_iter_begin(fb_helper->dev, &conn_iter); drm_for_each_connector_iter(connector, &conn_iter) { ret = __drm_fb_helper_add_one_connector(fb_helper, connector); if (ret)
dri-devel mailing list dri-devel@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/dri-devel