Re: [PATCH][next] drm/gma500: fix null dereference of pointer fb before null check

From: Patrik Jakobsson
Date: Thu Dec 19 2019 - 09:39:19 EST


On Mon, Dec 16, 2019 at 5:21 PM Colin King <colin.king@xxxxxxxxxxxxx> wrote:
>
> From: Colin Ian King <colin.king@xxxxxxxxxxxxx>
>
> Pointer fb is being dereferenced when assigning dev before it
> is null checked. Fix this by only dereferencing dev after the
> null check.

Applied to drm-misc-next

Thanks
Patrik

>
> Fixes: 6b7ce2c4161a ("drm/gma500: Remove struct psb_fbdev")
> Signed-off-by: Colin Ian King <colin.king@xxxxxxxxxxxxx>
> ---
> drivers/gpu/drm/gma500/accel_2d.c | 6 ++++--
> 1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/gpu/drm/gma500/accel_2d.c b/drivers/gpu/drm/gma500/accel_2d.c
> index b9e5a38632f7..adc0507545bf 100644
> --- a/drivers/gpu/drm/gma500/accel_2d.c
> +++ b/drivers/gpu/drm/gma500/accel_2d.c
> @@ -228,8 +228,8 @@ static void psbfb_copyarea_accel(struct fb_info *info,
> {
> struct drm_fb_helper *fb_helper = info->par;
> struct drm_framebuffer *fb = fb_helper->fb;
> - struct drm_device *dev = fb->dev;
> - struct drm_psb_private *dev_priv = dev->dev_private;
> + struct drm_device *dev;
> + struct drm_psb_private *dev_priv;
> uint32_t offset;
> uint32_t stride;
> uint32_t src_format;
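
Review bot: the initializer `struct drm_framebuffer *fb = fb_helper->fb;` kept at the top of this hunk still dereferences fb_helper (loaded from info->par) before any check. Only the fb->dev and dev->dev_private loads are deferred. Since the function treats fb as possibly NULL, the commit message should say why fb_helper cannot be NULL at this point, or that load should move below a check as well.
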
> @@ -238,6 +238,8 @@ static void psbfb_copyarea_accel(struct fb_info *info,
> if (!fb)
> return;
>
> + dev = fb->dev;
> + dev_priv = dev->dev_private;
> offset = to_gtt_range(fb->obj[0])->offset;
> stride = fb->pitches[0];
>
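
Review bot: the commit message says the fix is "only dereferencing dev after the null check", but the pointer guarded by `if (!fb)` in this hunk is fb, and the deferred load is `dev = fb->dev;`. The description should name fb so that it matches the code. Separately, in the lines shown here dev is used only to reach dev_private; if nothing further down the function uses it, `dev_priv = fb->dev->dev_private;` would let the local be dropped.
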
> --
> 2.24.0
>