Re: [PATCH] fix NULL pointer deference crash

From: Dan Carpenter
Date: Wed Mar 31 2021 - 16:03:51 EST


Hi Hassan,

url: https://github.com/0day-ci/linux/commits/Hassan-Shahbazi/fix-NULL-pointer-deference-crash/20210401-004543
base: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 5e46d1b78a03d52306f21f77a4e4a144b6d31486
config: x86_64-randconfig-m001-20210330 (attached as .config)
compiler: gcc-9 (Debian 9.3.0-22) 9.3.0

If you fix the issue, kindly add the following tags as appropriate
Reported-by: kernel test robot <lkp@xxxxxxxxx>
Reported-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>

New smatch warnings:
drivers/video/fbdev/core/fbcon.c:1336 fbcon_cursor() warn: variable dereferenced before check 'ops' (see line 1324)

Old smatch warnings:
drivers/video/fbdev/core/fbcon.c:3028 fbcon_get_con2fb_map_ioctl() warn: potential spectre issue 'con2fb_map' [r]

vim +/ops +1336 drivers/video/fbdev/core/fbcon.c

^1da177e4c3f415 drivers/video/console/fbcon.c Linus Torvalds 2005-04-16 1318 static void fbcon_cursor(struct vc_data *vc, int mode)
^1da177e4c3f415 drivers/video/console/fbcon.c Linus Torvalds 2005-04-16 1319 {
^1da177e4c3f415 drivers/video/console/fbcon.c Linus Torvalds 2005-04-16 1320 struct fb_info *info = registered_fb[con2fb_map[vc->vc_num]];
^1da177e4c3f415 drivers/video/console/fbcon.c Linus Torvalds 2005-04-16 1321 struct fbcon_ops *ops = info->fbcon_par;
^1da177e4c3f415 drivers/video/console/fbcon.c Linus Torvalds 2005-04-16 1322 int c = scr_readw((u16 *) vc->vc_pos);
^1da177e4c3f415 drivers/video/console/fbcon.c Linus Torvalds 2005-04-16 1323
2a17d7e80f1df44 drivers/video/console/fbcon.c Scot Doyle 2015-08-04 @1324 ops->cur_blink_jiffies = msecs_to_jiffies(vc->vc_cur_blink_ms);
2a17d7e80f1df44 drivers/video/console/fbcon.c Scot Doyle 2015-08-04 1325
d1e2306681ad3cb drivers/video/console/fbcon.c Michal Januszewski 2007-05-08 1326 if (fbcon_is_inactive(vc, info) || vc->vc_deccm != 1)
^1da177e4c3f415 drivers/video/console/fbcon.c Linus Torvalds 2005-04-16 1327 return;
^1da177e4c3f415 drivers/video/console/fbcon.c Linus Torvalds 2005-04-16 1328
c0e4b3ad67997a6 drivers/video/fbdev/core/fbcon.c Jiri Slaby 2020-06-15 1329 if (vc->vc_cursor_type & CUR_SW)
acba9cd01974353 drivers/video/console/fbcon.c Antonino A. Daplas 2007-07-17 1330 fbcon_del_cursor_timer(info);
a5edce421848442 drivers/video/console/fbcon.c Thierry Reding 2015-05-21 1331 else
acba9cd01974353 drivers/video/console/fbcon.c Antonino A. Daplas 2007-07-17 1332 fbcon_add_cursor_timer(info);
acba9cd01974353 drivers/video/console/fbcon.c Antonino A. Daplas 2007-07-17 1333
^1da177e4c3f415 drivers/video/console/fbcon.c Linus Torvalds 2005-04-16 1334 ops->cursor_flash = (mode == CM_ERASE) ? 0 : 1;
^^^^^^^^^^^^^^^^^
Dereferenced

^1da177e4c3f415 drivers/video/console/fbcon.c Linus Torvalds 2005-04-16 1335
1d73453653c6d4f drivers/video/fbdev/core/fbcon.c Hassan Shahbazi 2021-03-31 @1336 if (ops && ops->cursor)
^^^
Checked too late

06a0df4d1b8b13b drivers/video/fbdev/core/fbcon.c Linus Torvalds 2020-09-08 1337 ops->cursor(vc, info, mode, get_color(vc, info, c, 1),
^1da177e4c3f415 drivers/video/console/fbcon.c Linus Torvalds 2005-04-16 1338 get_color(vc, info, c, 0));
^1da177e4c3f415 drivers/video/console/fbcon.c Linus Torvalds 2005-04-16 1339 }

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@xxxxxxxxxxxx

Attachment: .config.gz
Description: application/gzip
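
The ordering problem in the smatch report above, reduced to a userspace C model (an added example, not code from fbcon.c or from the patch under review). The struct names, `MODE_ERASE` and `count_cursor` are hypothetical stand-ins, and returning -1 on a NULL pointer is an assumption, not the fix chosen for the kernel.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical userspace stand-ins for the kernel types; not fbcon.c code. */
#define MODE_ERASE 2                      /* constructed value for the model */
struct ops_model {
    int cur_blink_jiffies;
    int cursor_flash;
    void (*cursor)(struct ops_model *ops, int mode);
};
struct info_model { struct ops_model *par; };  /* role of info->fbcon_par */

static int cursor_calls;                  /* counts callback invocations */
static void count_cursor(struct ops_model *ops, int mode) { (void)ops; (void)mode; cursor_calls++; }

/* Shape smatch flagged: ops is written through twice, then tested. A NULL ops
 * is already dereferenced by the first store, so call this with non-NULL only. */
static int cursor_late_check(struct info_model *info, int blink, int mode)
{
    struct ops_model *ops = info->par;
    ops->cur_blink_jiffies = blink;                 /* cf. line 1324 */
    ops->cursor_flash = (mode == MODE_ERASE) ? 0 : 1; /* cf. line 1334 */
    if (ops && ops->cursor)                         /* cf. line 1336: too late */
        ops->cursor(ops, mode);
    return 0;
}

/* Same body with the guard moved ahead of the first dereference. */
static int cursor_early_check(struct info_model *info, int blink, int mode)
{
    struct ops_model *ops = info->par;
    if (!ops)
        return -1;                                  /* assumed error value */
    ops->cur_blink_jiffies = blink;
    ops->cursor_flash = (mode == MODE_ERASE) ? 0 : 1;
    if (ops->cursor)
        ops->cursor(ops, mode);
    return 0;
}

int main(void)
{
    struct ops_model o = { 0, 0, count_cursor };
    struct info_model with = { &o }, without = { NULL };
    printf("early, NULL ops:  %d\n", cursor_early_check(&without, 5, 1));
    printf("early, valid ops: %d\n", cursor_early_check(&with, 5, 1));
    printf("late,  valid ops: %d\n", cursor_late_check(&with, 7, MODE_ERASE));
    return 0;
}
```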