drm/simple_kms_helper: Fix NULL pointer dereference with no active CRTC
authorOleksandr Andrushchenko <oleksandr_andrushchenko@epam.com>
Thu, 22 Feb 2018 06:09:19 +0000 (08:09 +0200)
committerDaniel Vetter <daniel.vetter@ffwll.ch>
Thu, 22 Feb 2018 16:11:46 +0000 (17:11 +0100)
It is possible that drm_simple_kms_plane_atomic_check is called
with no CRTC set, e.g. when a user-space application sets CRTC_ID/FB_ID
to 0 before doing any actual drawing. This leads to a NULL pointer
dereference because in this case the new CRTC state is NULL and must be
checked before it is accessed.

Signed-off-by: Oleksandr Andrushchenko <oleksandr_andrushchenko@epam.com>
Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Link: https://patchwork.freedesktop.org/patch/msgid/1519279759-7803-1-git-send-email-andr2000@gmail.com
drivers/gpu/drm/drm_simple_kms_helper.c

index 6c327fdbaaee546729d8f05685278ec188350990..2d324a5515f9e48d64fc95af68a95f4aeb0d90ec 100644 (file)
@@ -112,12 +112,6 @@ static int drm_simple_kms_plane_atomic_check(struct drm_plane *plane,
        pipe = container_of(plane, struct drm_simple_display_pipe, plane);
        crtc_state = drm_atomic_get_new_crtc_state(plane_state->state,
                                                   &pipe->crtc);
-       if (!crtc_state->enable)
-               return 0; /* nothing to check when disabling or disabled */
-
-       if (crtc_state->enable)
-               drm_mode_get_hv_timing(&crtc_state->mode,
-                                      &clip.x2, &clip.y2);
 
        ret = drm_atomic_helper_check_plane_state(plane_state, crtc_state,
                                                  &clip,
@@ -128,7 +122,9 @@ static int drm_simple_kms_plane_atomic_check(struct drm_plane *plane,
                return ret;
 
        if (!plane_state->visible)
-               return -EINVAL;
+               return 0;
+
+       drm_mode_get_hv_timing(&crtc_state->mode, &clip.x2, &clip.y2);
 
        if (!pipe->funcs || !pipe->funcs->check)
                return 0;
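Review bot: The added `drm_mode_get_hv_timing(&crtc_state->mode, &clip.x2, &clip.y2);` fills `clip` only after `drm_atomic_helper_check_plane_state()` has already consumed `&clip` in the first hunk, so the helper no longer clips against the mode's dimensions. The declaration of `clip` is outside both hunks; if it is zero-initialised, the helper would presumably clip against an empty rectangle and leave `plane_state->visible` false, in which case the new `return 0` is always taken and `pipe->funcs->check` is never reached. Computing the clip before the helper call under an explicit guard keeps the NULL fix without reordering, e.g. `if (crtc_state && crtc_state->enable) drm_mode_get_hv_timing(&crtc_state->mode, &clip.x2, &clip.y2);`. As written, the safety of the later `crtc_state->mode` access rests on the helper never reporting a visible plane without a CRTC state, which deserves a comment such as `/* visible implies a CRTC is bound, so crtc_state is non-NULL here */`. The function body starts before and continues past these hunks, so any later use of `clip` cannot be checked from here.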