On Mon, 26 Jan 2015, Thierry Reding <thierry.reding at gmail.com> wrote:
> On Mon, Jan 26, 2015 at 11:07:52AM +0200, Jani Nikula wrote:
>> On Fri, 23 Jan 2015, Thierry Reding <thierry.reding at gmail.com> wrote:
>> > Thierry Reding (4):
>> >       drm/mipi-dsi: Avoid potential NULL pointer dereference
>> 
>> I can't find this one, has it been posted on the list?
>
> I thought it had, but I can't find any record of that. It certainly was
> reported on-list:
>
>       Subject: re: drm/dsi: Add message to packet translator
>       Message-ID: <20141216235305.GC31467 at mwanda>
>
> I've attached the patch for convenience.

Ah, so not a very likely scenario. Looks good to me.

Thanks,
Jani.

>
> Thierry
> From 903c75cb0da218e3849fff3c2c17a9f2ab5705ba Mon Sep 17 00:00:00 2001
> From: Thierry Reding <treding at nvidia.com>
> Date: Fri, 5 Dec 2014 11:46:56 +0100
> Subject: [PATCH] drm/mipi-dsi: Avoid potential NULL pointer dereference
>
> The mipi_dsi_packet_create() function dereferences the msg pointer
> before checking that it's valid. Move the dereference down to where it
> is required to avoid potentially dereferencing a NULL pointer.
>
> Reported-by: Dan Carpenter <dan.carpenter at oracle.com>
> Signed-off-by: Thierry Reding <treding at nvidia.com>
> ---
>  drivers/gpu/drm/drm_mipi_dsi.c | 6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/gpu/drm/drm_mipi_dsi.c b/drivers/gpu/drm/drm_mipi_dsi.c
> index c0644bb865f2..2d5ca8eec13a 100644
> --- a/drivers/gpu/drm/drm_mipi_dsi.c
> +++ b/drivers/gpu/drm/drm_mipi_dsi.c
> @@ -323,8 +323,6 @@ EXPORT_SYMBOL(mipi_dsi_packet_format_is_long);
>  int mipi_dsi_create_packet(struct mipi_dsi_packet *packet,
>                          const struct mipi_dsi_msg *msg)
>  {
> -     const u8 *tx = msg->tx_buf;
> -
>       if (!packet || !msg)
>               return -EINVAL;
>  
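Review bot: the commit message refers to mipi_dsi_packet_create(), but the function this hunk changes is mipi_dsi_create_packet(); the message should use the name from the code so the fix can be found by grepping the log. Dropping the `const u8 *tx = msg->tx_buf;` initializer is the right change here, since it ran before the `if (!packet || !msg)` check and made that check ineffective for a NULL msg.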
> @@ -353,8 +351,10 @@ int mipi_dsi_create_packet(struct mipi_dsi_packet 
> *packet,
>               packet->header[2] = (msg->tx_len >> 8) & 0xff;
>  
>               packet->payload_length = msg->tx_len;
> -             packet->payload = tx;
> +             packet->payload = msg->tx_buf;
>       } else {
> +             const u8 *tx = msg->tx_buf;
> +
>               packet->header[1] = (msg->tx_len > 0) ? tx[0] : 0;
>               packet->header[2] = (msg->tx_len > 1) ? tx[1] : 0;
>       }
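Review bot: in the else branch, `tx[0]` and `tx[1]` are still read whenever msg->tx_len is greater than 0 and 1, with no check in the visible lines that msg->tx_buf itself is non-NULL. Unless a check outside this context already rejects a message with a non-zero tx_len and a NULL tx_buf, consider returning -EINVAL for that combination next to the existing `if (!packet || !msg)` test, so the short-packet path cannot dereference a NULL buffer.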
> -- 
> 2.1.3
>

-- 
Jani Nikula, Intel Open Source Technology Center
