On Fri, Mar 01, 2024 at 11:55:11AM +0300, Aleksandr Burakov wrote: > Return value of a function 'drm_cvt_mode' is dereferenced without > checking for NULL but drm_mode_create() in drm_cvt_mode() may > return NULL value in case of memory allocation error. > > Found by Linux Verification Center (linuxtesting.org) with SVACE. > > Fixes: 1b043677d4be ("drm/qxl: add qxl_add_mode helper function") > Signed-off-by: Aleksandr Burakov <a.burakov@xxxxxxxxxxxx> > --- > drivers/gpu/drm/qxl/qxl_display.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/drivers/gpu/drm/qxl/qxl_display.c b/drivers/gpu/drm/qxl/qxl_display.c > index a152a7c6db21..447532c29e02 100644 > --- a/drivers/gpu/drm/qxl/qxl_display.c > +++ b/drivers/gpu/drm/qxl/qxl_display.c > @@ -236,8 +236,10 @@ static int qxl_add_mode(struct drm_connector *connector, > return 0; > > mode = drm_cvt_mode(dev, width, height, 60, false, false, false); > - if (preferred) > + if (preferred && mode) > mode->type |= DRM_MODE_TYPE_PREFERRED; > + else > + return 0; > mode->hdisplay = width; That doesn't fix the NULL pointer dereference in case "preferred" is false. I'd suggest "if (!mode) return 0" instead.
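Review bot: In qxl_add_mode(), the new `else return 0;` pairs with `if (preferred && mode)`, so the function also returns early whenever `preferred` is false, even when drm_cvt_mode() succeeded. In that case the code never reaches `mode->hdisplay = width;`, and the mode that was just created is abandoned without being used. The NULL check should be separate from the `preferred` test: put `if (!mode) return 0;` directly after the drm_cvt_mode() call and leave `if (preferred)` as it was, so only the allocation-failure path exits early.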