In qxl_crtc_atomic_flush(), there is an if statement on line 376 to check whether crtc->state is NULL:
    if (crtc->state && crtc->state->event)

When crtc->state is NULL and qxl_crtc_update_monitors_config() is called, qxl_crtc_update_monitors_config() uses crtc->state on line 326:
    if (crtc->state->active)
and on line 358:
    DRM_DEBUG_KMS(..., crtc->state->active, ...);

Thus, possible null-pointer dereferences may occur.

To fix these bugs, crtc->state is checked before calling qxl_crtc_update_monitors_config().

These bugs are found by a static analysis tool STCheck written by us.

Signed-off-by: Jia-Ju Bai <baijiaju1990@xxxxxxxxx>
---
 drivers/gpu/drm/qxl/qxl_display.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/qxl/qxl_display.c b/drivers/gpu/drm/qxl/qxl_display.c
index 8b319ebbb0fb..fae18ef1ba59 100644
--- a/drivers/gpu/drm/qxl/qxl_display.c
+++ b/drivers/gpu/drm/qxl/qxl_display.c
@@ -382,7 +382,8 @@ static void qxl_crtc_atomic_flush(struct drm_crtc *crtc,
 		spin_unlock_irqrestore(&dev->event_lock, flags);
 	}
 
-	qxl_crtc_update_monitors_config(crtc, "flush");
+	if (crtc->state)
+		qxl_crtc_update_monitors_config(crtc, "flush");
 }
 
 static void qxl_crtc_destroy(struct drm_crtc *crtc)
-- 
2.17.0

_______________________________________________
Spice-devel mailing list
Spice-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/spice-devel
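Review bot: the added `if (crtc->state)` guard around `qxl_crtc_update_monitors_config(crtc, "flush")` turns a suspected NULL dereference into a silent skip of the monitors-config update, and the commit message does not name a call path on which `crtc->state` is actually NULL here; atomic_flush is invoked by the DRM atomic commit helpers, which hand the CRTC its new state before calling it, so the only evidence for the NULL case is the pre-existing `if (crtc->state && crtc->state->event)` check the message quotes. Either document the path on which state can be NULL in the commit message, or, if this is a defensive check, make it loud rather than silent, e.g. `if (WARN_ON(!crtc->state)) return;` before the call, so a real state-tracking bug is reported instead of hidden; if no such path exists, the more consistent change is to drop the `crtc->state &&` half of the earlier condition instead of adding a second check that keeps the inconsistency.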