Patch "drm/msm: Fix potential NULL dereference in DPU SSPP" has been added to the 5.14-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Sun, 14 Nov 2021 22:20:13 -0500

This is a note to let you know that I've just added the patch titled

    drm/msm: Fix potential NULL dereference in DPU SSPP

to the 5.14-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     drm-msm-fix-potential-null-dereference-in-dpu-sspp.patch
and it can be found in the queue-5.14 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 9c6810b56a3cf76f42170df435757f5ff599749f
Author: Jessica Zhang <jesszhan@xxxxxxxxxxxxxx>
Date:   Wed Oct 20 10:57:33 2021 -0700

    drm/msm: Fix potential NULL dereference in DPU SSPP
    
    [ Upstream commit 8bf71a5719b6cc5b6ba358096081e5d50ea23ab6 ]
    
    Move initialization of sblk in _sspp_subblk_offset() after NULL check to
    avoid potential NULL pointer dereference.
    
    Fixes: 25fdd5933e4c ("drm/msm: Add SDM845 DPU support")
    Reported-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
    Signed-off-by: Jessica Zhang <jesszhan@xxxxxxxxxxxxxx>
    Link: https://lore.kernel.org/r/20211020175733.3379-1-jesszhan@xxxxxxxxxxxxxx
    Signed-off-by: Rob Clark <robdclark@xxxxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_sspp.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_sspp.c
index 69eed79324865..f9460672176aa 100644
--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_sspp.c
+++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_sspp.c
@@ -138,11 +138,13 @@ static int _sspp_subblk_offset(struct dpu_hw_pipe *ctx,
 		u32 *idx)
 {
 	int rc = 0;
-	const struct dpu_sspp_sub_blks *sblk = ctx->cap->sblk;
+	const struct dpu_sspp_sub_blks *sblk;
 
-	if (!ctx)
+	if (!ctx || !ctx->cap || !ctx->cap->sblk)
 		return -EINVAL;
 
+	sblk = ctx->cap->sblk;
+
 	switch (s_id) {
 	case DPU_SSPP_SRC:
 		*idx = sblk->src_blk.base;
@@ -419,7 +421,7 @@ static void _dpu_hw_sspp_setup_scaler3(struct dpu_hw_pipe *ctx,
 
 	(void)pe;
 	if (_sspp_subblk_offset(ctx, DPU_SSPP_SCALER_QSEED3, &idx) || !sspp
-		|| !scaler3_cfg || !ctx || !ctx->cap || !ctx->cap->sblk)
+		|| !scaler3_cfg)
 		return;
 
 	dpu_hw_setup_scaler3(&ctx->hw, scaler3_cfg, idx,






