On Wed, Oct 2, 2024 at 8:26 AM Nikolay Kuratov <kniv@xxxxxxxxxxxxxx> wrote:
>
> Currently if condition (!bo and !vmw_kms_srf_ok()) was met
> we go to err_out with ret == 0.
> err_out dereferences vfb if ret == 0, but in our case vfb is still NULL.
>
> Fix this by assigning sensible error to ret.
>
> Found by Linux Verification Center (linuxtesting.org) with SVACE
>
> Signed-off-by: Nikolay Kuratov <kniv@xxxxxxxxxxxxxx>
> Cc: stable@xxxxxxxxxxxxxxx
> Fixes: 810b3e1683d0 ("drm/vmwgfx: Support topology greater than texture size")
> ---
> drivers/gpu/drm/vmwgfx/vmwgfx_kms.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
> index 288ed0bb75cb..752510a11e1b 100644
> --- a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
> +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
> @@ -1539,6 +1539,7 @@ static struct drm_framebuffer *vmw_kms_fb_create(struct drm_device *dev,
> DRM_ERROR("Surface size cannot exceed %dx%d\n",
> dev_priv->texture_max_width,
> dev_priv->texture_max_height);
> + ret = -EINVAL;
> goto err_out;
> }
>
> --
> 2.34.1
>
Thank you. I pushed it to drm-misc-fixes.
z
