On Wed, Oct 2, 2024 at 8:26 AM Nikolay Kuratov <kniv@xxxxxxxxxxxxxx> wrote: > > Currently if condition (!bo and !vmw_kms_srf_ok()) was met > we go to err_out with ret == 0. > err_out dereferences vfb if ret == 0, but in our case vfb is still NULL. > > Fix this by assigning sensible error to ret. > > Found by Linux Verification Center (linuxtesting.org) with SVACE > > Signed-off-by: Nikolay Kuratov <kniv@xxxxxxxxxxxxxx> > Cc: stable@xxxxxxxxxxxxxxx > Fixes: 810b3e1683d0 ("drm/vmwgfx: Support topology greater than texture size") > --- > drivers/gpu/drm/vmwgfx/vmwgfx_kms.c | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c > index 288ed0bb75cb..752510a11e1b 100644 > --- a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c > +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c > @@ -1539,6 +1539,7 @@ static struct drm_framebuffer *vmw_kms_fb_create(struct drm_device *dev, > DRM_ERROR("Surface size cannot exceed %dx%d\n", > dev_priv->texture_max_width, > dev_priv->texture_max_height); > + ret = -EINVAL; > goto err_out; > } > > -- > 2.34.1 > Thank you. I pushed it to drm-misc-fixes. z