drm: msm: fix potential NULL pointer dereference

adding NULL check before dereferencing a pointer.

Change-Id: I260b016abdcb16f5b16e58671ed208df21c99a46
Signed-off-by: Suprith Malligere Shankaregowda <supgow@codeaurora.org>

diff --git a/drivers/gpu/drm/msm/dsi-staging/dsi_drm.c b/drivers/gpu/drm/msm/dsi-staging/dsi_drm.c
index 309401e..35000d7 100644 (file)
--- a/drivers/gpu/drm/msm/dsi-staging/dsi_drm.c
+++ b/drivers/gpu/drm/msm/dsi-staging/dsi_drm.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2016-2017, The Linux Foundation. All rights reserved.
+ * Copyright (c) 2016-2018, The Linux Foundation. All rights reserved.
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 2 and
@@ -439,7 +439,7 @@ int dsi_connector_get_modes(struct drm_connector *connector,
        rc = dsi_display_get_modes(display, NULL, &count);
        if (rc) {
                pr_err("failed to get num of modes, rc=%d\n", rc);
-               goto error;
+               goto end;
        }
 
        size = count * sizeof(*modes);

diff --git a/drivers/gpu/drm/msm/mdp/mdp5/mdp5_plane.c b/drivers/gpu/drm/msm/mdp/mdp5/mdp5_plane.c
index 01b6425..d751625 100644 (file)
--- a/drivers/gpu/drm/msm/mdp/mdp5/mdp5_plane.c
+++ b/drivers/gpu/drm/msm/mdp/mdp5/mdp5_plane.c
@@ -193,7 +193,8 @@ static void mdp5_plane_reset(struct drm_plane *plane)
 
        kfree(to_mdp5_plane_state(plane->state));
        mdp5_state = kzalloc(sizeof(*mdp5_state), GFP_KERNEL);
-
+       if (!mdp5_state)
+               return;
        /* assign default blend parameters */
        mdp5_state->alpha = 255;
        mdp5_state->premultiplied = 0;
@@ -686,14 +687,21 @@ static int mdp5_plane_mode_set(struct drm_plane *plane,
        bool vflip, hflip;
        unsigned long flags;
        int ret;
+       const struct msm_format *msm_fmt;
 
+       msm_fmt = msm_framebuffer_format(fb);
        nplanes = drm_format_num_planes(fb->pixel_format);
 
        /* bad formats should already be rejected: */
        if (WARN_ON(nplanes > pipe2nclients(pipe)))
                return -EINVAL;
 
-       format = to_mdp_format(msm_framebuffer_format(fb));
+       if (!msm_fmt) {
+               pr_err("invalid format");
+               return -EINVAL;
+       }
+
+       format = to_mdp_format(msm_fmt);
        pix_format = format->base.pixel_format;
 
        /* src values are in Q16 fixed point, convert to integer: */

diff --git a/drivers/gpu/drm/msm/msm_gem_submit.c b/drivers/gpu/drm/msm/msm_gem_submit.c
index 2e528b1..af36b95 100644 (file)
--- a/drivers/gpu/drm/msm/msm_gem_submit.c
+++ b/drivers/gpu/drm/msm/msm_gem_submit.c
@@ -347,6 +347,10 @@ static int submit_reloc(struct msm_gpu *gpu,
         * to do it page-by-page, w/ kmap() if not vmap()d..
         */
        ptr = msm_gem_vaddr(&obj->base);
+       if (!ptr) {
+               DRM_ERROR("Invalid format");
+               return -EINVAL;
+       }
 
        if (IS_ERR(ptr)) {
                ret = PTR_ERR(ptr);

diff --git a/drivers/gpu/drm/msm/msm_iommu.c b/drivers/gpu/drm/msm/msm_iommu.c
index b52c475..4586b62 100644 (file)
--- a/drivers/gpu/drm/msm/msm_iommu.c
+++ b/drivers/gpu/drm/msm/msm_iommu.c
@@ -237,7 +237,8 @@ static struct device *find_context_bank(const char *name)
 
        /* Get the parent device */
        parent = of_find_device_by_node(node->parent);
-
+       if (!parent)
+               return ERR_PTR(-ENODEV);
        /* Populate the sub nodes */
        of_platform_populate(parent->dev.of_node, NULL, NULL, &parent->dev);