From 8604e9806fd8feac2b9caa8bfa98c06c73654429 Mon Sep 17 00:00:00 2001
From: Suprith Malligere Shankaregowda <supgow@codeaurora.org>
Date: Wed, 4 Apr 2018 17:58:29 +0530
Subject: [PATCH] drm: msm: fix potential NULL pointer dereference

adding NULL check before dereferencing a pointer.

Change-Id: I260b016abdcb16f5b16e58671ed208df21c99a46
Signed-off-by: Suprith Malligere Shankaregowda <supgow@codeaurora.org>
---
 drivers/gpu/drm/msm/dsi-staging/dsi_drm.c |  4 ++--
 drivers/gpu/drm/msm/mdp/mdp5/mdp5_plane.c | 12 ++++++++++--
 drivers/gpu/drm/msm/msm_gem_submit.c      |  4 ++++
 drivers/gpu/drm/msm/msm_iommu.c           |  3 ++-
 4 files changed, 18 insertions(+), 5 deletions(-)

diff --git a/drivers/gpu/drm/msm/dsi-staging/dsi_drm.c b/drivers/gpu/drm/msm/dsi-staging/dsi_drm.c
index 309401eb3093..35000d7eb12a 100644
--- a/drivers/gpu/drm/msm/dsi-staging/dsi_drm.c
+++ b/drivers/gpu/drm/msm/dsi-staging/dsi_drm.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2016-2017, The Linux Foundation. All rights reserved.
+ * Copyright (c) 2016-2018, The Linux Foundation. All rights reserved.
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 2 and
@@ -439,7 +439,7 @@ int dsi_connector_get_modes(struct drm_connector *connector,
 	rc = dsi_display_get_modes(display, NULL, &count);
 	if (rc) {
 		pr_err("failed to get num of modes, rc=%d\n", rc);
-		goto error;
+		goto end;
 	}
 
 	size = count * sizeof(*modes);
diff --git a/drivers/gpu/drm/msm/mdp/mdp5/mdp5_plane.c b/drivers/gpu/drm/msm/mdp/mdp5/mdp5_plane.c
index 01b6425c6e19..d751625bbfd7 100644
--- a/drivers/gpu/drm/msm/mdp/mdp5/mdp5_plane.c
+++ b/drivers/gpu/drm/msm/mdp/mdp5/mdp5_plane.c
@@ -193,7 +193,8 @@ static void mdp5_plane_reset(struct drm_plane *plane)
 
 	kfree(to_mdp5_plane_state(plane->state));
 	mdp5_state = kzalloc(sizeof(*mdp5_state), GFP_KERNEL);
-
+	if (!mdp5_state)
+		return;
 	/* assign default blend parameters */
 	mdp5_state->alpha = 255;
 	mdp5_state->premultiplied = 0;
@@ -686,14 +687,21 @@ static int mdp5_plane_mode_set(struct drm_plane *plane,
 	bool vflip, hflip;
 	unsigned long flags;
 	int ret;
+	const struct msm_format *msm_fmt;
 
+	msm_fmt = msm_framebuffer_format(fb);
 	nplanes = drm_format_num_planes(fb->pixel_format);
 
 	/* bad formats should already be rejected: */
 	if (WARN_ON(nplanes > pipe2nclients(pipe)))
 		return -EINVAL;
 
-	format = to_mdp_format(msm_framebuffer_format(fb));
+	if (!msm_fmt) {
+		pr_err("invalid format");
+		return -EINVAL;
+	}
+
+	format = to_mdp_format(msm_fmt);
 	pix_format = format->base.pixel_format;
 
 	/* src values are in Q16 fixed point, convert to integer: */
diff --git a/drivers/gpu/drm/msm/msm_gem_submit.c b/drivers/gpu/drm/msm/msm_gem_submit.c
index 2e528b112e1f..af36b95beadb 100644
--- a/drivers/gpu/drm/msm/msm_gem_submit.c
+++ b/drivers/gpu/drm/msm/msm_gem_submit.c
@@ -347,6 +347,10 @@ static int submit_reloc(struct msm_gpu *gpu,
 	 * to do it page-by-page, w/ kmap() if not vmap()d..
 	 */
 	ptr = msm_gem_vaddr(&obj->base);
+	if (!ptr) {
+		DRM_ERROR("Invalid format");
+		return -EINVAL;
+	}
 
 	if (IS_ERR(ptr)) {
 		ret = PTR_ERR(ptr);
diff --git a/drivers/gpu/drm/msm/msm_iommu.c b/drivers/gpu/drm/msm/msm_iommu.c
index b52c4752c5fe..4586b62401fb 100644
--- a/drivers/gpu/drm/msm/msm_iommu.c
+++ b/drivers/gpu/drm/msm/msm_iommu.c
@@ -237,7 +237,8 @@ static struct device *find_context_bank(const char *name)
 
 	/* Get the parent device */
 	parent = of_find_device_by_node(node->parent);
-
+	if (!parent)
+		return ERR_PTR(-ENODEV);
 	/* Populate the sub nodes */
 	of_platform_populate(parent->dev.of_node, NULL, NULL, &parent->dev);
 
-- 
2.11.0