kern/138383: NULL pointer dereference in mach64_dma_vertex() in file sys/dev/drm/mach64_state.c

Patroklos Argyroudis argp at census-labs.com
Mon Aug 31 10:40:04 UTC 2009


>Number:         138383
>Category:       kern
>Synopsis:       NULL pointer dereference in mach64_dma_vertex() in file sys/dev/drm/mach64_state.c
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Aug 31 10:40:03 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator:     Patroklos Argyroudis
>Release:        8.0-CURRENT
>Organization:
census, inc
>Environment:
N/A
>Description:
There is a NULL pointer dereference in mach64_dma_vertex() line 829 in file sys/dev/drm/mach64_state.c.  The check against NULL in line 834 should happen before the dereference of dev_priv.
>How-To-Repeat:
N/A
>Fix:
Patch attached.

Patch attached with submission follows:

--- ./sys/dev/drm/mach64_state.c.orig	2009-08-28 15:42:13.000000000 +0300
+++ ./sys/dev/drm/mach64_state.c	2009-08-28 15:55:17.000000000 +0300
@@ -826,7 +826,7 @@
 		      struct drm_file *file_priv)
 {
 	drm_mach64_private_t *dev_priv = dev->dev_private;
-	drm_mach64_sarea_t *sarea_priv = dev_priv->sarea_priv;
+	drm_mach64_sarea_t *sarea_priv;
 	drm_mach64_vertex_t *vertex = data;
 
 	LOCK_TEST_WITH_RETURN(dev, file_priv);
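Review bot: the new declaration `drm_mach64_sarea_t *sarea_priv;` leaves the pointer uninitialized from the top of the function until the assignment added in the next hunk. Nothing in the visible lines reads it in between, but declaring it as `drm_mach64_sarea_t *sarea_priv = NULL;` would make any use that is later added above the assignment fail predictably instead of reading an indeterminate value. Note also that `dev_priv = dev->dev_private` is only a load of the pointer, so leaving that initializer in place is fine; it is the `dev_priv->sarea_priv` dereference that had to move.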
@@ -836,6 +836,8 @@
 		return -EINVAL;
 	}
 
+	sarea_priv = dev_priv->sarea_priv;
+
 	DRM_DEBUG("pid=%d buf=%p used=%lu discard=%d\n",
 		  DRM_CURRENTPID,
 		  vertex->buf, vertex->used, vertex->discard);
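Review bot: the added `sarea_priv = dev_priv->sarea_priv;` is only safe because it sits below the block ending in `return -EINVAL;`, and nothing in the code records that ordering requirement. A one-line comment above the assignment stating that `dev_priv` has been validated at this point would keep a later cleanup from hoisting it back into the declarations. The hunk context does not show the condition itself, so confirm that the check above is the `dev_priv` NULL test the report refers to before committing.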


>Release-Note:
>Audit-Trail:
>Unformatted:

