| Message ID | 1484740335-26368-1-git-send-email-ander.conselvan.de.oliveira@intel.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
On Wed, Jan 18, 2017 at 01:52:15PM +0200, Ander Conselvan de Oliveira wrote: > The error paths in hsw_trans_edp_pipe_A_crc_wa() and > intel_prepare_reset() would potentially call drm_atomic_state_put with a > NULL state, which would lead to a NULL pointer dereference. > > Found by coverity. > > Fixes: 0853695c3ba4 ("drm: Add reference counting to drm_atomic_state") > Cc: Chris Wilson <chris@chris-wilson.co.uk> > Cc: Daniel Vetter <daniel.vetter@ffwll.ch> > Cc: <drm-intel-fixes@lists.freedesktop.org> # v4.10-rc1+ > Signed-off-by: Ander Conselvan de Oliveira <ander.conselvan.de.oliveira@intel.com> > --- > drivers/gpu/drm/i915/intel_display.c | 3 ++- > drivers/gpu/drm/i915/intel_pipe_crc.c | 4 +++- > 2 files changed, 5 insertions(+), 2 deletions(-) > > diff --git a/drivers/gpu/drm/i915/intel_display.c b/drivers/gpu/drm/i915/intel_display.c > index caa2e02..b5a09bd 100644 > --- a/drivers/gpu/drm/i915/intel_display.c > +++ b/drivers/gpu/drm/i915/intel_display.c > @@ -3577,7 +3577,8 @@ void intel_prepare_reset(struct drm_i915_private *dev_priv) > return; > > err: > - drm_atomic_state_put(state); > + if (state) > + drm_atomic_state_put(state); There's no point in the common err cleanup path here. Take a look at cleaning up the error handling in general in this function. > } > > void intel_finish_reset(struct drm_i915_private *dev_priv) > diff --git a/drivers/gpu/drm/i915/intel_pipe_crc.c b/drivers/gpu/drm/i915/intel_pipe_crc.c > index 0f1da81..f1bbf49 100644 > --- a/drivers/gpu/drm/i915/intel_pipe_crc.c > +++ b/drivers/gpu/drm/i915/intel_pipe_crc.c > @@ -579,7 +579,9 @@ static void hsw_trans_edp_pipe_A_crc_wa(struct drm_i915_private *dev_priv, > out: > WARN(ret, "Toggling workaround to %i returns %i\n", enable, ret); > drm_modeset_unlock_all(dev); > - drm_atomic_state_put(state); > + > + if (state) > + drm_atomic_state_put(state); Better to use the more typical onion error unwind paths. -Chris
diff --git a/drivers/gpu/drm/i915/intel_display.c b/drivers/gpu/drm/i915/intel_display.c index caa2e02..b5a09bd 100644 --- a/drivers/gpu/drm/i915/intel_display.c +++ b/drivers/gpu/drm/i915/intel_display.c @@ -3577,7 +3577,8 @@ void intel_prepare_reset(struct drm_i915_private *dev_priv) return; err: - drm_atomic_state_put(state); + if (state) + drm_atomic_state_put(state); } void intel_finish_reset(struct drm_i915_private *dev_priv) diff --git a/drivers/gpu/drm/i915/intel_pipe_crc.c b/drivers/gpu/drm/i915/intel_pipe_crc.c index 0f1da81..f1bbf49 100644 --- a/drivers/gpu/drm/i915/intel_pipe_crc.c +++ b/drivers/gpu/drm/i915/intel_pipe_crc.c @@ -579,7 +579,9 @@ static void hsw_trans_edp_pipe_A_crc_wa(struct drm_i915_private *dev_priv, out: WARN(ret, "Toggling workaround to %i returns %i\n", enable, ret); drm_modeset_unlock_all(dev); - drm_atomic_state_put(state); + + if (state) + drm_atomic_state_put(state); } static int ivb_pipe_crc_ctl_reg(struct drm_i915_private *dev_priv,
The error paths in hsw_trans_edp_pipe_A_crc_wa() and intel_prepare_reset() would potentially call drm_atomic_state_put with a NULL state, which would lead to a NULL pointer dereference. Found by coverity. Fixes: 0853695c3ba4 ("drm: Add reference counting to drm_atomic_state") Cc: Chris Wilson <chris@chris-wilson.co.uk> Cc: Daniel Vetter <daniel.vetter@ffwll.ch> Cc: <drm-intel-fixes@lists.freedesktop.org> # v4.10-rc1+ Signed-off-by: Ander Conselvan de Oliveira <ander.conselvan.de.oliveira@intel.com> --- drivers/gpu/drm/i915/intel_display.c | 3 ++- drivers/gpu/drm/i915/intel_pipe_crc.c | 4 +++- 2 files changed, 5 insertions(+), 2 deletions(-)