diff mbox

drm/i915: Avoid drm_atomic_state_put(NULL) on error paths

Message ID 1484742868-9551-1-git-send-email-ander.conselvan.de.oliveira@intel.com (mailing list archive)
State New, archived
Headers show

Commit Message

Ander Conselvan de Oliveira Jan. 18, 2017, 12:34 p.m. UTC
The error paths in hsw_trans_edp_pipe_A_crc_wa() and
intel_prepare_reset() would potentially call drm_atomic_state_put with a
NULL state, which would lead to a NULL pointer dereference.

Found by coverity.

v2: Improve the error paths. (Chris)

Fixes: 0853695c3ba4 ("drm: Add reference counting to drm_atomic_state")
Cc: Chris Wilson <chris@chris-wilson.co.uk>
Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
Cc: <drm-intel-fixes@lists.freedesktop.org> # v4.10-rc1+
Signed-off-by: Ander Conselvan de Oliveira <ander.conselvan.de.oliveira@intel.com>
---
 drivers/gpu/drm/i915/intel_display.c  | 10 +++-------
 drivers/gpu/drm/i915/intel_pipe_crc.c | 10 ++++++----
 2 files changed, 9 insertions(+), 11 deletions(-)

Comments

Chris Wilson Jan. 18, 2017, 12:49 p.m. UTC | #1
On Wed, Jan 18, 2017 at 02:34:28PM +0200, Ander Conselvan de Oliveira wrote:
> The error paths in hsw_trans_edp_pipe_A_crc_wa() and
> intel_prepare_reset() would potentially call drm_atomic_state_put with a
> NULL state, which would lead to a NULL pointer dereference.
> 
> Found by coverity.
> 
> v2: Improve the error paths. (Chris)
> 
> Fixes: 0853695c3ba4 ("drm: Add reference counting to drm_atomic_state")
> Cc: Chris Wilson <chris@chris-wilson.co.uk>
> Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
> Cc: <drm-intel-fixes@lists.freedesktop.org> # v4.10-rc1+
> Signed-off-by: Ander Conselvan de Oliveira <ander.conselvan.de.oliveira@intel.com>
Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk>
-Chris
Chris Wilson Jan. 18, 2017, 1:58 p.m. UTC | #2
On Wed, Jan 18, 2017 at 12:49:00PM +0000, Chris Wilson wrote:
> On Wed, Jan 18, 2017 at 02:34:28PM +0200, Ander Conselvan de Oliveira wrote:
> > The error paths in hsw_trans_edp_pipe_A_crc_wa() and
> > intel_prepare_reset() would potentially call drm_atomic_state_put with a
> > NULL state, which would lead to a NULL pointer dereference.
> > 
> > Found by coverity.
> > 
> > v2: Improve the error paths. (Chris)
> > 
> > Fixes: 0853695c3ba4 ("drm: Add reference counting to drm_atomic_state")
> > Cc: Chris Wilson <chris@chris-wilson.co.uk>
> > Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
> > Cc: <drm-intel-fixes@lists.freedesktop.org> # v4.10-rc1+
> > Signed-off-by: Ander Conselvan de Oliveira <ander.conselvan.de.oliveira@intel.com>
> Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk>

Thanks for the patch for yet another of my mistakes.
-Chris
diff mbox

Patch

diff --git a/drivers/gpu/drm/i915/intel_display.c b/drivers/gpu/drm/i915/intel_display.c
index 8aca92b..0d055e8 100644
--- a/drivers/gpu/drm/i915/intel_display.c
+++ b/drivers/gpu/drm/i915/intel_display.c
@@ -3561,23 +3561,19 @@  void intel_prepare_reset(struct drm_i915_private *dev_priv)
 	state = drm_atomic_helper_duplicate_state(dev, ctx);
 	if (IS_ERR(state)) {
 		ret = PTR_ERR(state);
-		state = NULL;
 		DRM_ERROR("Duplicating state failed with %i\n", ret);
-		goto err;
+		return;
 	}
 
 	ret = drm_atomic_helper_disable_all(dev, ctx);
 	if (ret) {
 		DRM_ERROR("Suspending crtc's failed with %i\n", ret);
-		goto err;
+		drm_atomic_state_put(state);
+		return;
 	}
 
 	dev_priv->modeset_restore_state = state;
 	state->acquire_ctx = ctx;
-	return;
-
-err:
-	drm_atomic_state_put(state);
 }
 
 void intel_finish_reset(struct drm_i915_private *dev_priv)
diff --git a/drivers/gpu/drm/i915/intel_pipe_crc.c b/drivers/gpu/drm/i915/intel_pipe_crc.c
index 0f1da81..c0b1f99 100644
--- a/drivers/gpu/drm/i915/intel_pipe_crc.c
+++ b/drivers/gpu/drm/i915/intel_pipe_crc.c
@@ -560,14 +560,14 @@  static void hsw_trans_edp_pipe_A_crc_wa(struct drm_i915_private *dev_priv,
 	state = drm_atomic_state_alloc(dev);
 	if (!state) {
 		ret = -ENOMEM;
-		goto out;
+		goto unlock;
 	}
 
 	state->acquire_ctx = drm_modeset_legacy_acquire_ctx(&crtc->base);
 	pipe_config = intel_atomic_get_crtc_state(state, crtc);
 	if (IS_ERR(pipe_config)) {
 		ret = PTR_ERR(pipe_config);
-		goto out;
+		goto put_state;
 	}
 
 	pipe_config->pch_pfit.force_thru = enable;
@@ -576,10 +576,12 @@  static void hsw_trans_edp_pipe_A_crc_wa(struct drm_i915_private *dev_priv,
 		pipe_config->base.connectors_changed = true;
 
 	ret = drm_atomic_commit(state);
-out:
+
+put_state:
+	drm_atomic_state_put(state);
+unlock:
 	WARN(ret, "Toggling workaround to %i returns %i\n", enable, ret);
 	drm_modeset_unlock_all(dev);
-	drm_atomic_state_put(state);
 }
 
 static int ivb_pipe_crc_ctl_reg(struct drm_i915_private *dev_priv,