| Message ID | 1403803475-16337-5-git-send-email-John.C.Harrison@Intel.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
On Thu, 26 Jun 2014 18:23:55 +0100 John.C.Harrison@Intel.com wrote: > From: John Harrison <John.C.Harrison@Intel.com> > > The i915_gem_record_rings() code was unconditionally querying and saving state > for the batch_obj of a request structure. This is not necessarily set. Thus a > null pointer dereference can occur. > --- > drivers/gpu/drm/i915/i915_gpu_error.c | 13 +++++++------ > 1 file changed, 7 insertions(+), 6 deletions(-) > > diff --git a/drivers/gpu/drm/i915/i915_gpu_error.c b/drivers/gpu/drm/i915/i915_gpu_error.c > index 87ec60e..0738f21 100644 > --- a/drivers/gpu/drm/i915/i915_gpu_error.c > +++ b/drivers/gpu/drm/i915/i915_gpu_error.c > @@ -902,12 +902,13 @@ static void i915_gem_record_rings(struct drm_device *dev, > * as the simplest method to avoid being overwritten > * by userspace. > */ > - error->ring[i].batchbuffer = > - i915_error_object_create(dev_priv, > - request->batch_obj, > - request->ctx ? > - request->ctx->vm : > - &dev_priv->gtt.base); > + if(request->batch_obj) > + error->ring[i].batchbuffer = > + i915_error_object_create(dev_priv, > + request->batch_obj, > + request->ctx ? > + request->ctx->vm : > + &dev_priv->gtt.base); > > if (HAS_BROKEN_CS_TLB(dev_priv->dev) && > ring->scratch.obj) Reviewed-by: Jesse Barnes <jbarnes@virtuosugeek.org>
On Mon, Jun 30, 2014 at 02:40:05PM -0700, Jesse Barnes wrote: > On Thu, 26 Jun 2014 18:23:55 +0100 > John.C.Harrison@Intel.com wrote: > > > From: John Harrison <John.C.Harrison@Intel.com> > > > > The i915_gem_record_rings() code was unconditionally querying and saving state > > for the batch_obj of a request structure. This is not necessarily set. Thus a > > null pointer dereference can occur. > > --- > > drivers/gpu/drm/i915/i915_gpu_error.c | 13 +++++++------ > > 1 file changed, 7 insertions(+), 6 deletions(-) > > > > diff --git a/drivers/gpu/drm/i915/i915_gpu_error.c b/drivers/gpu/drm/i915/i915_gpu_error.c > > index 87ec60e..0738f21 100644 > > --- a/drivers/gpu/drm/i915/i915_gpu_error.c > > +++ b/drivers/gpu/drm/i915/i915_gpu_error.c > > @@ -902,12 +902,13 @@ static void i915_gem_record_rings(struct drm_device *dev, > > * as the simplest method to avoid being overwritten > > * by userspace. > > */ > > - error->ring[i].batchbuffer = > > - i915_error_object_create(dev_priv, > > - request->batch_obj, > > - request->ctx ? > > - request->ctx->vm : > > - &dev_priv->gtt.base); > > + if(request->batch_obj) > > + error->ring[i].batchbuffer = > > + i915_error_object_create(dev_priv, > > + request->batch_obj, > > + request->ctx ? > > + request->ctx->vm : > > + &dev_priv->gtt.base); > > > > if (HAS_BROKEN_CS_TLB(dev_priv->dev) && > > ring->scratch.obj) > > Reviewed-by: Jesse Barnes <jbarnes@virtuosugeek.org> Nah, put the NULL check into the macro. i915_error_object_create() was originally written as a no-op on NULL pointers for cleanliness, we may as well do the check centrally and remove the extras we have grown. -Chris
On Tue, Jul 01, 2014 at 08:12:11AM +0100, Chris Wilson wrote: > On Mon, Jun 30, 2014 at 02:40:05PM -0700, Jesse Barnes wrote: > > On Thu, 26 Jun 2014 18:23:55 +0100 > > John.C.Harrison@Intel.com wrote: > > > > > From: John Harrison <John.C.Harrison@Intel.com> > > > > > > The i915_gem_record_rings() code was unconditionally querying and saving state > > > for the batch_obj of a request structure. This is not necessarily set. Thus a > > > null pointer dereference can occur. > > > --- > > > drivers/gpu/drm/i915/i915_gpu_error.c | 13 +++++++------ > > > 1 file changed, 7 insertions(+), 6 deletions(-) > > > > > > diff --git a/drivers/gpu/drm/i915/i915_gpu_error.c b/drivers/gpu/drm/i915/i915_gpu_error.c > > > index 87ec60e..0738f21 100644 > > > --- a/drivers/gpu/drm/i915/i915_gpu_error.c > > > +++ b/drivers/gpu/drm/i915/i915_gpu_error.c > > > @@ -902,12 +902,13 @@ static void i915_gem_record_rings(struct drm_device *dev, > > > * as the simplest method to avoid being overwritten > > > * by userspace. > > > */ > > > - error->ring[i].batchbuffer = > > > - i915_error_object_create(dev_priv, > > > - request->batch_obj, > > > - request->ctx ? > > > - request->ctx->vm : > > > - &dev_priv->gtt.base); > > > + if(request->batch_obj) > > > + error->ring[i].batchbuffer = > > > + i915_error_object_create(dev_priv, > > > + request->batch_obj, > > > + request->ctx ? > > > + request->ctx->vm : > > > + &dev_priv->gtt.base); > > > > > > if (HAS_BROKEN_CS_TLB(dev_priv->dev) && > > > ring->scratch.obj) > > > > Reviewed-by: Jesse Barnes <jbarnes@virtuosugeek.org> > > Nah, put the NULL check into the macro. i915_error_object_create() was > originally written as a no-op on NULL pointers for cleanliness, we may > as well do the check centrally and remove the extras we have grown. Also the usual broken record from your maintainer: How does this blow up and can we please have a testcase for it? Oscar provided a basic error state check test, so the infrastructure for a new subtest is now there. I hope ;-) -Daniel
diff --git a/drivers/gpu/drm/i915/i915_gpu_error.c b/drivers/gpu/drm/i915/i915_gpu_error.c index 87ec60e..0738f21 100644 --- a/drivers/gpu/drm/i915/i915_gpu_error.c +++ b/drivers/gpu/drm/i915/i915_gpu_error.c @@ -902,12 +902,13 @@ static void i915_gem_record_rings(struct drm_device *dev, * as the simplest method to avoid being overwritten * by userspace. */ - error->ring[i].batchbuffer = - i915_error_object_create(dev_priv, - request->batch_obj, - request->ctx ? - request->ctx->vm : - &dev_priv->gtt.base); + if(request->batch_obj) + error->ring[i].batchbuffer = + i915_error_object_create(dev_priv, + request->batch_obj, + request->ctx ? + request->ctx->vm : + &dev_priv->gtt.base); if (HAS_BROKEN_CS_TLB(dev_priv->dev) && ring->scratch.obj)
From: John Harrison <John.C.Harrison@Intel.com> The i915_gem_record_rings() code was unconditionally querying and saving state for the batch_obj of a request structure. This is not necessarily set. Thus a null pointer dereference can occur. --- drivers/gpu/drm/i915/i915_gpu_error.c | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-)