From patchwork Wed Feb 12 22:24:00 2014 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?St=C3=A9phane_Marchesin?= X-Patchwork-Id: 3641681 Return-Path: X-Original-To: patchwork-dri-devel@patchwork.kernel.org Delivered-To: patchwork-parsemail@patchwork2.web.kernel.org Received: from mail.kernel.org (mail.kernel.org [198.145.19.201]) by patchwork2.web.kernel.org (Postfix) with ESMTP id E6052BF13A for ; Thu, 13 Feb 2014 00:33:33 +0000 (UTC) Received: from mail.kernel.org (localhost [127.0.0.1]) by mail.kernel.org (Postfix) with ESMTP id 3FA7820149 for ; Thu, 13 Feb 2014 00:33:29 +0000 (UTC) Received: from gabe.freedesktop.org (gabe.freedesktop.org [131.252.210.177]) by mail.kernel.org (Postfix) with ESMTP id 50E492013A for ; Thu, 13 Feb 2014 00:33:27 +0000 (UTC) Received: from gabe.freedesktop.org (localhost [127.0.0.1]) by gabe.freedesktop.org (Postfix) with ESMTP id A041BFB0F2; Wed, 12 Feb 2014 16:33:23 -0800 (PST) X-Original-To: dri-devel@lists.freedesktop.org Delivered-To: dri-devel@lists.freedesktop.org Received: from mail-pb0-f46.google.com (mail-pb0-f46.google.com [209.85.160.46]) by gabe.freedesktop.org (Postfix) with ESMTP id 562A7F9C32 for ; Wed, 12 Feb 2014 14:24:05 -0800 (PST) Received: by mail-pb0-f46.google.com with SMTP id um1so9831418pbc.19 for ; Wed, 12 Feb 2014 14:24:05 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:mime-version:content-type :content-transfer-encoding; bh=BVrw9Ay/zh3N1usYzqJGPSX3yb26ijVzmunNgGafMWk=; b=Zt9CLWl0g4K5NrxW1078r1iTAQsAW6njDS10fcFaAXo0Kg5Ak591xVuUcSRWT2ttJS KdJm1WiEPhEDuMVI1O4pLZdJigcFQBpOGMNs+pFaBcMSU4f6Au3R3dJNWWM9wNXJekCi W4nl5jzAkB3q+0brsgYSuuHO0gubj+nfe0ElI= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version :content-type:content-transfer-encoding; bh=BVrw9Ay/zh3N1usYzqJGPSX3yb26ijVzmunNgGafMWk=; b=DXKmKQDaopilV1HjH+wPi+TI9o5IMtXG9Hr5yfIuLGkyA1nfjoTweOqqOZ8qjT9Z6k K5G2MAmLUu1C4MbHIv0sAR2UBP7SgG8wBsoIb9MrdhDgshfpSO/W5GEBVz0THHVyyLDo EiZAqD16AtZ04DCxeYNySHmyBab8Vv8JJXtGfEu52DIWiyOE7MG4RQTDwAar7EGfWkc7 h+o3U6qgnnOum99OqS04pnLoI8Hsz5pMJCniJo11HWFK5cV4sK1pmnutWXYOyqOZpI36 s1Nwo1nhYVPYD5RJwbP5Eb7MJc0BE2FuCGiupr88Z+UtpFwEvj/UK3J4XvPQk5a++94W 1fUg== X-Gm-Message-State: ALoCoQmY9fP4BoJQYqH7iuy50J6B/G3wVSkyLundhPevCvh4WidagoEbPMDs9I1tYmUhW3hY6tOz X-Received: by 10.68.202.225 with SMTP id kl1mr54409931pbc.54.1392243845031; Wed, 12 Feb 2014 14:24:05 -0800 (PST) Received: from localhost ([2620:0:1000:1b01:82c1:6eff:fef8:b068]) by mx.google.com with ESMTPSA id yd4sm67158492pbc.13.2014.02.12.14.24.02 for (version=TLSv1.2 cipher=RC4-SHA bits=128/128); Wed, 12 Feb 2014 14:24:03 -0800 (PST) From: =?UTF-8?q?St=C3=A9phane=20Marchesin?= To: dri-devel@lists.freedesktop.org Subject: [PATCH] drm: Avoid NULL master_priv access in i915 kernel driver Date: Wed, 12 Feb 2014 14:24:00 -0800 Message-Id: <1392243840-32019-1-git-send-email-marcheu@chromium.org> X-Mailer: git-send-email 1.9.0.rc1.175.g0b1dcb5 MIME-Version: 1.0 X-Mailman-Approved-At: Wed, 12 Feb 2014 16:33:21 -0800 Cc: Stuart Abercrombie , =?UTF-8?q?St=C3=A9phane=20Marchesin?= X-BeenThere: dri-devel@lists.freedesktop.org X-Mailman-Version: 2.1.13 Precedence: list List-Id: Direct Rendering Infrastructure - Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: dri-devel-bounces@lists.freedesktop.org Errors-To: dri-devel-bounces@lists.freedesktop.org X-Spam-Status: No, score=-4.7 required=5.0 tests=BAYES_00,DKIM_SIGNED, RCVD_IN_DNSWL_MED,RP_MATCHES_RCVD,T_DKIM_INVALID,UNPARSEABLE_RELAY autolearn=unavailable version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP From: Stuart Abercrombie In several places, including the interrupt handler, the i915 driver assumes it can deref. dev->primary->master->driver_priv if dev->primary->master is non-NULL. This wasn't true if drm_open_helper was midway through, so rearrange the initialization order. v2: Address this in drm_open_helper instead of the various access points -- basically Stephane's fix. Signed-off-by: Stuart Abercrombie Signed-off-by: Stéphane Marchesin --- drivers/gpu/drm/drm_fops.c | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/drivers/gpu/drm/drm_fops.c b/drivers/gpu/drm/drm_fops.c index 7f2af9a..3df3032 100644 --- a/drivers/gpu/drm/drm_fops.c +++ b/drivers/gpu/drm/drm_fops.c @@ -260,9 +260,11 @@ static int drm_open_helper(struct inode *inode, struct file *filp, * any master object for render clients */ mutex_lock(&dev->struct_mutex); if (!priv->minor->master && !drm_is_render_client(priv)) { - /* create a new master */ - priv->minor->master = drm_master_create(priv->minor); - if (!priv->minor->master) { + /* create a new master but don't assign it yet + * to ensure master->driver_priv is set up first + */ + struct drm_master *master_ptr = drm_master_create(priv->minor); + if (!master_ptr) { mutex_unlock(&dev->struct_mutex); ret = -ENOMEM; goto out_close; @@ -270,7 +272,7 @@ static int drm_open_helper(struct inode *inode, struct file *filp, priv->is_master = 1; /* take another reference for the copy in the local file priv */ - priv->master = drm_master_get(priv->minor->master); + priv->master = drm_master_get(master_ptr); priv->authenticated = 1; @@ -280,7 +282,7 @@ static int drm_open_helper(struct inode *inode, struct file *filp, if (ret) { mutex_lock(&dev->struct_mutex); /* drop both references if this fails */ - drm_master_put(&priv->minor->master); + drm_master_put(&master_ptr); drm_master_put(&priv->master); mutex_unlock(&dev->struct_mutex); goto out_close; @@ -291,12 +293,13 @@ static int drm_open_helper(struct inode *inode, struct file *filp, ret = dev->driver->master_set(dev, priv, true); if (ret) { /* drop both references if this fails */ - drm_master_put(&priv->minor->master); + drm_master_put(&master_ptr); drm_master_put(&priv->master); mutex_unlock(&dev->struct_mutex); goto out_close; } } + priv->minor->master = master_ptr; } else if (!drm_is_render_client(priv)) { /* get a reference to the master */ priv->master = drm_master_get(priv->minor->master);