From patchwork Tue Dec 24 17:51:24 2013
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Ben Widawsky <ben@bwidawsk.net>
X-Patchwork-Id: 3404501
Return-Path: <intel-gfx-bounces@lists.freedesktop.org>
X-Original-To: patchwork-intel-gfx@patchwork.kernel.org
Delivered-To: patchwork-parsemail@patchwork1.web.kernel.org
Received: from mail.kernel.org (mail.kernel.org [198.145.19.201])
	by patchwork1.web.kernel.org (Postfix) with ESMTP id 2A7779F372
	for <patchwork-intel-gfx@patchwork.kernel.org>;
	Tue, 24 Dec 2013 17:51:40 +0000 (UTC)
Received: from mail.kernel.org (localhost [127.0.0.1])
	by mail.kernel.org (Postfix) with ESMTP id 5272620145
	for <patchwork-intel-gfx@patchwork.kernel.org>;
	Tue, 24 Dec 2013 17:51:39 +0000 (UTC)
Received: from gabe.freedesktop.org (gabe.freedesktop.org [131.252.210.177])
	by mail.kernel.org (Postfix) with ESMTP id EB9B620134
	for <patchwork-intel-gfx@patchwork.kernel.org>;
	Tue, 24 Dec 2013 17:51:37 +0000 (UTC)
Received: from gabe.freedesktop.org (localhost [127.0.0.1])
	by gabe.freedesktop.org (Postfix) with ESMTP id 395F4F9EB9;
	Tue, 24 Dec 2013 09:51:35 -0800 (PST)
X-Original-To: intel-gfx@lists.freedesktop.org
Delivered-To: intel-gfx@lists.freedesktop.org
Received: from mail.bwidawsk.net (bwidawsk.net [166.78.191.112])
	by gabe.freedesktop.org (Postfix) with ESMTP id 37DD9FA583
	for <intel-gfx@lists.freedesktop.org>;
	Tue, 24 Dec 2013 09:51:27 -0800 (PST)
Received: by mail.bwidawsk.net (Postfix, from userid 5001)
	id 16C954A6D7; Tue, 24 Dec 2013 09:51:27 -0800 (PST)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org
X-Spam-Level: 
X-Spam-Status: No, score=-4.7 required=5.0 tests=BAYES_00, RCVD_IN_DNSWL_MED,
	RP_MATCHES_RCVD, UNPARSEABLE_RELAY autolearn=unavailable version=3.3.1
Received: from bwidawsk.net (jfdmzpr03-ext.jf.intel.com [134.134.139.72])
	by mail.bwidawsk.net (Postfix) with ESMTPSA id 5B8CD4A6CA
	for <intel-gfx@lists.freedesktop.org>;
	Tue, 24 Dec 2013 09:51:26 -0800 (PST)
Date: Tue, 24 Dec 2013 09:51:24 -0800
From: Ben Widawsky <ben@bwidawsk.net>
To: Intel GFX <intel-gfx@lists.freedesktop.org>
Message-ID: <20131224175124.GA13719@bwidawsk.net>
MIME-Version: 1.0
Content-Disposition: inline
User-Agent: Mutt/1.5.22 (2013-10-16)
Subject: [Intel-gfx] [penguin-kernel@I-love.SAKURA.ne.jp: [PATCH] drm/i915:
	Fix refcount leak and possible NULL pointer dereference.]
X-BeenThere: intel-gfx@lists.freedesktop.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: Intel graphics driver community testing & development
	<intel-gfx.lists.freedesktop.org>
List-Unsubscribe: <http://lists.freedesktop.org/mailman/options/intel-gfx>,
	<mailto:intel-gfx-request@lists.freedesktop.org?subject=unsubscribe>
List-Archive: <http://lists.freedesktop.org/archives/intel-gfx>
List-Post: <mailto:intel-gfx@lists.freedesktop.org>
List-Help: <mailto:intel-gfx-request@lists.freedesktop.org?subject=help>
List-Subscribe: <http://lists.freedesktop.org/mailman/listinfo/intel-gfx>,
	<mailto:intel-gfx-request@lists.freedesktop.org?subject=subscribe>
Sender: intel-gfx-bounces@lists.freedesktop.org
Errors-To: intel-gfx-bounces@lists.freedesktop.org
X-Virus-Scanned: ClamAV using ClamSMTP

----- Forwarded message from Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> -----

Date: Tue, 24 Dec 2013 20:50:23 +0900
From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
To: chris@chris-wilson.co.uk, ben@bwidawsk.net, daniel.vetter@ffwll.ch
Cc: linux-kernel@vger.kernel.org
Subject: [PATCH] drm/i915: Fix refcount leak and possible NULL pointer dereference.
Message-Id: <201312242050.CGH78112.JQFOSVMLOFtHOF@I-love.SAKURA.ne.jp>

>From 482be6384379072eb4c0d45d0ab8a25df4f59ed7 Mon Sep 17 00:00:00 2001
From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Date: Tue, 24 Dec 2013 18:04:14 +0900
Subject: [PATCH] drm/i915: Fix refcount leak and possible NULL pointer dereference.

Since get_pid_task() grabs a reference on the task_struct, we have to drop the
refcount after reading that task's comm name. Also, directly reading like
get_pid_task()->comm can trigger an oops when get_pid_task() returned NULL.

This patch fixes both problems.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
---
 drivers/gpu/drm/i915/i915_debugfs.c |   11 ++++++++++-
 1 files changed, 10 insertions(+), 1 deletions(-)

diff --git a/drivers/gpu/drm/i915/i915_debugfs.c b/drivers/gpu/drm/i915/i915_debugfs.c
index 6ed45a9..d0a8e0a 100644
--- a/drivers/gpu/drm/i915/i915_debugfs.c
+++ b/drivers/gpu/drm/i915/i915_debugfs.c
@@ -406,11 +406,20 @@ static int i915_gem_object_info(struct seq_file *m, void* data)
 	seq_putc(m, '\n');
 	list_for_each_entry_reverse(file, &dev->filelist, lhead) {
 		struct file_stats stats;
+		struct task_struct *task;
+		char name[TASK_COMM_LEN];
 
 		memset(&stats, 0, sizeof(stats));
 		idr_for_each(&file->object_idr, per_file_stats, &stats);
+		task = get_pid_task(file->pid, PIDTYPE_PID);
+		if (task) {
+			get_task_comm(name, task);
+			put_task_struct(task);
+		} else {
+			strlcpy(name, "<unknown>", sizeof(name));
+		}
 		seq_printf(m, "%s: %u objects, %zu bytes (%zu active, %zu inactive, %zu unbound)\n",
-			   get_pid_task(file->pid, PIDTYPE_PID)->comm,
+			   name,
 			   stats.count,
 			   stats.total,
 			   stats.active,