Message ID | d05f0edf121264a9d0adb8ca713fd8cc4ae068bf.1447938059.git.lukas@wunner.de (mailing list archive) |
---|---|
State | New, archived |
On Wed, Nov 18, 2015 at 01:43:20PM +0100, Lukas Wunner wrote: > intelfb_create() is called once on driver initialization. If it fails, > ifbdev->helper.fbdev, ifbdev->fb or ifbdev->fb->obj may be NULL. > > Further up in the call stack, intel_fbdev_initial_config() calls > intel_fbdev_fini() to tear down the ifbdev on failure. This calls > intel_fbdev_destroy() which dereferences ifbdev->fb. Fix the ensuing > oops. > > Also check in these functions if ifbdev is not NULL to avoid oops: > > i915_gem_framebuffer_info() is called on access to debugfs file > "i915_gem_framebuffer" and dereferences ifbdev, ifbdev->helper.fb > and ifbdev->helper.fb->obj. > > intel_connector_add_to_fbdev() / intel_connector_remove_from_fbdev() > are called when registering / unregistering an mst connector and > dereference ifbdev. > > v3: Drop additional null pointer checks in intel_fbdev_set_suspend(), > intel_fbdev_output_poll_changed() and intel_fbdev_restore_mode() > since they already check if ifbdev is not NULL, which is sufficient > now that intel_fbdev_fini() is called on initialization failure. > (Requested by Daniel Vetter <daniel.vetter@ffwll.ch>) > > Signed-off-by: Lukas Wunner <lukas@wunner.de> Queued for -next, thanks for the patch. Aside, with this patch and the static inline dummies from Archit I think we can drop most of the #ifdef blocks (not the one in debugfs though). Care for a follow-up patch to remove them around add/remove_one_connector? -Daniel > --- > drivers/gpu/drm/i915/i915_debugfs.c | 24 +++++++++++++----------- > drivers/gpu/drm/i915/intel_dp_mst.c | 10 ++++++++-- > drivers/gpu/drm/i915/intel_fbdev.c | 6 ++++-- > 3 files changed, 25 insertions(+), 15 deletions(-) > > diff --git a/drivers/gpu/drm/i915/i915_debugfs.c b/drivers/gpu/drm/i915/i915_debugfs.c > index 038d5c6..411a9c6 100644 > --- a/drivers/gpu/drm/i915/i915_debugfs.c > +++ b/drivers/gpu/drm/i915/i915_debugfs.c 
> @@ -1877,17 +1877,19 @@ static int i915_gem_framebuffer_info(struct seq_file *m, void *data) > struct drm_i915_private *dev_priv = dev->dev_private; > > ifbdev = dev_priv->fbdev; > - fb = to_intel_framebuffer(ifbdev->helper.fb); > - > - seq_printf(m, "fbcon size: %d x %d, depth %d, %d bpp, modifier 0x%llx, refcount %d, obj ", > - fb->base.width, > - fb->base.height, > - fb->base.depth, > - fb->base.bits_per_pixel, > - fb->base.modifier[0], > - atomic_read(&fb->base.refcount.refcount)); > - describe_obj(m, fb->obj); > - seq_putc(m, '\n'); > + if (ifbdev) { > + fb = to_intel_framebuffer(ifbdev->helper.fb); > + > + seq_printf(m, "fbcon size: %d x %d, depth %d, %d bpp, modifier 0x%llx, refcount %d, obj ", > + fb->base.width, > + fb->base.height, > + fb->base.depth, > + fb->base.bits_per_pixel, > + fb->base.modifier[0], > + atomic_read(&fb->base.refcount.refcount)); > + describe_obj(m, fb->obj); > + seq_putc(m, '\n'); > + } > #endif > > mutex_lock(&dev->mode_config.fb_lock); > diff --git a/drivers/gpu/drm/i915/intel_dp_mst.c b/drivers/gpu/drm/i915/intel_dp_mst.c > index 9d8a5b4..8c4e7df 100644 > --- a/drivers/gpu/drm/i915/intel_dp_mst.c > +++ b/drivers/gpu/drm/i915/intel_dp_mst.c > @@ -408,7 +408,10 @@ static void intel_connector_add_to_fbdev(struct intel_connector *connector) > { > #ifdef CONFIG_DRM_FBDEV_EMULATION > struct drm_i915_private *dev_priv = to_i915(connector->base.dev); > - drm_fb_helper_add_one_connector(&dev_priv->fbdev->helper, &connector->base); > + > + if (dev_priv->fbdev) > + drm_fb_helper_add_one_connector(&dev_priv->fbdev->helper, > + &connector->base); > #endif > } 
> > @@ -416,7 +419,10 @@ static void intel_connector_remove_from_fbdev(struct intel_connector *connector) > { > #ifdef CONFIG_DRM_FBDEV_EMULATION > struct drm_i915_private *dev_priv = to_i915(connector->base.dev); > - drm_fb_helper_remove_one_connector(&dev_priv->fbdev->helper, &connector->base); > + > + if (dev_priv->fbdev) > + drm_fb_helper_remove_one_connector(&dev_priv->fbdev->helper, > + &connector->base); > #endif > } > > diff --git a/drivers/gpu/drm/i915/intel_fbdev.c b/drivers/gpu/drm/i915/intel_fbdev.c > index cd345c5..7ccde58 100644 > --- a/drivers/gpu/drm/i915/intel_fbdev.c > +++ b/drivers/gpu/drm/i915/intel_fbdev.c > @@ -530,8 +530,10 @@ static void intel_fbdev_destroy(struct drm_device *dev, > > drm_fb_helper_fini(&ifbdev->helper); > > - drm_framebuffer_unregister_private(&ifbdev->fb->base); > - drm_framebuffer_remove(&ifbdev->fb->base); > + if (ifbdev->fb) { > + drm_framebuffer_unregister_private(&ifbdev->fb->base); > + drm_framebuffer_remove(&ifbdev->fb->base); > + } > } > > /* > -- > 2.1.0 >
Hi, On Thu, Nov 19, 2015 at 05:02:04PM +0100, Daniel Vetter wrote: > On Wed, Nov 18, 2015 at 01:43:20PM +0100, Lukas Wunner wrote: > > intelfb_create() is called once on driver initialization. If it fails, > > ifbdev->helper.fbdev, ifbdev->fb or ifbdev->fb->obj may be NULL. > > > > Further up in the call stack, intel_fbdev_initial_config() calls > > intel_fbdev_fini() to tear down the ifbdev on failure. This calls > > intel_fbdev_destroy() which dereferences ifbdev->fb. Fix the ensuing > > oops. > > > > Also check in these functions if ifbdev is not NULL to avoid oops: > > > > i915_gem_framebuffer_info() is called on access to debugfs file > > "i915_gem_framebuffer" and dereferences ifbdev, ifbdev->helper.fb > > and ifbdev->helper.fb->obj. > > > > intel_connector_add_to_fbdev() / intel_connector_remove_from_fbdev() > > are called when registering / unregistering an mst connector and > > dereference ifbdev. > > > > v3: Drop additional null pointer checks in intel_fbdev_set_suspend(), > > intel_fbdev_output_poll_changed() and intel_fbdev_restore_mode() > > since they already check if ifbdev is not NULL, which is sufficient > > now that intel_fbdev_fini() is called on initialization failure. > > (Requested by Daniel Vetter <daniel.vetter@ffwll.ch>) 
> > > > Signed-off-by: Lukas Wunner <lukas@wunner.de> > > Queued for -next, thanks for the patch. Aside, with this patch and the > static inline dummies from Archit I think we can drop most of the #ifdef > blocks (not the one in debugfs though). Care for a follow-up patch to > remove them around add/remove_one_connector? Will do, I actually did check if they are obsolete now but thought they are not because the functions are in drm_fb_helper.c which is only compiled if CONFIG_DRM_FBDEV_EMULATION is defined. I simply forgot to check if there are static inlines. Thanks, Lukas > -Daniel > > --- > > drivers/gpu/drm/i915/i915_debugfs.c | 24 +++++++++++++----------- > > drivers/gpu/drm/i915/intel_dp_mst.c | 10 ++++++++-- > > drivers/gpu/drm/i915/intel_fbdev.c | 6 ++++-- > > 3 files changed, 25 insertions(+), 15 deletions(-) > > > > diff --git a/drivers/gpu/drm/i915/i915_debugfs.c b/drivers/gpu/drm/i915/i915_debugfs.c > > index 038d5c6..411a9c6 100644 > > --- a/drivers/gpu/drm/i915/i915_debugfs.c > > +++ b/drivers/gpu/drm/i915/i915_debugfs.c 
> > @@ -1877,17 +1877,19 @@ static int i915_gem_framebuffer_info(struct seq_file *m, void *data) > > struct drm_i915_private *dev_priv = dev->dev_private; > > > > ifbdev = dev_priv->fbdev; > > - fb = to_intel_framebuffer(ifbdev->helper.fb); > > - > > - seq_printf(m, "fbcon size: %d x %d, depth %d, %d bpp, modifier 0x%llx, refcount %d, obj ", > > - fb->base.width, > > - fb->base.height, > > - fb->base.depth, > > - fb->base.bits_per_pixel, > > - fb->base.modifier[0], > > - atomic_read(&fb->base.refcount.refcount)); > > - describe_obj(m, fb->obj); > > - seq_putc(m, '\n'); > > + if (ifbdev) { > > + fb = to_intel_framebuffer(ifbdev->helper.fb); > > + > > + seq_printf(m, "fbcon size: %d x %d, depth %d, %d bpp, modifier 0x%llx, refcount %d, obj ", > > + fb->base.width, > > + fb->base.height, > > + fb->base.depth, > > + fb->base.bits_per_pixel, > > + fb->base.modifier[0], > > + atomic_read(&fb->base.refcount.refcount)); > > + describe_obj(m, fb->obj); > > + seq_putc(m, '\n'); > > + } > > #endif > > > > mutex_lock(&dev->mode_config.fb_lock); > > diff --git a/drivers/gpu/drm/i915/intel_dp_mst.c b/drivers/gpu/drm/i915/intel_dp_mst.c > > index 9d8a5b4..8c4e7df 100644 > > --- a/drivers/gpu/drm/i915/intel_dp_mst.c > > +++ b/drivers/gpu/drm/i915/intel_dp_mst.c > > @@ -408,7 +408,10 @@ static void intel_connector_add_to_fbdev(struct intel_connector *connector) > > { > > #ifdef CONFIG_DRM_FBDEV_EMULATION > > struct drm_i915_private *dev_priv = to_i915(connector->base.dev); > > - drm_fb_helper_add_one_connector(&dev_priv->fbdev->helper, &connector->base); > > + > > + if (dev_priv->fbdev) > > + drm_fb_helper_add_one_connector(&dev_priv->fbdev->helper, > > + &connector->base); > > #endif > > } 
> > > > @@ -416,7 +419,10 @@ static void intel_connector_remove_from_fbdev(struct intel_connector *connector) > > { > > #ifdef CONFIG_DRM_FBDEV_EMULATION > > struct drm_i915_private *dev_priv = to_i915(connector->base.dev); > > - drm_fb_helper_remove_one_connector(&dev_priv->fbdev->helper, &connector->base); > > + > > + if (dev_priv->fbdev) > > + drm_fb_helper_remove_one_connector(&dev_priv->fbdev->helper, > > + &connector->base); > > #endif > > } > > > > diff --git a/drivers/gpu/drm/i915/intel_fbdev.c b/drivers/gpu/drm/i915/intel_fbdev.c > > index cd345c5..7ccde58 100644 > > --- a/drivers/gpu/drm/i915/intel_fbdev.c > > +++ b/drivers/gpu/drm/i915/intel_fbdev.c > > @@ -530,8 +530,10 @@ static void intel_fbdev_destroy(struct drm_device *dev, > > > > drm_fb_helper_fini(&ifbdev->helper); > > > > - drm_framebuffer_unregister_private(&ifbdev->fb->base); > > - drm_framebuffer_remove(&ifbdev->fb->base); > > + if (ifbdev->fb) { > > + drm_framebuffer_unregister_private(&ifbdev->fb->base); > > + drm_framebuffer_remove(&ifbdev->fb->base); > > + } > > } > > > > /* > > -- > > 2.1.0 > > > > -- > Daniel Vetter > Software Engineer, Intel Corporation > http://blog.ffwll.ch
diff --git a/drivers/gpu/drm/i915/i915_debugfs.c b/drivers/gpu/drm/i915/i915_debugfs.c
index 038d5c6..411a9c6 100644
--- a/drivers/gpu/drm/i915/i915_debugfs.c
+++ b/drivers/gpu/drm/i915/i915_debugfs.c
@@ -1877,17 +1877,19 @@ static int i915_gem_framebuffer_info(struct seq_file *m, void *data)
 struct drm_i915_private *dev_priv = dev->dev_private;

 ifbdev = dev_priv->fbdev;
- fb = to_intel_framebuffer(ifbdev->helper.fb);
-
- seq_printf(m, "fbcon size: %d x %d, depth %d, %d bpp, modifier 0x%llx, refcount %d, obj ",
- fb->base.width,
- fb->base.height,
- fb->base.depth,
- fb->base.bits_per_pixel,
- fb->base.modifier[0],
- atomic_read(&fb->base.refcount.refcount));
- describe_obj(m, fb->obj);
- seq_putc(m, '\n');
+ if (ifbdev) {
+ fb = to_intel_framebuffer(ifbdev->helper.fb);
+
+ seq_printf(m, "fbcon size: %d x %d, depth %d, %d bpp, modifier 0x%llx, refcount %d, obj ",
+ fb->base.width,
+ fb->base.height,
+ fb->base.depth,
+ fb->base.bits_per_pixel,
+ fb->base.modifier[0],
+ atomic_read(&fb->base.refcount.refcount));
+ describe_obj(m, fb->obj);
+ seq_putc(m, '\n');
+ }
 #endif

 mutex_lock(&dev->mode_config.fb_lock);
diff --git a/drivers/gpu/drm/i915/intel_dp_mst.c b/drivers/gpu/drm/i915/intel_dp_mst.c
index 9d8a5b4..8c4e7df 100644
--- a/drivers/gpu/drm/i915/intel_dp_mst.c
+++ b/drivers/gpu/drm/i915/intel_dp_mst.c
@@ -408,7 +408,10 @@ static void intel_connector_add_to_fbdev(struct intel_connector *connector)
 {
 #ifdef CONFIG_DRM_FBDEV_EMULATION
 struct drm_i915_private *dev_priv = to_i915(connector->base.dev);
- drm_fb_helper_add_one_connector(&dev_priv->fbdev->helper, &connector->base);
+
+ if (dev_priv->fbdev)
+ drm_fb_helper_add_one_connector(&dev_priv->fbdev->helper,
+ &connector->base);
 #endif
 }
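Review bot: The new `if (ifbdev)` guard in i915_gem_framebuffer_info() covers only the outer pointer; `ifbdev->helper.fb` is still converted and dereferenced unconditionally (`fb->base.width`, `fb->obj`). The commit message states that a failed intelfb_create() can leave the framebuffer pointers NULL, and nothing in the hunk shows that `dev_priv->fbdev` has already been cleared whenever this debugfs file is read, so a read that lands before teardown has run would presumably still oops. Tightening the condition to `if (ifbdev && ifbdev->helper.fb) {` closes that gap at no cost. The function starts before and continues after the hunk, so any locking around the `dev_priv->fbdev` read cannot be confirmed from here.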
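Review bot: In intel_connector_add_to_fbdev() the pointer `dev_priv->fbdev` is fetched twice, once in the check and again in `&dev_priv->fbdev->helper`, with no lock visible in the hunk; the -416 hunk for intel_connector_remove_from_fbdev() has the same shape. If intel_fbdev_fini() can clear the pointer while an MST connector is being registered or unregistered (not determinable from these lines), the second fetch can still see NULL. Reading it once into a local, `struct intel_fbdev *ifbdev = dev_priv->fbdev;` followed by `if (ifbdev) drm_fb_helper_add_one_connector(&ifbdev->helper, &connector->base);`, removes the double fetch, and a comment such as `/* fbdev is NULL if fbdev initialization failed */` would record why the check exists. A local does not help if the ifbdev itself is freed on teardown; that depends on synchronisation outside this hunk.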
@@ -416,7 +419,10 @@ static void intel_connector_remove_from_fbdev(struct intel_connector *connector)
 {
 #ifdef CONFIG_DRM_FBDEV_EMULATION
 struct drm_i915_private *dev_priv = to_i915(connector->base.dev);
- drm_fb_helper_remove_one_connector(&dev_priv->fbdev->helper, &connector->base);
+
+ if (dev_priv->fbdev)
+ drm_fb_helper_remove_one_connector(&dev_priv->fbdev->helper,
+ &connector->base);
 #endif
 }

diff --git a/drivers/gpu/drm/i915/intel_fbdev.c b/drivers/gpu/drm/i915/intel_fbdev.c
index cd345c5..7ccde58 100644
--- a/drivers/gpu/drm/i915/intel_fbdev.c
+++ b/drivers/gpu/drm/i915/intel_fbdev.c
@@ -530,8 +530,10 @@ static void intel_fbdev_destroy(struct drm_device *dev,

 drm_fb_helper_fini(&ifbdev->helper);

- drm_framebuffer_unregister_private(&ifbdev->fb->base);
- drm_framebuffer_remove(&ifbdev->fb->base);
+ if (ifbdev->fb) {
+ drm_framebuffer_unregister_private(&ifbdev->fb->base);
+ drm_framebuffer_remove(&ifbdev->fb->base);
+ }
 }

 /*
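Review bot: The `if (ifbdev->fb)` guard added to intel_fbdev_destroy() carries no comment saying when the pointer is NULL, and someone reading the file later will not have the commit message at hand; `/* fb is NULL if intelfb_create() failed */` above the check would preserve that. The commit message also lists `ifbdev->fb->obj` as possibly NULL, and whether the path behind `drm_framebuffer_remove()` tolerates a framebuffer without an object is not visible in this hunk, so that is worth confirming. The function begins above the hunk, so the handling of `ifbdev->helper.fbdev` mentioned in the message cannot be checked here.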
intelfb_create() is called once on driver initialization. If it fails, ifbdev->helper.fbdev, ifbdev->fb or ifbdev->fb->obj may be NULL. Further up in the call stack, intel_fbdev_initial_config() calls intel_fbdev_fini() to tear down the ifbdev on failure. This calls intel_fbdev_destroy() which dereferences ifbdev->fb. Fix the ensuing oops. Also check in these functions if ifbdev is not NULL to avoid oops: i915_gem_framebuffer_info() is called on access to debugfs file "i915_gem_framebuffer" and dereferences ifbdev, ifbdev->helper.fb and ifbdev->helper.fb->obj. intel_connector_add_to_fbdev() / intel_connector_remove_from_fbdev() are called when registering / unregistering an mst connector and dereference ifbdev. v3: Drop additional null pointer checks in intel_fbdev_set_suspend(), intel_fbdev_output_poll_changed() and intel_fbdev_restore_mode() since they already check if ifbdev is not NULL, which is sufficient now that intel_fbdev_fini() is called on initialization failure. (Requested by Daniel Vetter <daniel.vetter@ffwll.ch>) Signed-off-by: Lukas Wunner <lukas@wunner.de> --- drivers/gpu/drm/i915/i915_debugfs.c | 24 +++++++++++++----------- drivers/gpu/drm/i915/intel_dp_mst.c | 10 ++++++++-- drivers/gpu/drm/i915/intel_fbdev.c | 6 ++++-- 3 files changed, 25 insertions(+), 15 deletions(-)