Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 6402c330 authored Oct 31, 2014 by John Harrison Committed by Daniel Vetter Nov 04, 2014

drm/i915: Fix null pointer dereference in ring cleanup code

If a ring failed to initialise for any reason then the error path would try to
clean up all rings including those that had not yet been allocated. The ring
clean up code did a check that the ring was valid before starting its work.
Unfortunately, that was after it had already dereferenced the ring to obtain a
dev_private pointer.

Signed-off-by: John Harrison <John.C.Harrison@Intel.com>
Reviewed-by: Damien Lespiau <damien.lespiau@intel.com>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>

parent c883ef1b

drivers/gpu/drm/i915/intel_lrc.c

+3 −1

Original line number	Diff line number	Diff line
		@@ -1214,11 +1214,13 @@ static int gen8_emit_request(struct intel_ringbuffer *ringbuf)
		*/
		void intel_logical_ring_cleanup(struct intel_engine_cs *ring)
		{
		struct drm_i915_private *dev_priv = ring->dev->dev_private;
		struct drm_i915_private *dev_priv;

		if (!intel_ring_initialized(ring))
		return;

		dev_priv = ring->dev->dev_private;

		intel_logical_ring_stop(ring);
		WARN_ON((I915_READ_MODE(ring) & MODE_IDLE) == 0);
		ring->preallocated_lazy_request = NULL;

drivers/gpu/drm/i915/intel_ringbuffer.c

+5 −2

Original line number	Diff line number	Diff line
		@@ -1845,12 +1845,15 @@ static int intel_init_ring_buffer(struct drm_device *dev,

		void intel_cleanup_ring_buffer(struct intel_engine_cs *ring)
		{
		struct drm_i915_private *dev_priv = to_i915(ring->dev);
		struct intel_ringbuffer *ringbuf = ring->buffer;
		struct drm_i915_private *dev_priv;
		struct intel_ringbuffer *ringbuf;

		if (!intel_ring_initialized(ring))
		return;

		dev_priv = to_i915(ring->dev);
		ringbuf = ring->buffer;

		intel_stop_ring_buffer(ring);
		WARN_ON(!IS_GEN2(ring->dev) && (I915_READ_MODE(ring) & MODE_IDLE) == 0);