Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 54632abe authored by Lukas Wunner's avatar Lukas Wunner Committed by Daniel Vetter
Browse files

drm/i915: Fix oops caused by fbdev initialization failure 



intelfb_create() is called once on driver initialization. If it fails,
ifbdev->helper.fbdev, ifbdev->fb or ifbdev->fb->obj may be NULL.

Further up in the call stack, intel_fbdev_initial_config() calls
intel_fbdev_fini() to tear down the ifbdev on failure. This calls
intel_fbdev_destroy() which dereferences ifbdev->fb. Fix the ensuing
oops.

Also check in these functions if ifbdev is not NULL to avoid oops:

i915_gem_framebuffer_info() is called on access to debugfs file
"i915_gem_framebuffer" and dereferences ifbdev, ifbdev->helper.fb
and ifbdev->helper.fb->obj.

intel_connector_add_to_fbdev() / intel_connector_remove_from_fbdev()
are called when registering / unregistering an mst connector and
dereference ifbdev.

v3: Drop additional null pointer checks in intel_fbdev_set_suspend(),
    intel_fbdev_output_poll_changed() and intel_fbdev_restore_mode()
    since they already check if ifbdev is not NULL, which is sufficient
    now that intel_fbdev_fini() is called on initialization failure.
    (Requested by Daniel Vetter <daniel.vetter@ffwll.ch>)

Signed-off-by: default avatarLukas Wunner <lukas@wunner.de>
Link: http://patchwork.freedesktop.org/patch/msgid/d05f0edf121264a9d0adb8ca713fd8cc4ae068bf.1447938059.git.lukas@wunner.de


Signed-off-by: default avatarDaniel Vetter <daniel.vetter@ffwll.ch>
parent ce7f1728

drivers/gpu/drm/i915/i915_debugfs.c

+13 −11
Original line number Diff line number Diff line
@@ -1878,6 +1878,7 @@ static int i915_gem_framebuffer_info(struct seq_file *m, void *data) 
	struct drm_i915_private *dev_priv = dev->dev_private;



	ifbdev = dev_priv->fbdev;

	if (ifbdev) {

		fb = to_intel_framebuffer(ifbdev->helper.fb);



		seq_printf(m, "fbcon size: %d x %d, depth %d, %d bpp, modifier 0x%llx, refcount %d, obj ",
@@ -1889,6 +1890,7 @@ static int i915_gem_framebuffer_info(struct seq_file *m, void *data) 
			   atomic_read(&fb->base.refcount.refcount));

		describe_obj(m, fb->obj);

		seq_putc(m, '\n');

	}

#endif



	mutex_lock(&dev->mode_config.fb_lock);

drivers/gpu/drm/i915/intel_dp_mst.c

+8 −2
Original line number Diff line number Diff line
@@ -408,7 +408,10 @@ static void intel_connector_add_to_fbdev(struct intel_connector *connector) 
{

#ifdef CONFIG_DRM_FBDEV_EMULATION

	struct drm_i915_private *dev_priv = to_i915(connector->base.dev);

	drm_fb_helper_add_one_connector(&dev_priv->fbdev->helper, &connector->base);



	if (dev_priv->fbdev)

		drm_fb_helper_add_one_connector(&dev_priv->fbdev->helper,

						&connector->base);

#endif

}
@@ -416,7 +419,10 @@ static void intel_connector_remove_from_fbdev(struct intel_connector *connector) 
{

#ifdef CONFIG_DRM_FBDEV_EMULATION

	struct drm_i915_private *dev_priv = to_i915(connector->base.dev);

	drm_fb_helper_remove_one_connector(&dev_priv->fbdev->helper, &connector->base);



	if (dev_priv->fbdev)

		drm_fb_helper_remove_one_connector(&dev_priv->fbdev->helper,

						   &connector->base);

#endif

}

drivers/gpu/drm/i915/intel_fbdev.c

+4 −2
Original line number Diff line number Diff line
@@ -529,9 +529,11 @@ static void intel_fbdev_destroy(struct drm_device *dev, 


	drm_fb_helper_fini(&ifbdev->helper);



	if (ifbdev->fb) {

		drm_framebuffer_unregister_private(&ifbdev->fb->base);

		drm_framebuffer_remove(&ifbdev->fb->base);

	}

}



/*

 * Build an intel_fbdev struct using a BIOS allocated framebuffer, if possible.