From mboxrd@z Thu Jan 1 00:00:00 1970
From: Dan Carpenter
Date: Thu, 28 Jan 2016 09:06:46 +0000
Subject: [patch] drm/vmwgfx: fix a NULL dereference
Message-Id: <20160128090646.GA5824@mwanda>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
To: David Airlie, Daniel Vetter
Cc: Thomas Hellstrom, Daniel Stone, kernel-janitors@vger.kernel.org, linux-kernel@vger.kernel.org, dri-devel@lists.freedesktop.org, Alex Deucher

We dereference "eaction->event" inside the call to drm_send_event_locked() so should hold off on setting it to NULL until afterward.

Fixes: fb740cf2492c ("drm: Create drm_send_event helpers")
Signed-off-by: Dan Carpenter

diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_fence.c b/drivers/gpu/drm/vmwgfx/vmwgfx_fence.c index e0edf14..37c305b 100644 --- a/drivers/gpu/drm/vmwgfx/vmwgfx_fence.c +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_fence.c @@ -880,8 +880,8 @@ static void vmw_event_fence_action_seq_passed(struct vmw_fence_action *action) } list_del_init(&eaction->fpriv_head); - eaction->event = NULL; drm_send_event_locked(dev, eaction->event); + eaction->event = NULL; spin_unlock_irqrestore(&dev->event_lock, irq_flags); }
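Review bot: the order of the two statements between list_del_init() and spin_unlock_irqrestore() is now what keeps this path correct, and nothing in the code records that, so a later cleanup could move the clear back above the call as the original did. A one-line comment above drm_send_event_locked(dev, eaction->event) saying the pointer must stay valid until the helper returns would guard against that; alternatively, read eaction->event into a local, clear the field, and pass the local, which makes the dependency explicit. The changelog could also state the impact: the removed line ran unconditionally, so every pass through vmw_event_fence_action_seq_passed() handed NULL to the helper, which is useful context for anyone deciding whether to backport alongside the commit named in the Fixes: tag.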