NULL pointer dereference in i915_gem_request_alloc()

From: vcaputo@pengaru.com
To: chris@chris-wilson.co.uk
Cc: dri-devel@lists.freedesktop.org
Subject: NULL pointer dereference in i915_gem_request_alloc()
Date: Sun, 1 Jan 2017 15:16:31 -0600	[thread overview]
Message-ID: <20170101211631.GA26952@shells.gnugeneration.com> (raw)

Hi Chris,

I've uncovered a bug in i915_gem_request_alloc():
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/drivers/gpu/drm/i915/i915_gem_request.c?h=v4.9#n425

ctx here may be NULL, and i915_gem_context_get() is unconditionally
adding a reference to the supplied ctx, which makes things go boom when
NULL.

This happens for me in practice via:
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/drivers/gpu/drm/i915/intel_display.c?h=v4.9#n12317

It appears engine->last_context may be NULL.

The comment heading i915_gem_request_alloc() states that ctx shall be
NULL and that an appropriate context will be chosen automatically.  This
is not what is currently implemented.

My reproducer is an unaccelerated drm graphics toy which just sets a
mode and submits page flips using dumb buffers.  If I start Xorg first,
the bug doesn't trigger, presumably because engine->last_context gets
initialized.  But running the toy from the console immediately after
booting without starting Xorg, i915 explodes.

I would have only mailed dri-devel but my last email there seems to be
lost in a moderation queue, and I'd rather not subscribe to another
relatively high-volume list.  I've CC'd the list just in case it gets
through.

Thanks,
Vito Caputo
_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel