From mboxrd@z Thu Jan  1 00:00:00 1970
From: Ben Widawsky <ben@bwidawsk.net>
Subject: [penguin-kernel@I-love.SAKURA.ne.jp: [PATCH] drm/i915:
 Fix refcount leak and possible NULL pointer dereference.]
Date: Tue, 24 Dec 2013 09:51:24 -0800
Message-ID: <20131224175124.GA13719@bwidawsk.net>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path: <intel-gfx-bounces@lists.freedesktop.org>
Received: from mail.bwidawsk.net (bwidawsk.net [166.78.191.112])
	by gabe.freedesktop.org (Postfix) with ESMTP id 37DD9FA583
	for <intel-gfx@lists.freedesktop.org>;
	Tue, 24 Dec 2013 09:51:27 -0800 (PST)
Received: from bwidawsk.net (jfdmzpr03-ext.jf.intel.com [134.134.139.72])
	by mail.bwidawsk.net (Postfix) with ESMTPSA id 5B8CD4A6CA
	for <intel-gfx@lists.freedesktop.org>;
	Tue, 24 Dec 2013 09:51:26 -0800 (PST)
Content-Disposition: inline
List-Unsubscribe: <http://lists.freedesktop.org/mailman/options/intel-gfx>,
	<mailto:intel-gfx-request@lists.freedesktop.org?subject=unsubscribe>
List-Archive: <http://lists.freedesktop.org/archives/intel-gfx>
List-Post: <mailto:intel-gfx@lists.freedesktop.org>
List-Help: <mailto:intel-gfx-request@lists.freedesktop.org?subject=help>
List-Subscribe: <http://lists.freedesktop.org/mailman/listinfo/intel-gfx>,
	<mailto:intel-gfx-request@lists.freedesktop.org?subject=subscribe>
Sender: intel-gfx-bounces@lists.freedesktop.org
Errors-To: intel-gfx-bounces@lists.freedesktop.org
To: Intel GFX <intel-gfx@lists.freedesktop.org>
List-Id: intel-gfx@lists.freedesktop.org

----- Forwarded message from Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> -----

Date: Tue, 24 Dec 2013 20:50:23 +0900
From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
To: chris@chris-wilson.co.uk, ben@bwidawsk.net, daniel.vetter@ffwll.ch
Cc: linux-kernel@vger.kernel.org
Subject: [PATCH] drm/i915: Fix refcount leak and possible NULL pointer dereference.
Message-Id: <201312242050.CGH78112.JQFOSVMLOFtHOF@I-love.SAKURA.ne.jp>

>>From 482be6384379072eb4c0d45d0ab8a25df4f59ed7 Mon Sep 17 00:00:00 2001
From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Date: Tue, 24 Dec 2013 18:04:14 +0900
Subject: [PATCH] drm/i915: Fix refcount leak and possible NULL pointer dereference.

Since get_pid_task() grabs a reference on the task_struct, we have to drop the
refcount after reading that task's comm name. Also, directly reading like
get_pid_task()->comm can trigger an oops when get_pid_task() returned NULL.

This patch fixes both problems.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
---
 drivers/gpu/drm/i915/i915_debugfs.c |   11 ++++++++++-
 1 files changed, 10 insertions(+), 1 deletions(-)

diff --git a/drivers/gpu/drm/i915/i915_debugfs.c b/drivers/gpu/drm/i915/i915_debugfs.c
index 6ed45a9..d0a8e0a 100644
--- a/drivers/gpu/drm/i915/i915_debugfs.c
+++ b/drivers/gpu/drm/i915/i915_debugfs.c
@@ -406,11 +406,20 @@ static int i915_gem_object_info(struct seq_file *m, void* data)
 	seq_putc(m, '\n');
 	list_for_each_entry_reverse(file, &dev->filelist, lhead) {
 		struct file_stats stats;
+		struct task_struct *task;
+		char name[TASK_COMM_LEN];
 
 		memset(&stats, 0, sizeof(stats));
 		idr_for_each(&file->object_idr, per_file_stats, &stats);
+		task = get_pid_task(file->pid, PIDTYPE_PID);
+		if (task) {
+			get_task_comm(name, task);
+			put_task_struct(task);
+		} else {
+			strlcpy(name, "<unknown>", sizeof(name));
+		}
 		seq_printf(m, "%s: %u objects, %zu bytes (%zu active, %zu inactive, %zu unbound)\n",
-			   get_pid_task(file->pid, PIDTYPE_PID)->comm,
+			   name,
 			   stats.count,
 			   stats.total,
 			   stats.active,
-- 
1.7.1

----- End forwarded message -----

-- 
Ben Widawsky, Intel Open Source Technology Center