From mboxrd@z Thu Jan  1 00:00:00 1970
From: Jesse Barnes <jbarnes@virtuousgeek.org>
Subject: Re: [RFC 04/44] drm/i915: Fix null pointer dereference
 in error capture
Date: Mon, 30 Jun 2014 14:40:05 -0700
Message-ID: <20140630144005.65c7c48d@jbarnes-desktop>
References: <1403803475-16337-1-git-send-email-John.C.Harrison@Intel.com>
 <1403803475-16337-5-git-send-email-John.C.Harrison@Intel.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path: <intel-gfx-bounces@lists.freedesktop.org>
Received: from mail-pd0-f182.google.com (mail-pd0-f182.google.com
 [209.85.192.182])
 by gabe.freedesktop.org (Postfix) with ESMTP id 7E36F6E0D6
 for <Intel-GFX@lists.freedesktop.org>; Mon, 30 Jun 2014 14:39:24 -0700 (PDT)
Received: by mail-pd0-f182.google.com with SMTP id y13so8911036pdi.13
 for <Intel-GFX@lists.freedesktop.org>; Mon, 30 Jun 2014 14:39:24 -0700 (PDT)
In-Reply-To: <1403803475-16337-5-git-send-email-John.C.Harrison@Intel.com>
List-Unsubscribe: <http://lists.freedesktop.org/mailman/options/intel-gfx>,
 <mailto:intel-gfx-request@lists.freedesktop.org?subject=unsubscribe>
List-Archive: <http://lists.freedesktop.org/archives/intel-gfx>
List-Post: <mailto:intel-gfx@lists.freedesktop.org>
List-Help: <mailto:intel-gfx-request@lists.freedesktop.org?subject=help>
List-Subscribe: <http://lists.freedesktop.org/mailman/listinfo/intel-gfx>,
 <mailto:intel-gfx-request@lists.freedesktop.org?subject=subscribe>
Errors-To: intel-gfx-bounces@lists.freedesktop.org
Sender: "Intel-gfx" <intel-gfx-bounces@lists.freedesktop.org>
To: John.C.Harrison@Intel.com
Cc: Intel-GFX@lists.freedesktop.org
List-Id: intel-gfx@lists.freedesktop.org

On Thu, 26 Jun 2014 18:23:55 +0100
John.C.Harrison@Intel.com wrote:

> From: John Harrison <John.C.Harrison@Intel.com>
> 
> The i915_gem_record_rings() code was unconditionally querying and saving state
> for the batch_obj of a request structure. This is not necessarily set. Thus a
> null pointer dereference can occur.
> ---
>  drivers/gpu/drm/i915/i915_gpu_error.c |   13 +++++++------
>  1 file changed, 7 insertions(+), 6 deletions(-)
> 
> diff --git a/drivers/gpu/drm/i915/i915_gpu_error.c b/drivers/gpu/drm/i915/i915_gpu_error.c
> index 87ec60e..0738f21 100644
> --- a/drivers/gpu/drm/i915/i915_gpu_error.c
> +++ b/drivers/gpu/drm/i915/i915_gpu_error.c
> @@ -902,12 +902,13 @@ static void i915_gem_record_rings(struct drm_device *dev,
>  			 * as the simplest method to avoid being overwritten
>  			 * by userspace.
>  			 */
> -			error->ring[i].batchbuffer =
> -				i915_error_object_create(dev_priv,
> -							 request->batch_obj,
> -							 request->ctx ?
> -							 request->ctx->vm :
> -							 &dev_priv->gtt.base);
> +			if(request->batch_obj)
> +				error->ring[i].batchbuffer =
> +					i915_error_object_create(dev_priv,
> +								 request->batch_obj,
> +								 request->ctx ?
> +								 request->ctx->vm :
> +								 &dev_priv->gtt.base);
>  
>  			if (HAS_BROKEN_CS_TLB(dev_priv->dev) &&
>  			    ring->scratch.obj)

Reviewed-by: Jesse Barnes <jbarnes@virtuosugeek.org>

-- 
Jesse Barnes, Intel Open Source Technology Center