linux-kernel.vger.kernel.org archive mirror
* [PATCH] drm: stop vmgfx driver explosion
@ 2012-08-20 14:44 Alan Cox
  2012-08-20 15:04 ` Jakob Bornecrantz
  0 siblings, 1 reply; 2+ messages in thread
From: Alan Cox @ 2012-08-20 14:44 UTC
  To: dri-devel, linux-kernel

From: Alan Cox <alan@linux.intel.com>

If you do a page flip with no flags set then event is NULL. If event is
NULL then the vmw_gfx driver likes to go digging into NULL and extracts
NULL->base.file_priv.

On a modern kernel with NULL mapping protection it's just another oops,
without it there are some "intriguing" possibilities.

What it should do is an open question but that's for the driver owners to
sort out.

Signed-off-by: Alan Cox <alan@linux.intel.com>
---

 drivers/gpu/drm/vmwgfx/vmwgfx_kms.c |    6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
index 6b0078f..c50724b 100644
--- a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
@@ -1688,15 +1688,19 @@ int vmw_du_page_flip(struct drm_crtc *crtc,
 	struct vmw_private *dev_priv = vmw_priv(crtc->dev);
 	struct drm_framebuffer *old_fb = crtc->fb;
 	struct vmw_framebuffer *vfb = vmw_framebuffer_to_vfb(fb);
-	struct drm_file *file_priv = event->base.file_priv;
+	struct drm_file *file_priv ;
 	struct vmw_fence_obj *fence = NULL;
 	struct drm_clip_rect clips;
 	int ret;
 
+	if (event == NULL)
+		return -EINVAL;
+
 	/* require ScreenObject support for page flipping */
 	if (!dev_priv->sou_priv)
 		return -ENOSYS;
 
+	file_priv = event->base.file_priv;
 	if (!vmw_kms_screen_object_flippable(dev_priv, crtc))
 		return -EINVAL;
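
Review bot: The new `if (event == NULL) return -EINVAL;` check at the top of vmw_du_page_flip() makes every flip that arrives without an event fail, and the commit message says that is exactly what a flip with no flags set looks like, so the oops is traded for a refused request rather than a working event-less flip. A short comment above the check saying it is a stopgap until the driver handles a NULL event would keep it from being read as the intended behaviour. The check also sits ahead of the `!dev_priv->sou_priv` test, so a device without ScreenObject support now reports -EINVAL instead of -ENOSYS for such a flip; placing it after that test keeps the existing error code. Style: `struct drm_file *file_priv ;` has a stray space before the semicolon, and the `file_priv = event->base.file_priv;` assignment would read better directly under the NULL check, set off by a blank line, than pressed against the flippable test.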
 



* Re: [PATCH] drm: stop vmgfx driver explosion
  2012-08-20 14:44 [PATCH] drm: stop vmgfx driver explosion Alan Cox
@ 2012-08-20 15:04 ` Jakob Bornecrantz
  0 siblings, 0 replies; 2+ messages in thread
From: Jakob Bornecrantz @ 2012-08-20 15:04 UTC
  To: Alan Cox; +Cc: dri-devel, linux-kernel

----- Original Message -----
> From: Alan Cox <alan@linux.intel.com>
> 
> If you do a page flip with no flags set then event is NULL. If event
> is NULL then the vmw_gfx driver likes to go digging into NULL and
> extracts NULL->base.file_priv.
> 
> On a modern kernel with NULL mapping protection it's just another
> oops, without it there are some "intriguing" possibilities.
> 
> What it should do is an open question but that's for the driver owners
> to sort out.
> 
> Signed-off-by: Alan Cox <alan@linux.intel.com>

Thanks Alan!

Reviewed-by: Jakob Bornecrantz <jakob@vmware.com>

I think CC stable is in order.

Cheers, Jakob.
