From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <stable-owner@vger.kernel.org>
Received: from anholt.net ([50.246.234.109]:39830 "EHLO anholt.net"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1750837AbeAUDIy (ORCPT <rfc822;stable@vger.kernel.org>);
        Sat, 20 Jan 2018 22:08:54 -0500
From: Eric Anholt <eric@anholt.net>
To: Boris Brezillon <boris.brezillon@free-electrons.com>,
        David Airlie <airlied@linux.ie>,
        Daniel Vetter <daniel@ffwll.ch>,
        dri-devel@lists.freedesktop.org
Cc: Boris Brezillon <boris.brezillon@free-electrons.com>,
        stable@vger.kernel.org
Subject: Re: [PATCH v2] drm/vc4: Fix NULL pointer dereference in vc4_save_hang_state()
In-Reply-To: <20180118145821.22344-1-boris.brezillon@free-electrons.com>
References: <20180118145821.22344-1-boris.brezillon@free-electrons.com>
Date: Sun, 21 Jan 2018 11:08:47 +0800
Message-ID: <87h8rfx60w.fsf@anholt.net>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-=";
        micalg=pgp-sha512; protocol="application/pgp-signature"
Sender: stable-owner@vger.kernel.org
List-ID: <stable.vger.kernel.org>

--=-=-=
Content-Type: text/plain

Boris Brezillon <boris.brezillon@free-electrons.com> writes:

> When saving BOs in the hang state we skip one entry of the
> kernel_state->bo[] array, thus leaving it to NULL. This leads to a NULL
> pointer dereference when, later in this function, we iterate over all
> BOs to check their ->madv state.
>
> Fixes: ca26d28bbaa3 ("drm/vc4: improve throughput by pipelining binning and rendering jobs")
> Cc: <stable@vger.kernel.org>
> Signed-off-by: Boris Brezillon <boris.brezillon@free-electrons.com>
> ---
> Changes in v2:
> - Get rid of prev_idx an replace it by k which is indepently incremented
>   every time a new object is added to kernel_state->bo[].
> - Add a WARN_ON_ONCE() when final value of k is inconsistent

Reviewed and pushed to drm-misc-fixes back on Thursday.  Thanks!

--=-=-=
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE/JuuFDWp9/ZkuCBXtdYpNtH8nugFAlpkBEAACgkQtdYpNtH8
nuj00RAAtaBe70bDqy7CwHa2OKeXXejxxN/vzoYbPq1pGK7XRHecwyOJ0LtvCQua
09scbxGWMCCri0P+c0nEfAt67XKgxFUA95uXudk8FYeRUjsBoycVxEaGzxNu7njN
Q+O1q8U8QszEz4ueel1YThEV13r1RMjWGUtthvwGiB9H3YOROKOi7wnK7tXxi68i
8BZTdh9G1NmfiV/Buov8aFt7rZyYRQ7WVtGyuRF0kWF87SNS6tckbTrmRepPTYEV
CuaSvMra26+f3EOhqAn+9fELkDocw6LqTk2NX+bFsIUJpnanoFEXy3VqRYmGRl4V
4XyBKiN0gVeiyF63UWCY3Wf0rrdMoFjk7EuxT/W5hwzDmqCc/xJa1WylHKusoCdR
NmCdoPIG9FJnD8siVwqEfHTcrB9qfMsdA8S9Vr5aOdIqodytgC8uZnFdNjuF3wIg
Os1IlwcIXd+zwdIjY4Vj3SuEAGpv2Unl+Mte9gR1qTE2FO3p488AzF7riyhZAZX5
ZoHRqmrn2gBjKkA++1d0W1SlHAffJBaHTxqIrT8Ww+gEhIuDZzuTb3ch4OSnmV6H
addyO/YnRNx27S73acJJ8fqVc5xEFZdKACssdKJ7NQCbSQVgappxLL5vJD/J5KA1
nIt82yVKOdtg7DdbPOjyHnOZubtswBLTUxiQGsJW8fip2fYPFDE=
=TLpb
-----END PGP SIGNATURE-----
--=-=-=--