From mboxrd@z Thu Jan  1 00:00:00 1970
From: Chris Wilson <chris@chris-wilson.co.uk>
Subject: Re: [RFC 04/44] drm/i915: Fix null pointer dereference
 in error capture
Date: Tue, 1 Jul 2014 08:12:11 +0100
Message-ID: <20140701071211.GC17834@nuc-i3427.alporthouse.com>
References: <1403803475-16337-1-git-send-email-John.C.Harrison@Intel.com>
 <1403803475-16337-5-git-send-email-John.C.Harrison@Intel.com>
 <20140630144005.65c7c48d@jbarnes-desktop>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path: <intel-gfx-bounces@lists.freedesktop.org>
Received: from fireflyinternet.com (mail.fireflyinternet.com [87.106.93.118])
 by gabe.freedesktop.org (Postfix) with ESMTP id 3AE356E51B
 for <Intel-GFX@lists.freedesktop.org>; Tue,  1 Jul 2014 00:12:16 -0700 (PDT)
Content-Disposition: inline
In-Reply-To: <20140630144005.65c7c48d@jbarnes-desktop>
List-Unsubscribe: <http://lists.freedesktop.org/mailman/options/intel-gfx>,
 <mailto:intel-gfx-request@lists.freedesktop.org?subject=unsubscribe>
List-Archive: <http://lists.freedesktop.org/archives/intel-gfx>
List-Post: <mailto:intel-gfx@lists.freedesktop.org>
List-Help: <mailto:intel-gfx-request@lists.freedesktop.org?subject=help>
List-Subscribe: <http://lists.freedesktop.org/mailman/listinfo/intel-gfx>,
 <mailto:intel-gfx-request@lists.freedesktop.org?subject=subscribe>
Errors-To: intel-gfx-bounces@lists.freedesktop.org
Sender: "Intel-gfx" <intel-gfx-bounces@lists.freedesktop.org>
To: Jesse Barnes <jbarnes@virtuousgeek.org>
Cc: Intel-GFX@lists.freedesktop.org
List-Id: intel-gfx@lists.freedesktop.org

On Mon, Jun 30, 2014 at 02:40:05PM -0700, Jesse Barnes wrote:
> On Thu, 26 Jun 2014 18:23:55 +0100
> John.C.Harrison@Intel.com wrote:
> 
> > From: John Harrison <John.C.Harrison@Intel.com>
> > 
> > The i915_gem_record_rings() code was unconditionally querying and saving state
> > for the batch_obj of a request structure. This is not necessarily set. Thus a
> > null pointer dereference can occur.
> > ---
> >  drivers/gpu/drm/i915/i915_gpu_error.c |   13 +++++++------
> >  1 file changed, 7 insertions(+), 6 deletions(-)
> > 
> > diff --git a/drivers/gpu/drm/i915/i915_gpu_error.c b/drivers/gpu/drm/i915/i915_gpu_error.c
> > index 87ec60e..0738f21 100644
> > --- a/drivers/gpu/drm/i915/i915_gpu_error.c
> > +++ b/drivers/gpu/drm/i915/i915_gpu_error.c
> > @@ -902,12 +902,13 @@ static void i915_gem_record_rings(struct drm_device *dev,
> >  			 * as the simplest method to avoid being overwritten
> >  			 * by userspace.
> >  			 */
> > -			error->ring[i].batchbuffer =
> > -				i915_error_object_create(dev_priv,
> > -							 request->batch_obj,
> > -							 request->ctx ?
> > -							 request->ctx->vm :
> > -							 &dev_priv->gtt.base);
> > +			if(request->batch_obj)
> > +				error->ring[i].batchbuffer =
> > +					i915_error_object_create(dev_priv,
> > +								 request->batch_obj,
> > +								 request->ctx ?
> > +								 request->ctx->vm :
> > +								 &dev_priv->gtt.base);
> >  
> >  			if (HAS_BROKEN_CS_TLB(dev_priv->dev) &&
> >  			    ring->scratch.obj)
> 
> Reviewed-by: Jesse Barnes <jbarnes@virtuosugeek.org>

Nah, put the NULL check into the macro. i915_error_object_create() was
originally written as a no-op on NULL pointers for cleanliness, we may
as well do the check centrally and remove the extras we have grown.
-Chris

-- 
Chris Wilson, Intel Open Source Technology Centre