[Intel-gfx] [PATCH] drm/i915: Avoid drm_atomic_state_put(NULL) on error paths

Wed, 18 Jan 2017 04:34:55 -0800 

The error paths in hsw_trans_edp_pipe_A_crc_wa() and
intel_prepare_reset() would potentially call drm_atomic_state_put with a
NULL state, which would lead to a NULL pointer dereference.

Found by coverity.

v2: Improve the error paths. (Chris)

Fixes: 0853695c3ba4 ("drm: Add reference counting to drm_atomic_state")
Cc: Chris Wilson <[email protected]>
Cc: Daniel Vetter <[email protected]>
Cc: <[email protected]> # v4.10-rc1+
Signed-off-by: Ander Conselvan de Oliveira 
<[email protected]>
---
 drivers/gpu/drm/i915/intel_display.c  | 10 +++-------
 drivers/gpu/drm/i915/intel_pipe_crc.c | 10 ++++++----
 2 files changed, 9 insertions(+), 11 deletions(-)

diff --git a/drivers/gpu/drm/i915/intel_display.c 
b/drivers/gpu/drm/i915/intel_display.c
index 8aca92b..0d055e8 100644
--- a/drivers/gpu/drm/i915/intel_display.c
+++ b/drivers/gpu/drm/i915/intel_display.c
@@ -3561,23 +3561,19 @@ void intel_prepare_reset(struct drm_i915_private 
*dev_priv)
        state = drm_atomic_helper_duplicate_state(dev, ctx);
        if (IS_ERR(state)) {
                ret = PTR_ERR(state);
-               state = NULL;
                DRM_ERROR("Duplicating state failed with %i\n", ret);
-               goto err;
+               return;
        }
 
        ret = drm_atomic_helper_disable_all(dev, ctx);
        if (ret) {
                DRM_ERROR("Suspending crtc's failed with %i\n", ret);
-               goto err;
+               drm_atomic_state_put(state);
+               return;
        }
 
        dev_priv->modeset_restore_state = state;
        state->acquire_ctx = ctx;
-       return;
-
-err:
-       drm_atomic_state_put(state);
 }
 
 void intel_finish_reset(struct drm_i915_private *dev_priv)
diff --git a/drivers/gpu/drm/i915/intel_pipe_crc.c 
b/drivers/gpu/drm/i915/intel_pipe_crc.c
index 0f1da81..c0b1f99 100644
--- a/drivers/gpu/drm/i915/intel_pipe_crc.c
+++ b/drivers/gpu/drm/i915/intel_pipe_crc.c
@@ -560,14 +560,14 @@ static void hsw_trans_edp_pipe_A_crc_wa(struct 
drm_i915_private *dev_priv,
        state = drm_atomic_state_alloc(dev);
        if (!state) {
                ret = -ENOMEM;
-               goto out;
+               goto unlock;
        }
 
        state->acquire_ctx = drm_modeset_legacy_acquire_ctx(&crtc->base);
        pipe_config = intel_atomic_get_crtc_state(state, crtc);
        if (IS_ERR(pipe_config)) {
                ret = PTR_ERR(pipe_config);
-               goto out;
+               goto put_state;
        }
 
        pipe_config->pch_pfit.force_thru = enable;
@@ -576,10 +576,12 @@ static void hsw_trans_edp_pipe_A_crc_wa(struct 
drm_i915_private *dev_priv,
                pipe_config->base.connectors_changed = true;
 
        ret = drm_atomic_commit(state);
-out:
+
+put_state:
+       drm_atomic_state_put(state);
+unlock:
        WARN(ret, "Toggling workaround to %i returns %i\n", enable, ret);
        drm_modeset_unlock_all(dev);
-       drm_atomic_state_put(state);
 }
 
 static int ivb_pipe_crc_ctl_reg(struct drm_i915_private *dev_priv,
-- 
2.5.5

_______________________________________________
Intel-gfx mailing list
[email protected]
https://lists.freedesktop.org/mailman/listinfo/intel-gfx

Reply via email to