diff options
| author | Alexey Khoroshilov <khoroshilov@ispras.ru> | 2014-02-28 16:20:18 -0500 |
|---|---|---|
| committer | Thomas Hellstrom <thellstrom@vmware.com> | 2014-03-02 03:49:59 -0500 |
| commit | 6950e23e54b1c94abf8c60c1ddfac79133d41de2 (patch) | |
| tree | 47bc913f53068c5f33a867fce9a0251544766aad /drivers/gpu | |
| parent | a34417f6be521d1027b803f0b550ce622c971f41 (diff) | |
drm/vmwgfx: avoid null pointer dereference at failure paths
vmw_takedown_otable_base() and vmw_mob_unbind() check for
potential vmw_fifo_reserve() failure and print error message,
but then immediately dereference NULL pointer.
Found by Linux Driver Verification project (linuxtesting.org).
Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
Reviewed-by: Thomas Hellstrom <thellstrom@vmware.com>
Diffstat (limited to 'drivers/gpu')
| -rw-r--r-- | drivers/gpu/drm/vmwgfx/vmwgfx_mob.c | 35 |
1 files changed, 19 insertions, 16 deletions
diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_mob.c b/drivers/gpu/drm/vmwgfx/vmwgfx_mob.c index d4a5a19cb8c3..04a64b8cd3cd 100644 --- a/drivers/gpu/drm/vmwgfx/vmwgfx_mob.c +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_mob.c | |||
| @@ -188,18 +188,20 @@ static void vmw_takedown_otable_base(struct vmw_private *dev_priv, | |||
| 188 | 188 | ||
| 189 | bo = otable->page_table->pt_bo; | 189 | bo = otable->page_table->pt_bo; |
| 190 | cmd = vmw_fifo_reserve(dev_priv, sizeof(*cmd)); | 190 | cmd = vmw_fifo_reserve(dev_priv, sizeof(*cmd)); |
| 191 | if (unlikely(cmd == NULL)) | 191 | if (unlikely(cmd == NULL)) { |
| 192 | DRM_ERROR("Failed reserving FIFO space for OTable setup.\n"); | 192 | DRM_ERROR("Failed reserving FIFO space for OTable " |
| 193 | 193 | "takedown.\n"); | |
| 194 | memset(cmd, 0, sizeof(*cmd)); | 194 | } else { |
| 195 | cmd->header.id = SVGA_3D_CMD_SET_OTABLE_BASE; | 195 | memset(cmd, 0, sizeof(*cmd)); |
| 196 | cmd->header.size = sizeof(cmd->body); | 196 | cmd->header.id = SVGA_3D_CMD_SET_OTABLE_BASE; |
| 197 | cmd->body.type = type; | 197 | cmd->header.size = sizeof(cmd->body); |
| 198 | cmd->body.baseAddress = 0; | 198 | cmd->body.type = type; |
| 199 | cmd->body.sizeInBytes = 0; | 199 | cmd->body.baseAddress = 0; |
| 200 | cmd->body.validSizeInBytes = 0; | 200 | cmd->body.sizeInBytes = 0; |
| 201 | cmd->body.ptDepth = SVGA3D_MOBFMT_INVALID; | 201 | cmd->body.validSizeInBytes = 0; |
| 202 | vmw_fifo_commit(dev_priv, sizeof(*cmd)); | 202 | cmd->body.ptDepth = SVGA3D_MOBFMT_INVALID; |
| 203 | vmw_fifo_commit(dev_priv, sizeof(*cmd)); | ||
| 204 | } | ||
| 203 | 205 | ||
| 204 | if (bo) { | 206 | if (bo) { |
| 205 | int ret; | 207 | int ret; |
| @@ -562,11 +564,12 @@ void vmw_mob_unbind(struct vmw_private *dev_priv, | |||
| 562 | if (unlikely(cmd == NULL)) { | 564 | if (unlikely(cmd == NULL)) { |
| 563 | DRM_ERROR("Failed reserving FIFO space for Memory " | 565 | DRM_ERROR("Failed reserving FIFO space for Memory " |
| 564 | "Object unbinding.\n"); | 566 | "Object unbinding.\n"); |
| 567 | } else { | ||
| 568 | cmd->header.id = SVGA_3D_CMD_DESTROY_GB_MOB; | ||
| 569 | cmd->header.size = sizeof(cmd->body); | ||
| 570 | cmd->body.mobid = mob->id; | ||
| 571 | vmw_fifo_commit(dev_priv, sizeof(*cmd)); | ||
| 565 | } | 572 | } |
| 566 | cmd->header.id = SVGA_3D_CMD_DESTROY_GB_MOB; | ||
| 567 | cmd->header.size = sizeof(cmd->body); | ||
| 568 | cmd->body.mobid = mob->id; | ||
| 569 | vmw_fifo_commit(dev_priv, sizeof(*cmd)); | ||
| 570 | if (bo) { | 573 | if (bo) { |
| 571 | vmw_fence_single_bo(bo, NULL); | 574 | vmw_fence_single_bo(bo, NULL); |
| 572 | ttm_bo_unreserve(bo); | 575 | ttm_bo_unreserve(bo); |