4.14-stable patches

added patches:
	drm-vc4-fix-null-pointer-dereference-in-vc4_save_hang_state.patch

diff --git a/queue-4.14/drm-vc4-fix-null-pointer-dereference-in-vc4_save_hang_state.patch b/queue-4.14/drm-vc4-fix-null-pointer-dereference-in-vc4_save_hang_state.patch
new file mode 100644 (file)
index 0000000..c663cd3
--- /dev/null
+++ b/queue-4.14/drm-vc4-fix-null-pointer-dereference-in-vc4_save_hang_state.patch
@@ -0,0 +1,66 @@
+From 17b11b76b87afe9f8be199d7a5f442497133e2b0 Mon Sep 17 00:00:00 2001
+From: Boris Brezillon <boris.brezillon@free-electrons.com>
+Date: Thu, 18 Jan 2018 15:58:21 +0100
+Subject: drm/vc4: Fix NULL pointer dereference in vc4_save_hang_state()
+
+From: Boris Brezillon <boris.brezillon@free-electrons.com>
+
+commit 17b11b76b87afe9f8be199d7a5f442497133e2b0 upstream.
+
+When saving BOs in the hang state we skip one entry of the
+kernel_state->bo[] array, thus leaving it to NULL. This leads to a NULL
+pointer dereference when, later in this function, we iterate over all
+BOs to check their ->madv state.
+
+Fixes: ca26d28bbaa3 ("drm/vc4: improve throughput by pipelining binning and rendering jobs")
+Signed-off-by: Boris Brezillon <boris.brezillon@free-electrons.com>
+Signed-off-by: Eric Anholt <eric@anholt.net>
+Reviewed-by: Eric Anholt <eric@anholt.net>
+Link: https://patchwork.freedesktop.org/patch/msgid/20180118145821.22344-1-boris.brezillon@free-electrons.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/vc4/vc4_gem.c |   12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/drivers/gpu/drm/vc4/vc4_gem.c
++++ b/drivers/gpu/drm/vc4/vc4_gem.c
+@@ -146,7 +146,7 @@ vc4_save_hang_state(struct drm_device *d
+       struct vc4_exec_info *exec[2];
+       struct vc4_bo *bo;
+       unsigned long irqflags;
+-      unsigned int i, j, unref_list_count, prev_idx;
++      unsigned int i, j, k, unref_list_count;
+ 
+       kernel_state = kcalloc(1, sizeof(*kernel_state), GFP_KERNEL);
+       if (!kernel_state)
+@@ -182,24 +182,24 @@ vc4_save_hang_state(struct drm_device *d
+               return;
+       }
+ 
+-      prev_idx = 0;
++      k = 0;
+       for (i = 0; i < 2; i++) {
+               if (!exec[i])
+                       continue;
+ 
+               for (j = 0; j < exec[i]->bo_count; j++) {
+                       drm_gem_object_get(&exec[i]->bo[j]->base);
+-                      kernel_state->bo[j + prev_idx] = &exec[i]->bo[j]->base;
++                      kernel_state->bo[k++] = &exec[i]->bo[j]->base;
+               }
+ 
+               list_for_each_entry(bo, &exec[i]->unref_list, unref_head) {
+                       drm_gem_object_get(&bo->base.base);
+-                      kernel_state->bo[j + prev_idx] = &bo->base.base;
+-                      j++;
++                      kernel_state->bo[k++] = &bo->base.base;
+               }
+-              prev_idx = j + 1;
+       }
+ 
++      WARN_ON_ONCE(k != state->bo_count);
++
+       if (exec[0])
+               state->start_bin = exec[0]->ct0ca;
+       if (exec[1])

diff --git a/queue-4.14/series b/queue-4.14/series
index 97850044744cd8ed85684434210b89a23609788f..e3dae0fa7b2ca514eea557160da1b406431f5edc 100644 (file)
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -19,3 +19,4 @@ arm-net-bpf-correct-stack-layout-documentation.patch
 arm-net-bpf-fix-register-saving.patch
 arm-net-bpf-fix-ldx-instructions.patch
 arm-net-bpf-clarify-tail_call-index.patch
+drm-vc4-fix-null-pointer-dereference-in-vc4_save_hang_state.patch