1 From s.L-H@gmx.de Tue Apr 6 16:37:44 2010
2 From: "Stefan Lippers-Hollmann" <s.L-H@gmx.de>
3 Date: Tue, 6 Apr 2010 23:45:38 +0200
4 Subject: drm/radeon/kms: Fix NULL pointer dereference if memory allocation failed in a simple way
5
6
7 > From: Pauli Nieminen <suokkos@gmail.com>
8 > Date: Fri, 19 Mar 2010 07:44:33 +0000
9 > Subject: drm/radeon/kms: Fix NULL pointer dereference if memory allocation failed.
10 >
11 > From: Pauli Nieminen <suokkos@gmail.com>
12 >
13 > commit fcbc451ba1948fba967198bd150ecbd10bbb7075 upstream.
14 >
15 > When there is allocation failure in radeon_cs_parser_relocs parser->nrelocs
16 > is not cleaned. This causes NULL pointer dereference in radeon_cs_parser_fini
17 > when clean up code is trying to loop over the relocation array and free the
18 > objects.
19 >
20 > Fix adds a check for a possible NULL pointer in clean up code.
21 [...]
22
23 This patch breaks compiling kernel 2.6.33 + the current stable queue:
24
25 CC [M] drivers/gpu/drm/radeon/radeon_cs.o
26 /tmp/buildd/linux-sidux-2.6-2.6.33/debian/build/source_amd64_none/drivers/gpu/drm/radeon/radeon_cs.c: In function 'radeon_cs_parser_fini':
27 /tmp/buildd/linux-sidux-2.6-2.6.33/debian/build/source_amd64_none/drivers/gpu/drm/radeon/radeon_cs.c:200: error: implicit declaration of function 'drm_gem_object_unreference_unlocked'
28 make[6]: *** [drivers/gpu/drm/radeon/radeon_cs.o] Error 1
29
30 as it depends on the introduction of drm_gem_object_unreference_unlocked()
31 in:
32
33 Commit: c3ae90c099bb62387507e86da7cf799850444b08
34 Author: Luca Barbieri <luca@luca-barbieri.com>
35 AuthorDate: Tue Feb 9 05:49:11 2010 +0000
36
37 drm: introduce drm_gem_object_[handle_]unreference_unlocked
38
39 This patch introduces the drm_gem_object_unreference_unlocked
40 and drm_gem_object_handle_unreference_unlocked functions that
41 do not require holding struct_mutex.
42
43 drm_gem_object_unreference_unlocked calls the new
44 ->gem_free_object_unlocked entry point if available, and
45 otherwise just takes struct_mutex and just calls ->gem_free_object
46
47 which in turn suggests:
48
49 Commit: bc9025bdc4e2b591734cca17697093845007b63d
50 Author: Luca Barbieri <luca@luca-barbieri.com>
51 AuthorDate: Tue Feb 9 05:49:12 2010 +0000
52
53 Use drm_gem_object_[handle_]unreference_unlocked where possible
54
55 Mostly obvious simplifications.
56
57 The i915 pread/pwrite ioctls, intel_overlay_put_image and
58 nouveau_gem_new were incorrectly using the locked versions
59 without locking: this is also fixed in this patch.
60
61 which don't really look like candidates for 2.6.33-stable.
62
63 > --- a/drivers/gpu/drm/radeon/radeon_cs.c
64 > +++ b/drivers/gpu/drm/radeon/radeon_cs.c
65 > @@ -193,11 +193,13 @@ static void radeon_cs_parser_fini(struct
66 > radeon_bo_list_fence(&parser->validated, parser->ib->fence);
67 > }
68 > radeon_bo_list_unreserve(&parser->validated);
69 > - for (i = 0; i < parser->nrelocs; i++) {
70 > - if (parser->relocs[i].gobj) {
71 > - mutex_lock(&parser->rdev->ddev->struct_mutex);
72 > - drm_gem_object_unreference(parser->relocs[i].gobj);
73 > - mutex_unlock(&parser->rdev->ddev->struct_mutex);
74 > + if (parser->relocs != NULL) {
75 ^ the only important part, the rest merely covers the new indentation
76 level
77
78 > + for (i = 0; i < parser->nrelocs; i++) {
79 > + if (parser->relocs[i].gobj) {
80 > + mutex_lock(&parser->rdev->ddev->struct_mutex);
81 > + drm_gem_object_unreference_unlocked(parser->relocs[i].gobj);
82 ^ drm_gem_object_unreference_unlocked() doesn't exist in 2.6.33, yet
83 we can use drm_gem_object_unreference() instead.
84
85 > + mutex_unlock(&parser->rdev->ddev->struct_mutex);
86 > + }
87 > }
88 > }
89 > kfree(parser->track);
90
91 As a consequence, I'd suggest to merely backport the NULL pointer check,
92 while ignoring the simplification of using the newly introduced
93 drm_gem_object_unreference_unlocked() from 2.6.34:
94
95 Signed-off-by: Stefan Lippers-Hollmann <s.l-h@gmx.de>
96 Cc: Pauli Nieminen <suokkos@gmail.com>
97 Cc: Dave Airlie <airlied@redhat.com>
98 Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
99
100 ---
101 drivers/gpu/drm/radeon/radeon_cs.c | 12 +++++++-----
102 1 file changed, 7 insertions(+), 5 deletions(-)
103
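--- a/drivers/gpu/drm/radeon/radeon_cs.c
+++ b/drivers/gpu/drm/radeon/radeon_cs.c
@@ -193,11 +193,13 @@ static void radeon_cs_parser_fini(struct
 radeon_bo_list_fence(&parser->validated, parser->ib->fence);
 }
 radeon_bo_list_unreserve(&parser->validated);
- for (i = 0; i < parser->nrelocs; i++) {
- if (parser->relocs[i].gobj) {
- mutex_lock(&parser->rdev->ddev->struct_mutex);
- drm_gem_object_unreference(parser->relocs[i].gobj);
- mutex_unlock(&parser->rdev->ddev->struct_mutex);
+ if (parser->relocs != NULL) {
+ for (i = 0; i < parser->nrelocs; i++) {
+ if (parser->relocs[i].gobj) {
+ mutex_lock(&parser->rdev->ddev->struct_mutex);
+ drm_gem_object_unreference(parser->relocs[i].gobj);
+ mutex_unlock(&parser->rdev->ddev->struct_mutex);
+ }
 }
 }
 kfree(parser->track);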
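Review bot: The new `if (parser->relocs != NULL)` guard only protects the loop if `parser->relocs` is reliably NULL whenever the allocation in radeon_cs_parser_relocs failed. Nothing in this hunk shows where that field is initialised, so this presumably depends on the caller zeroing the parser before use, which is worth confirming against the 2.6.33 tree. Per the description, `parser->nrelocs` is still left non-zero on that failure path, so a short comment above the guard would keep the invariant visible, e.g. `/* relocs may be NULL while nrelocs != 0 if allocation failed in radeon_cs_parser_relocs() */`. The body of radeon_cs_parser_fini starts and ends outside the hunk, so any later use of the array cannot be checked from here.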