drm: stop vmgfx driver explosion

Message ID	20120820144438.6255.39723.stgit@localhost.localdomain (mailing list archive)
State	New, archived
Headers	show Return-Path: <dri-devel-bounces+patchwork-dri-devel=patchwork.kernel.org@lists.freedesktop.org> From: Alan Cox <alan@lxorguk.ukuu.org.uk> Subject: [PATCH] drm: stop vmgfx driver explosion To: dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org Date: Mon, 20 Aug 2012 15:44:52 +0100 Message-ID: <20120820144438.6255.39723.stgit@localhost.localdomain> User-Agent: StGIT/0.14.3 MIME-Version: 1.0 Precedence: list Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: dri-devel-bounces+patchwork-dri-devel=patchwork.kernel.org@lists.freedesktop.org Errors-To: dri-devel-bounces+patchwork-dri-devel=patchwork.kernel.org@lists.freedesktop.org

Message ID

20120820144438.6255.39723.stgit@localhost.localdomain (mailing list archive)

State

New, archived

Headers

From: Alan Cox <alan@lxorguk.ukuu.org.uk>
Subject: [PATCH] drm: stop vmgfx driver explosion
To: dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org
Date: Mon, 20 Aug 2012 15:44:52 +0100
Message-ID: <20120820144438.6255.39723.stgit@localhost.localdomain>
User-Agent: StGIT/0.14.3
MIME-Version: 1.0
Precedence: list
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: dri-devel-bounces+patchwork-dri-devel=patchwork.kernel.org@lists.freedesktop.org
Errors-To: dri-devel-bounces+patchwork-dri-devel=patchwork.kernel.org@lists.freedesktop.org

Commit Message

Alan Cox Aug. 20, 2012, 2:44 p.m. UTC

From: Alan Cox <alan@linux.intel.com>

If you do a page flip with no flags set then event is NULL. If event is
NULL then the vmw_gfx driver likes to go digging into NULL and extracts
NULL->base.file_priv.

On a modern kernel with NULL mapping protection it's just another oops,
without it there are some "intriguing" possibilities.

What it should do is an open question but that for the driver owners to
sort out.

Signed-off-by: Alan Cox <alan@linux.intel.com>
---

 drivers/gpu/drm/vmwgfx/vmwgfx_kms.c |    6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

Comments

Jakob Bornecrantz Aug. 20, 2012, 3:04 p.m. UTC | #1

----- Original Message -----
> From: Alan Cox <alan@linux.intel.com>
> 
> If you do a page flip with no flags set then event is NULL. If event
> is NULL then the vmw_gfx driver likes to go digging into NULL and
> extracts NULL->base.file_priv.
> 
> On a modern kernel with NULL mapping protection it's just another
> oops, without it there are some "intriguing" possibilities.
> 
> What it should do is an open question but that for the driver owners
> to sort out.
> 
> Signed-off-by: Alan Cox <alan@linux.intel.com>

Thanks Alan!

Reviewed-by: Jakob Bornecrantz <jakob@vmware.com>

I think CC stable is in order.

Cheers, Jakob.

diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
index 6b0078f..c50724b 100644
--- a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
@@ -1688,15 +1688,19 @@  int vmw_du_page_flip(struct drm_crtc *crtc,
 	struct vmw_private *dev_priv = vmw_priv(crtc->dev);
 	struct drm_framebuffer *old_fb = crtc->fb;
 	struct vmw_framebuffer *vfb = vmw_framebuffer_to_vfb(fb);
-	struct drm_file *file_priv = event->base.file_priv;
+	struct drm_file *file_priv ;
 	struct vmw_fence_obj *fence = NULL;
 	struct drm_clip_rect clips;
 	int ret;
 
+	if (event == NULL)
+		return -EINVAL;
+
 	/* require ScreenObject support for page flipping */
 	if (!dev_priv->sou_priv)
 		return -ENOSYS;
 
+	file_priv = event->base.file_priv;
 	if (!vmw_kms_screen_object_flippable(dev_priv, crtc))
 		return -EINVAL;

drm: stop vmgfx driver explosion

Commit Message

Comments

Patch