drm/i915: Avoid drm_atomic_state_put(NULL) on error paths
authorAnder Conselvan de Oliveira <ander.conselvan.de.oliveira@intel.com>
Wed, 18 Jan 2017 12:34:28 +0000 (14:34 +0200)
committerChris Wilson <chris@chris-wilson.co.uk>
Wed, 18 Jan 2017 13:47:22 +0000 (13:47 +0000)
The error paths in hsw_trans_edp_pipe_A_crc_wa() and
intel_prepare_reset() would potentially call drm_atomic_state_put with a
NULL state, which would lead to a NULL pointer dereference.

Found by coverity.

v2: Improve the error paths. (Chris)

Fixes: 0853695c3ba4 ("drm: Add reference counting to drm_atomic_state")
Cc: Chris Wilson <chris@chris-wilson.co.uk>
Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
Cc: <drm-intel-fixes@lists.freedesktop.org> # v4.10-rc1+
Signed-off-by: Ander Conselvan de Oliveira <ander.conselvan.de.oliveira@intel.com>
Link: http://patchwork.freedesktop.org/patch/msgid/1484742868-9551-1-git-send-email-ander.conselvan.de.oliveira@intel.com
Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk>
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
drivers/gpu/drm/i915/intel_display.c
drivers/gpu/drm/i915/intel_pipe_crc.c

index e4ea4fad9eb93cc221e39842c0abcb7c9d506e10..bf7ebdb0b604e75374138bd962e62ced50823456 100644 (file)
@@ -3560,23 +3560,19 @@ void intel_prepare_reset(struct drm_i915_private *dev_priv)
        state = drm_atomic_helper_duplicate_state(dev, ctx);
        if (IS_ERR(state)) {
                ret = PTR_ERR(state);
-               state = NULL;
                DRM_ERROR("Duplicating state failed with %i\n", ret);
-               goto err;
+               return;
        }
 
        ret = drm_atomic_helper_disable_all(dev, ctx);
        if (ret) {
                DRM_ERROR("Suspending crtc's failed with %i\n", ret);
-               goto err;
+               drm_atomic_state_put(state);
+               return;
        }
 
        dev_priv->modeset_restore_state = state;
        state->acquire_ctx = ctx;
-       return;
-
-err:
-       drm_atomic_state_put(state);
 }
 
 void intel_finish_reset(struct drm_i915_private *dev_priv)
index 0f1da810cff0b1e81a6f3dc06db866dd429988c0..c0b1f99da37b34c914fe180c856bec51dc4c333f 100644 (file)
@@ -560,14 +560,14 @@ static void hsw_trans_edp_pipe_A_crc_wa(struct drm_i915_private *dev_priv,
        state = drm_atomic_state_alloc(dev);
        if (!state) {
                ret = -ENOMEM;
-               goto out;
+               goto unlock;
        }
 
        state->acquire_ctx = drm_modeset_legacy_acquire_ctx(&crtc->base);
        pipe_config = intel_atomic_get_crtc_state(state, crtc);
        if (IS_ERR(pipe_config)) {
                ret = PTR_ERR(pipe_config);
-               goto out;
+               goto put_state;
        }
 
        pipe_config->pch_pfit.force_thru = enable;
@@ -576,10 +576,12 @@ static void hsw_trans_edp_pipe_A_crc_wa(struct drm_i915_private *dev_priv,
                pipe_config->base.connectors_changed = true;
 
        ret = drm_atomic_commit(state);
-out:
+
+put_state:
+       drm_atomic_state_put(state);
+unlock:
        WARN(ret, "Toggling workaround to %i returns %i\n", enable, ret);
        drm_modeset_unlock_all(dev);
-       drm_atomic_state_put(state);
 }
 
 static int ivb_pipe_crc_ctl_reg(struct drm_i915_private *dev_priv,