From 1e5a15d65d4cecb553d7e81c3ac05b1ffbc4bb27 Mon Sep 17 00:00:00 2001 From: Ander Conselvan de Oliveira Date: Wed, 18 Jan 2017 14:34:28 +0200 Subject: [PATCH] drm/i915: Avoid drm_atomic_state_put(NULL) on error paths The error paths in hsw_trans_edp_pipe_A_crc_wa() and intel_prepare_reset() would potentially call drm_atomic_state_put with a NULL state, which would lead to a NULL pointer dereference. Found by coverity. v2: Improve the error paths. (Chris) Fixes: 0853695c3ba4 ("drm: Add reference counting to drm_atomic_state") Cc: Chris Wilson Cc: Daniel Vetter Cc: # v4.10-rc1+ Signed-off-by: Ander Conselvan de Oliveira Link: http://patchwork.freedesktop.org/patch/msgid/1484742868-9551-1-git-send-email-ander.conselvan.de.oliveira@intel.com Reviewed-by: Chris Wilson Signed-off-by: Chris Wilson --- drivers/gpu/drm/i915/intel_display.c | 10 +++------- drivers/gpu/drm/i915/intel_pipe_crc.c | 10 ++++++---- 2 files changed, 9 insertions(+), 11 deletions(-) diff --git a/drivers/gpu/drm/i915/intel_display.c b/drivers/gpu/drm/i915/intel_display.c index e4ea4fad9eb9..bf7ebdb0b604 100644 --- a/drivers/gpu/drm/i915/intel_display.c +++ b/drivers/gpu/drm/i915/intel_display.c @@ -3560,23 +3560,19 @@ void intel_prepare_reset(struct drm_i915_private *dev_priv) state = drm_atomic_helper_duplicate_state(dev, ctx); if (IS_ERR(state)) { ret = PTR_ERR(state); - state = NULL; DRM_ERROR("Duplicating state failed with %i\n", ret); - goto err; + return; } ret = drm_atomic_helper_disable_all(dev, ctx); if (ret) { DRM_ERROR("Suspending crtc's failed with %i\n", ret); - goto err; + drm_atomic_state_put(state); + return; } dev_priv->modeset_restore_state = state; state->acquire_ctx = ctx; - return; - -err: - drm_atomic_state_put(state); } void intel_finish_reset(struct drm_i915_private *dev_priv) diff --git a/drivers/gpu/drm/i915/intel_pipe_crc.c b/drivers/gpu/drm/i915/intel_pipe_crc.c index 0f1da810cff0..c0b1f99da37b 100644 --- a/drivers/gpu/drm/i915/intel_pipe_crc.c +++ b/drivers/gpu/drm/i915/intel_pipe_crc.c @@ -560,14 +560,14 @@ static void hsw_trans_edp_pipe_A_crc_wa(struct drm_i915_private *dev_priv, state = drm_atomic_state_alloc(dev); if (!state) { ret = -ENOMEM; - goto out; + goto unlock; } state->acquire_ctx = drm_modeset_legacy_acquire_ctx(&crtc->base); pipe_config = intel_atomic_get_crtc_state(state, crtc); if (IS_ERR(pipe_config)) { ret = PTR_ERR(pipe_config); - goto out; + goto put_state; } pipe_config->pch_pfit.force_thru = enable; @@ -576,10 +576,12 @@ static void hsw_trans_edp_pipe_A_crc_wa(struct drm_i915_private *dev_priv, pipe_config->base.connectors_changed = true; ret = drm_atomic_commit(state); -out: + +put_state: + drm_atomic_state_put(state); +unlock: WARN(ret, "Toggling workaround to %i returns %i\n", enable, ret); drm_modeset_unlock_all(dev); - drm_atomic_state_put(state); } static int ivb_pipe_crc_ctl_reg(struct drm_i915_private *dev_priv, -- 2.20.1