[PATCH 08/13] drm/irq: Check for valid VBLANK before dereference

Thierry Reding thierry.reding at gmail.com
Thu Aug 13 02:20:05 PDT 2015 

On Wed, Aug 12, 2015 at 05:40:11PM +0200, Daniel Vetter wrote:
> On Wed, Aug 12, 2015 at 05:00:30PM +0200, Thierry Reding wrote:
> > From: Thierry Reding <treding at nvidia.com>
> > 
> > When accessing the array of per-CRTC VBLANK structures we must always
> > check that the index into the array is valid before dereferencing to
> > avoid crashing.
> > 
> > Signed-off-by: Thierry Reding <treding at nvidia.com>
> 
> This misses vblank_reset (I guess that function is newer than your
> patches). Can you please do a follow-up? I merged this one meanwhile.

We only have drm_crtc_vblank_reset(), in which case there's no need to
check the index because it's obtained directly from a struct drm_crtc *
and hence will be valid.

Thierry

> > ---
> >  drivers/gpu/drm/drm_irq.c | 10 ++++++++--
> >  1 file changed, 8 insertions(+), 2 deletions(-)
> > 
> > diff --git a/drivers/gpu/drm/drm_irq.c b/drivers/gpu/drm/drm_irq.c
> > index 5c666c780fe9..a957b9618e85 100644
> > --- a/drivers/gpu/drm/drm_irq.c
> > +++ b/drivers/gpu/drm/drm_irq.c
> > @@ -1110,10 +1110,10 @@ void drm_vblank_put(struct drm_device *dev, int crtc)
> >  {
> >  	struct drm_vblank_crtc *vblank = &dev->vblank[crtc];
> >  
> > -	if (WARN_ON(atomic_read(&vblank->refcount) == 0))
> > +	if (WARN_ON(crtc >= dev->num_crtcs))
> >  		return;
> >  
> > -	if (WARN_ON(crtc >= dev->num_crtcs))
> > +	if (WARN_ON(atomic_read(&vblank->refcount) == 0))
> >  		return;
> >  
> >  	/* Last user schedules interrupt disable */
> > @@ -1158,6 +1158,9 @@ void drm_wait_one_vblank(struct drm_device *dev, int crtc)
> >  	int ret;
> >  	u32 last;
> >  
> > +	if (WARN_ON(crtc >= dev->num_crtcs))
> > +		return;
> > +
> >  	ret = drm_vblank_get(dev, crtc);
> >  	if (WARN(ret, "vblank not available on crtc %i, ret=%i\n", crtc, ret))
> >  		return;
> > @@ -1428,6 +1431,9 @@ void drm_vblank_post_modeset(struct drm_device *dev, int crtc)
> >  	if (!dev->num_crtcs)
> >  		return;
> >  
> > +	if (WARN_ON(crtc >= dev->num_crtcs))
> > +		return;
> > +
> >  	if (vblank->inmodeset) {
> >  		spin_lock_irqsave(&dev->vbl_lock, irqflags);
> >  		dev->vblank_disable_allowed = true;
> > -- 
> > 2.4.5
> > 
> 
> -- 
> Daniel Vetter
> Software Engineer, Intel Corporation
> http://blog.ffwll.ch
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL: <http://lists.freedesktop.org/archives/dri-devel/attachments/20150813/3bdec4f5/attachment.sig>

More information about the dri-devel mailing list