[Intel-gfx] [RFC 04/44] drm/i915: Fix null pointer dereference in error capture

[Jesse Barnes]

On Thu, 26 Jun 2014 18:23:55 +0100
John.C.Harrison at Intel.com wrote:

> From: John Harrison <John.C.Harrison at Intel.com>
> 
> The i915_gem_record_rings() code was unconditionally querying and saving state
> for the batch_obj of a request structure. This is not necessarily set. Thus a
> null pointer dereference can occur.
> ---
>  drivers/gpu/drm/i915/i915_gpu_error.c |   13 +++++++------
>  1 file changed, 7 insertions(+), 6 deletions(-)
> 
> diff --git a/drivers/gpu/drm/i915/i915_gpu_error.c b/drivers/gpu/drm/i915/i915_gpu_error.c
> index 87ec60e..0738f21 100644
> --- a/drivers/gpu/drm/i915/i915_gpu_error.c
> +++ b/drivers/gpu/drm/i915/i915_gpu_error.c
> @@ -902,12 +902,13 @@ static void i915_gem_record_rings(struct drm_device *dev,
>  			 * as the simplest method to avoid being overwritten
>  			 * by userspace.
>  			 */
> -			error->ring[i].batchbuffer =
> -				i915_error_object_create(dev_priv,
> -							 request->batch_obj,
> -							 request->ctx ?
> -							 request->ctx->vm :
> -							 &dev_priv->gtt.base);
> +			if(request->batch_obj)
> +				error->ring[i].batchbuffer =
> +					i915_error_object_create(dev_priv,
> +								 request->batch_obj,
> +								 request->ctx ?
> +								 request->ctx->vm :
> +								 &dev_priv->gtt.base);
>  
>  			if (HAS_BROKEN_CS_TLB(dev_priv->dev) &&
>  			    ring->scratch.obj)

Reviewed-by: Jesse Barnes <jbarnes at virtuosugeek.org>

-- 
Jesse Barnes, Intel Open Source Technology Center