[Intel-gfx] [PATCH v3 2/2] drm/i915: Fix oops caused by fbdev initialization failure

Daniel Vetter daniel at ffwll.ch
Thu Nov 19 08:02:04 PST 2015 

On Wed, Nov 18, 2015 at 01:43:20PM +0100, Lukas Wunner wrote:
> intelfb_create() is called once on driver initialization. If it fails,
> ifbdev->helper.fbdev, ifbdev->fb or ifbdev->fb->obj may be NULL.
> 
> Further up in the call stack, intel_fbdev_initial_config() calls
> intel_fbdev_fini() to tear down the ifbdev on failure. This calls
> intel_fbdev_destroy() which dereferences ifbdev->fb. Fix the ensuing
> oops.
> 
> Also check in these functions if ifbdev is not NULL to avoid oops:
> 
> i915_gem_framebuffer_info() is called on access to debugfs file
> "i915_gem_framebuffer" and dereferences ifbdev, ifbdev->helper.fb
> and ifbdev->helper.fb->obj.
> 
> intel_connector_add_to_fbdev() / intel_connector_remove_from_fbdev()
> are called when registering / unregistering an mst connector and
> dereference ifbdev.
> 
> v3: Drop additional null pointer checks in intel_fbdev_set_suspend(),
>     intel_fbdev_output_poll_changed() and intel_fbdev_restore_mode()
>     since they already check if ifbdev is not NULL, which is sufficient
>     now that intel_fbdev_fini() is called on initialization failure.
>     (Requested by Daniel Vetter <daniel.vetter at ffwll.ch>)
> 
> Signed-off-by: Lukas Wunner <lukas at wunner.de>

Queued for -next, thanks for the patch. Aside, with this patch and the
static inline dummies from Archit I think we can drop most of the #ifdef
blocks (not the one in debugfs though). Care for a follow-up patch to
remove them around add/remove_one_connector?
-Daniel
> ---
>  drivers/gpu/drm/i915/i915_debugfs.c | 24 +++++++++++++-----------
>  drivers/gpu/drm/i915/intel_dp_mst.c | 10 ++++++++--
>  drivers/gpu/drm/i915/intel_fbdev.c  |  6 ++++--
>  3 files changed, 25 insertions(+), 15 deletions(-)
> 
> diff --git a/drivers/gpu/drm/i915/i915_debugfs.c b/drivers/gpu/drm/i915/i915_debugfs.c
> index 038d5c6..411a9c6 100644
> --- a/drivers/gpu/drm/i915/i915_debugfs.c
> +++ b/drivers/gpu/drm/i915/i915_debugfs.c
> @@ -1877,17 +1877,19 @@ static int i915_gem_framebuffer_info(struct seq_file *m, void *data)
>  	struct drm_i915_private *dev_priv = dev->dev_private;
>  
>  	ifbdev = dev_priv->fbdev;
> -	fb = to_intel_framebuffer(ifbdev->helper.fb);
> -
> -	seq_printf(m, "fbcon size: %d x %d, depth %d, %d bpp, modifier 0x%llx, refcount %d, obj ",
> -		   fb->base.width,
> -		   fb->base.height,
> -		   fb->base.depth,
> -		   fb->base.bits_per_pixel,
> -		   fb->base.modifier[0],
> -		   atomic_read(&fb->base.refcount.refcount));
> -	describe_obj(m, fb->obj);
> -	seq_putc(m, '\n');
> +	if (ifbdev) {
> +		fb = to_intel_framebuffer(ifbdev->helper.fb);
> +
> +		seq_printf(m, "fbcon size: %d x %d, depth %d, %d bpp, modifier 0x%llx, refcount %d, obj ",
> +			   fb->base.width,
> +			   fb->base.height,
> +			   fb->base.depth,
> +			   fb->base.bits_per_pixel,
> +			   fb->base.modifier[0],
> +			   atomic_read(&fb->base.refcount.refcount));
> +		describe_obj(m, fb->obj);
> +		seq_putc(m, '\n');
> +	}
>  #endif
>  
>  	mutex_lock(&dev->mode_config.fb_lock);
> diff --git a/drivers/gpu/drm/i915/intel_dp_mst.c b/drivers/gpu/drm/i915/intel_dp_mst.c
> index 9d8a5b4..8c4e7df 100644
> --- a/drivers/gpu/drm/i915/intel_dp_mst.c
> +++ b/drivers/gpu/drm/i915/intel_dp_mst.c
> @@ -408,7 +408,10 @@ static void intel_connector_add_to_fbdev(struct intel_connector *connector)
>  {
>  #ifdef CONFIG_DRM_FBDEV_EMULATION
>  	struct drm_i915_private *dev_priv = to_i915(connector->base.dev);
> -	drm_fb_helper_add_one_connector(&dev_priv->fbdev->helper, &connector->base);
> +
> +	if (dev_priv->fbdev)
> +		drm_fb_helper_add_one_connector(&dev_priv->fbdev->helper,
> +						&connector->base);
>  #endif
>  }
>  
> @@ -416,7 +419,10 @@ static void intel_connector_remove_from_fbdev(struct intel_connector *connector)
>  {
>  #ifdef CONFIG_DRM_FBDEV_EMULATION
>  	struct drm_i915_private *dev_priv = to_i915(connector->base.dev);
> -	drm_fb_helper_remove_one_connector(&dev_priv->fbdev->helper, &connector->base);
> +
> +	if (dev_priv->fbdev)
> +		drm_fb_helper_remove_one_connector(&dev_priv->fbdev->helper,
> +						   &connector->base);
>  #endif
>  }
>  
> diff --git a/drivers/gpu/drm/i915/intel_fbdev.c b/drivers/gpu/drm/i915/intel_fbdev.c
> index cd345c5..7ccde58 100644
> --- a/drivers/gpu/drm/i915/intel_fbdev.c
> +++ b/drivers/gpu/drm/i915/intel_fbdev.c
> @@ -530,8 +530,10 @@ static void intel_fbdev_destroy(struct drm_device *dev,
>  
>  	drm_fb_helper_fini(&ifbdev->helper);
>  
> -	drm_framebuffer_unregister_private(&ifbdev->fb->base);
> -	drm_framebuffer_remove(&ifbdev->fb->base);
> +	if (ifbdev->fb) {
> +		drm_framebuffer_unregister_private(&ifbdev->fb->base);
> +		drm_framebuffer_remove(&ifbdev->fb->base);
> +	}
>  }
>  
>  /*
> -- 
> 2.1.0
> 

-- 
Daniel Vetter
Software Engineer, Intel Corporation
http://blog.ffwll.ch

More information about the Intel-gfx mailing list