On Mon, Jul 19, 2010 at 5:42 PM, Alexander Y. Fomichev <git.user@xxxxxxxxx> wrote:
> This patch fixes a possible NULL pointer dereference when
> r600_prepare_blit_copy tries to fill dev_priv->blit_vb->file_priv
> without a check of dev_priv->blit_vb. dev_priv->blit_vb should be
> filled by r600_nomm_get_vb, but the latter can fail with EAGAIN.
> Addresses: https://bugzilla.kernel.org/show_bug.cgi?id=16375
>
> ---
> drivers/gpu/drm/radeon/r600_blit.c | 2 ++
> 1 files changed, 2 insertions(+), 0 deletions(-)
>
> diff --git a/drivers/gpu/drm/radeon/r600_blit.c b/drivers/gpu/drm/radeon/r600_blit.c > index f4fb88e..0df4a2b 100644 > --- a/drivers/gpu/drm/radeon/r600_blit.c > +++ b/drivers/gpu/drm/radeon/r600_blit.c > @@ -541,6 +541,8 @@ r600_prepare_blit_copy(struct drm_device *dev, struct drm_file *file_priv) > DRM_DEBUG("\n"); > > r600_nomm_get_vb(dev); > + if (!dev_priv->blit_vb) > + return;

r600_prepare_blit_copy returns an int so something like this would be better:

--- a/drivers/gpu/drm/radeon/r600_blit.c +++ b/drivers/gpu/drm/radeon/r600_blit.c @@ -539,8 +539,10 @@ r600_prepare_blit_copy(struct drm_device *dev, struct drm_file *file_priv) { drm_radeon_private_t *dev_priv = dev->dev_private; DRM_DEBUG("\n"); + int ret = r600_nomm_get_vb(dev); - r600_nomm_get_vb(dev); + if (ret) + return ret; dev_priv->blit_vb->file_priv = file_priv;

Alex

> > dev_priv->blit_vb->file_priv = file_priv; > > -- > 1.7.1.1 >
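
Review bot: The bare `return;` added after r600_nomm_get_vb(dev) in the quoted hunk (@@ -541,6 +541,8 @@) carries no value, yet the reply in this thread states that r600_prepare_blit_copy returns an int, so the caller gets no usable status on the failure path. The check also tests dev_priv->blit_vb rather than the result of r600_nomm_get_vb, which discards the EAGAIN the commit message mentions. Return the error code from r600_nomm_get_vb so the caller can see the failure instead of continuing as if the blit state were prepared.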
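
Review bot: In the suggested hunk (@@ -539,8 +539,10 @@), `int ret = r600_nomm_get_vb(dev);` is declared after the DRM_DEBUG("\n") statement, which is a declaration after a statement and draws a warning in kernel builds; declare `int ret;` next to dev_priv and assign it after DRM_DEBUG. The hunk also relies on r600_nomm_get_vb returning its error as an int, which is not visible here because the old call ignored any return value, so that should be confirmed. Callers of r600_prepare_blit_copy need to check the returned value for the NULL dereference fix to take effect end to end.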