From: John Harrison <John.C.Harrison@xxxxxxxxx> The i915_gem_record_rings() code was unconditionally querying and saving state for the batch_obj of a request structure. This is not necessarily set. Thus a null pointer dereference can occur. --- drivers/gpu/drm/i915/i915_gpu_error.c | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/drivers/gpu/drm/i915/i915_gpu_error.c b/drivers/gpu/drm/i915/i915_gpu_error.c index 87ec60e..0738f21 100644 --- a/drivers/gpu/drm/i915/i915_gpu_error.c +++ b/drivers/gpu/drm/i915/i915_gpu_error.c @@ -902,12 +902,13 @@ static void i915_gem_record_rings(struct drm_device *dev, * as the simplest method to avoid being overwritten * by userspace. */ - error->ring[i].batchbuffer = - i915_error_object_create(dev_priv, - request->batch_obj, - request->ctx ? - request->ctx->vm : - &dev_priv->gtt.base); + if(request->batch_obj) + error->ring[i].batchbuffer = + i915_error_object_create(dev_priv, + request->batch_obj, + request->ctx ? + request->ctx->vm : + &dev_priv->gtt.base); if (HAS_BROKEN_CS_TLB(dev_priv->dev) && ring->scratch.obj) -- 1.7.9.5 _______________________________________________ Intel-gfx mailing list Intel-gfx@xxxxxxxxxxxxxxxxxxxxx http://lists.freedesktop.org/mailman/listinfo/intel-gfx