On Thu, 26 Jun 2014 18:23:55 +0100 John.C.Harrison@xxxxxxxxx wrote: > From: John Harrison <John.C.Harrison@xxxxxxxxx> > > The i915_gem_record_rings() code was unconditionally querying and saving state > for the batch_obj of a request structure. This is not necessarily set. Thus a > null pointer dereference can occur. > --- > drivers/gpu/drm/i915/i915_gpu_error.c | 13 +++++++------ > 1 file changed, 7 insertions(+), 6 deletions(-) > > diff --git a/drivers/gpu/drm/i915/i915_gpu_error.c b/drivers/gpu/drm/i915/i915_gpu_error.c > index 87ec60e..0738f21 100644 > --- a/drivers/gpu/drm/i915/i915_gpu_error.c > +++ b/drivers/gpu/drm/i915/i915_gpu_error.c > @@ -902,12 +902,13 @@ static void i915_gem_record_rings(struct drm_device *dev, > * as the simplest method to avoid being overwritten > * by userspace. > */ > - error->ring[i].batchbuffer = > - i915_error_object_create(dev_priv, > - request->batch_obj, > - request->ctx ? > - request->ctx->vm : > - &dev_priv->gtt.base); > + if(request->batch_obj) > + error->ring[i].batchbuffer = > + i915_error_object_create(dev_priv, > + request->batch_obj, > + request->ctx ? > + request->ctx->vm : > + &dev_priv->gtt.base); > > if (HAS_BROKEN_CS_TLB(dev_priv->dev) && > ring->scratch.obj) Reviewed-by: Jesse Barnes <jbarnes@xxxxxxxxxxxxxxxx> -- Jesse Barnes, Intel Open Source Technology Center _______________________________________________ Intel-gfx mailing list Intel-gfx@xxxxxxxxxxxxxxxxxxxxx http://lists.freedesktop.org/mailman/listinfo/intel-gfx
