Re: [PATCH] drm/radeon: fix NULL pointer dereference in UMS mode inradeon_cs_parser_fini()

From: Ilija Hadzic
Date: Wed Jan 16 2013 - 22:17:29 EST

Next message: YOSHIFUJI Hideaki: "Re: Redefinition of struct in6_addr in <netinet/in.h> and <linux/in6.h>"
Previous message: Kees Cook: "[PATCH 03/86] drivers/net/ethernet/microchip: remove depends on CONFIG_EXPERIMENTAL"
In reply to: Shuah Khan: "[PATCH] drm/radeon: fix NULL pointer dereference in UMS mode inradeon_cs_parser_fini()"
Next in thread: Shuah Khan: "Re: [PATCH] drm/radeon: fix NULL pointer dereference in UMS mode inradeon_cs_parser_fini()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Actually, the code path affected by your patch is not executed in UMS mode at all. Notice that radeon_cs_parser_fini is only called from radeon_cs_ioctl which is a KMS-only ioctl (see radeon_kms.c).

The equivalent of the fix you are trying to do is in
a6b7e1a02b77ab8fe8775d20a88c53d8ba55482e (function patched by that one is the one used by legacy-CS ioctl), which you should go together with ff4bd0827764e10a428a9d39e6814c5478863f94 if you are backporting UMS fixes to 3.7. Both are needed to prevent kernel crashes in UMS mode.

-- Ilija

On Wed, 16 Jan 2013, Shuah Khan wrote:

Fix parser->rdev NULL pointer dereference in radeon_cs_parser_fini().
While back-porting drm/radeon: fix NULL pointer dereference in UMS mode
patch (commit-id: ff4bd0827764e10a428a9d39e6814c5478863f94) to 3,7.y, noticed
another instance of NULL pointer dereference in radeon_cs_parser_fini()
function.

Signed-off-by: Shuah Khan <shuah.khan@xxxxxx>
CC: stable@xxxxxxxxxxxxxxx 3.7
---
drivers/gpu/drm/radeon/radeon_cs.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/radeon/radeon_cs.c b/drivers/gpu/drm/radeon/radeon_cs.c
index 469661f..d1c282c 100644
--- a/drivers/gpu/drm/radeon/radeon_cs.c
+++ b/drivers/gpu/drm/radeon/radeon_cs.c
@@ -329,7 +329,7 @@ static void radeon_cs_parser_fini(struct radeon_cs_parser *parser, int error)
kfree(parser->relocs_ptr);
for (i = 0; i < parser->nchunks; i++) {
kfree(parser->chunks[i].kdata);
- if ((parser->rdev->flags & RADEON_IS_AGP)) {
+ if (parser->rdev && (parser->rdev->flags & RADEON_IS_AGP)) {
kfree(parser->chunks[i].kpage[0]);
kfree(parser->chunks[i].kpage[1]);
}
--
1.7.9.5

_______________________________________________
dri-devel mailing list
dri-devel@xxxxxxxxxxxxxxxxxxxxx
http://lists.freedesktop.org/mailman/listinfo/dri-devel

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: YOSHIFUJI Hideaki: "Re: Redefinition of struct in6_addr in <netinet/in.h> and <linux/in6.h>"
Previous message: Kees Cook: "[PATCH 03/86] drivers/net/ethernet/microchip: remove depends on CONFIG_EXPERIMENTAL"
In reply to: Shuah Khan: "[PATCH] drm/radeon: fix NULL pointer dereference in UMS mode inradeon_cs_parser_fini()"
Next in thread: Shuah Khan: "Re: [PATCH] drm/radeon: fix NULL pointer dereference in UMS mode inradeon_cs_parser_fini()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]