On Thu, 26 Jun 2014 18:23:55 +0100 john.c.harri...@intel.com wrote: > From: John Harrison <john.c.harri...@intel.com> > > The i915_gem_record_rings() code was unconditionally querying and saving state > for the batch_obj of a request structure. This is not necessarily set. Thus a > null pointer dereference can occur. > --- > drivers/gpu/drm/i915/i915_gpu_error.c | 13 +++++++------ > 1 file changed, 7 insertions(+), 6 deletions(-) > > diff --git a/drivers/gpu/drm/i915/i915_gpu_error.c > b/drivers/gpu/drm/i915/i915_gpu_error.c > index 87ec60e..0738f21 100644 > --- a/drivers/gpu/drm/i915/i915_gpu_error.c > +++ b/drivers/gpu/drm/i915/i915_gpu_error.c > @@ -902,12 +902,13 @@ static void i915_gem_record_rings(struct drm_device > *dev, > * as the simplest method to avoid being overwritten > * by userspace. > */ > - error->ring[i].batchbuffer = > - i915_error_object_create(dev_priv, > - request->batch_obj, > - request->ctx ? > - request->ctx->vm : > - &dev_priv->gtt.base); > + if(request->batch_obj) > + error->ring[i].batchbuffer = > + i915_error_object_create(dev_priv, > + > request->batch_obj, > + request->ctx ? > + > request->ctx->vm : > + > &dev_priv->gtt.base); > > if (HAS_BROKEN_CS_TLB(dev_priv->dev) && > ring->scratch.obj)
Reviewed-by: Jesse Barnes <jbar...@virtuosugeek.org> -- Jesse Barnes, Intel Open Source Technology Center _______________________________________________ Intel-gfx mailing list Intel-gfx@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/intel-gfx
