drm/i915: Fix possible null dereference in framebuffer_info debugfs function

Submitted by Namrta Salonie on Nov. 26, 2015, 11:02 a.m.

Details

Message ID 1448535750-3490-1-git-send-email-namrta.salonie@intel.com
State New
Headers show
Series "Fix issues reported by static code analysis tool" ( rev: 2 ) in Intel GFX

Not browsing as part of any series.

Commit Message

Namrta Salonie Nov. 26, 2015, 11:02 a.m.
Found by static code analysis tool.

v2: Inserted block instead of goto & renamed variables (Chris)

Signed-off-by: Namrta Salonie <namrta.salonie@intel.com>
Signed-off-by: Deepak S <deepak.s@intel.com>
---
 drivers/gpu/drm/i915/i915_debugfs.c |   32 +++++++++++++++-----------------
 1 file changed, 15 insertions(+), 17 deletions(-)

Patch hide | download patch | download mbox

diff --git a/drivers/gpu/drm/i915/i915_debugfs.c b/drivers/gpu/drm/i915/i915_debugfs.c
index a3b22bd..7c068ea 100644
--- a/drivers/gpu/drm/i915/i915_debugfs.c
+++ b/drivers/gpu/drm/i915/i915_debugfs.c
@@ -1865,31 +1865,29 @@  static int i915_gem_framebuffer_info(struct seq_file *m, void *data)
 {
 	struct drm_info_node *node = m->private;
 	struct drm_device *dev = node->minor->dev;
-	struct intel_fbdev *ifbdev = NULL;
-	struct intel_framebuffer *fb;
+	struct intel_framebuffer *fbdev_fb = NULL;
 	struct drm_framebuffer *drm_fb;
 
 #ifdef CONFIG_DRM_FBDEV_EMULATION
-	struct drm_i915_private *dev_priv = dev->dev_private;
 
-	ifbdev = dev_priv->fbdev;
-	fb = to_intel_framebuffer(ifbdev->helper.fb);
-
-	seq_printf(m, "fbcon size: %d x %d, depth %d, %d bpp, modifier 0x%llx, refcount %d, obj ",
-		   fb->base.width,
-		   fb->base.height,
-		   fb->base.depth,
-		   fb->base.bits_per_pixel,
-		   fb->base.modifier[0],
-		   atomic_read(&fb->base.refcount.refcount));
-	describe_obj(m, fb->obj);
-	seq_putc(m, '\n');
+	if (to_i915(dev)->fbdev) {
+		fbdev_fb = to_intel_framebuffer(to_i915(dev)->fbdev->helper.fb);
+		seq_printf(m, "fbcon size: %d x %d, depth %d, %d bpp, modifier 0x%llx, refcount %d, obj ",
+				fbdev_fb->base.width,
+				fbdev_fb->base.height,
+				fbdev_fb->base.depth,
+				fbdev_fb->base.bits_per_pixel,
+				fbdev_fb->base.modifier[0],
+				atomic_read(&fbdev_fb->base.refcount.refcount));
+		describe_obj(m, fbdev_fb->obj);
+		seq_putc(m, '\n');
+	}
 #endif
 
 	mutex_lock(&dev->mode_config.fb_lock);
 	drm_for_each_fb(drm_fb, dev) {
-		fb = to_intel_framebuffer(drm_fb);
-		if (ifbdev && &fb->base == ifbdev->helper.fb)
+		struct intel_framebuffer *fb = to_intel_framebuffer(drm_fb);
+		if (fb == fbdev_fb)
 			continue;
 
 		seq_printf(m, "user size: %d x %d, depth %d, %d bpp, modifier 0x%llx, refcount %d, obj ",

Comments

On Thu, Nov 26, 2015 at 04:32:30PM +0530, Namrta Salonie wrote:
> Found by static code analysis tool.
> 
> v2: Inserted block instead of goto & renamed variables (Chris)
> 
> Signed-off-by: Namrta Salonie <namrta.salonie@intel.com>
> Signed-off-by: Deepak S <deepak.s@intel.com>
> ---
>  drivers/gpu/drm/i915/i915_debugfs.c |   32 +++++++++++++++-----------------
>  1 file changed, 15 insertions(+), 17 deletions(-)
> 
> diff --git a/drivers/gpu/drm/i915/i915_debugfs.c b/drivers/gpu/drm/i915/i915_debugfs.c
> index a3b22bd..7c068ea 100644
> --- a/drivers/gpu/drm/i915/i915_debugfs.c
> +++ b/drivers/gpu/drm/i915/i915_debugfs.c
> @@ -1865,31 +1865,29 @@ static int i915_gem_framebuffer_info(struct seq_file *m, void *data)
>  {
>  	struct drm_info_node *node = m->private;
>  	struct drm_device *dev = node->minor->dev;
> -	struct intel_fbdev *ifbdev = NULL;
> -	struct intel_framebuffer *fb;
> +	struct intel_framebuffer *fbdev_fb = NULL;
>  	struct drm_framebuffer *drm_fb;
>  
>  #ifdef CONFIG_DRM_FBDEV_EMULATION
> -	struct drm_i915_private *dev_priv = dev->dev_private;
>  
> -	ifbdev = dev_priv->fbdev;
> -	fb = to_intel_framebuffer(ifbdev->helper.fb);
> -
> -	seq_printf(m, "fbcon size: %d x %d, depth %d, %d bpp, modifier 0x%llx, refcount %d, obj ",
> -		   fb->base.width,
> -		   fb->base.height,
> -		   fb->base.depth,
> -		   fb->base.bits_per_pixel,
> -		   fb->base.modifier[0],
> -		   atomic_read(&fb->base.refcount.refcount));
> -	describe_obj(m, fb->obj);
> -	seq_putc(m, '\n');
> +	if (to_i915(dev)->fbdev) {
> +		fbdev_fb = to_intel_framebuffer(to_i915(dev)->fbdev->helper.fb);
> +		seq_printf(m, "fbcon size: %d x %d, depth %d, %d bpp, modifier 0x%llx, refcount %d, obj ",
> +				fbdev_fb->base.width,
> +				fbdev_fb->base.height,
> +				fbdev_fb->base.depth,
> +				fbdev_fb->base.bits_per_pixel,
> +				fbdev_fb->base.modifier[0],
> +				atomic_read(&fbdev_fb->base.refcount.refcount));

These should be aligned to the opening '('

Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk>
-Chris
On Thu, Nov 26, 2015 at 12:43:19PM +0000, Chris Wilson wrote:
> On Thu, Nov 26, 2015 at 04:32:30PM +0530, Namrta Salonie wrote:
> > Found by static code analysis tool.
> > 
> > v2: Inserted block instead of goto & renamed variables (Chris)
> > 
> > Signed-off-by: Namrta Salonie <namrta.salonie@intel.com>
> > Signed-off-by: Deepak S <deepak.s@intel.com>
> > ---
> >  drivers/gpu/drm/i915/i915_debugfs.c |   32 +++++++++++++++-----------------
> >  1 file changed, 15 insertions(+), 17 deletions(-)
> > 
> > diff --git a/drivers/gpu/drm/i915/i915_debugfs.c b/drivers/gpu/drm/i915/i915_debugfs.c
> > index a3b22bd..7c068ea 100644
> > --- a/drivers/gpu/drm/i915/i915_debugfs.c
> > +++ b/drivers/gpu/drm/i915/i915_debugfs.c
> > @@ -1865,31 +1865,29 @@ static int i915_gem_framebuffer_info(struct seq_file *m, void *data)
> >  {
> >  	struct drm_info_node *node = m->private;
> >  	struct drm_device *dev = node->minor->dev;
> > -	struct intel_fbdev *ifbdev = NULL;
> > -	struct intel_framebuffer *fb;
> > +	struct intel_framebuffer *fbdev_fb = NULL;
> >  	struct drm_framebuffer *drm_fb;
> >  
> >  #ifdef CONFIG_DRM_FBDEV_EMULATION
> > -	struct drm_i915_private *dev_priv = dev->dev_private;
> >  
> > -	ifbdev = dev_priv->fbdev;
> > -	fb = to_intel_framebuffer(ifbdev->helper.fb);
> > -
> > -	seq_printf(m, "fbcon size: %d x %d, depth %d, %d bpp, modifier 0x%llx, refcount %d, obj ",
> > -		   fb->base.width,
> > -		   fb->base.height,
> > -		   fb->base.depth,
> > -		   fb->base.bits_per_pixel,
> > -		   fb->base.modifier[0],
> > -		   atomic_read(&fb->base.refcount.refcount));
> > -	describe_obj(m, fb->obj);
> > -	seq_putc(m, '\n');
> > +	if (to_i915(dev)->fbdev) {
> > +		fbdev_fb = to_intel_framebuffer(to_i915(dev)->fbdev->helper.fb);
> > +		seq_printf(m, "fbcon size: %d x %d, depth %d, %d bpp, modifier 0x%llx, refcount %d, obj ",
> > +				fbdev_fb->base.width,
> > +				fbdev_fb->base.height,
> > +				fbdev_fb->base.depth,
> > +				fbdev_fb->base.bits_per_pixel,
> > +				fbdev_fb->base.modifier[0],
> > +				atomic_read(&fbdev_fb->base.refcount.refcount));
> 
> These should be aligned to the opening '('

Patch also doesn't apply cleanly any more on top of drm-intel-nightly. Can
you please rebase and fix up the alignment problem Chris pointed out
above?

Thanks, Daniel

> 
> Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk>
> -Chris
> 
> -- 
> Chris Wilson, Intel Open Source Technology Centre
> _______________________________________________
> Intel-gfx mailing list
> Intel-gfx@lists.freedesktop.org
> http://lists.freedesktop.org/mailman/listinfo/intel-gfx