Commit 6bc26542 authored by Chris Wilson's avatar Chris Wilson

drm/i915/fbdev: Check for the framebuffer before use

If the fbdev probing fails, and in our error path we fail to clear the
dev_priv->fbdev, then we can try and use a dangling fbdev pointer, and
in particular a NULL fb. This could also happen in pathological cases
where we try to operate on the fbdev prior to it being probed.
Reported-by: default avatarMaarten Lankhorst <maarten.lankhorst@linux.intel.com>
Signed-off-by: default avatarChris Wilson <chris@chris-wilson.co.uk>
Cc: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
Cc: Mika Kuoppala <mika.kuoppala@intel.com>
Link: http://patchwork.freedesktop.org/patch/msgid/1468431285-28264-2-git-send-email-chris@chris-wilson.co.ukReviewed-by: default avatarDaniel Vetter <daniel.vetter@ffwll.ch>
Reviewed-by: default avatarMika Kuoppala <mika.kuoppala@intel.com>
parent 0b8c0e9c
...@@ -782,7 +782,7 @@ void intel_fbdev_set_suspend(struct drm_device *dev, int state, bool synchronous ...@@ -782,7 +782,7 @@ void intel_fbdev_set_suspend(struct drm_device *dev, int state, bool synchronous
struct intel_fbdev *ifbdev = dev_priv->fbdev; struct intel_fbdev *ifbdev = dev_priv->fbdev;
struct fb_info *info; struct fb_info *info;
if (!ifbdev) if (!ifbdev || !ifbdev->fb)
return; return;
info = ifbdev->helper.fbdev; info = ifbdev->helper.fbdev;
...@@ -827,31 +827,28 @@ void intel_fbdev_set_suspend(struct drm_device *dev, int state, bool synchronous ...@@ -827,31 +827,28 @@ void intel_fbdev_set_suspend(struct drm_device *dev, int state, bool synchronous
void intel_fbdev_output_poll_changed(struct drm_device *dev) void intel_fbdev_output_poll_changed(struct drm_device *dev)
{ {
struct drm_i915_private *dev_priv = to_i915(dev); struct intel_fbdev *ifbdev = to_i915(dev)->fbdev;
if (dev_priv->fbdev)
drm_fb_helper_hotplug_event(&dev_priv->fbdev->helper); if (ifbdev && ifbdev->fb)
drm_fb_helper_hotplug_event(&ifbdev->helper);
} }
void intel_fbdev_restore_mode(struct drm_device *dev) void intel_fbdev_restore_mode(struct drm_device *dev)
{ {
int ret; struct intel_fbdev *ifbdev = to_i915(dev)->fbdev;
struct drm_i915_private *dev_priv = to_i915(dev);
struct intel_fbdev *ifbdev = dev_priv->fbdev;
struct drm_fb_helper *fb_helper;
if (!ifbdev) if (!ifbdev)
return; return;
intel_fbdev_sync(ifbdev); intel_fbdev_sync(ifbdev);
if (!ifbdev->fb)
return;
fb_helper = &ifbdev->helper; if (drm_fb_helper_restore_fbdev_mode_unlocked(&ifbdev->helper)) {
ret = drm_fb_helper_restore_fbdev_mode_unlocked(fb_helper);
if (ret) {
DRM_DEBUG("failed to restore crtc mode\n"); DRM_DEBUG("failed to restore crtc mode\n");
} else { } else {
mutex_lock(&fb_helper->dev->struct_mutex); mutex_lock(&dev->struct_mutex);
intel_fb_obj_invalidate(ifbdev->fb->obj, ORIGIN_GTT); intel_fb_obj_invalidate(ifbdev->fb->obj, ORIGIN_GTT);
mutex_unlock(&fb_helper->dev->struct_mutex); mutex_unlock(&dev->struct_mutex);
} }
} }
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment