summaryrefslogtreecommitdiffstats
path: root/drivers/gpu/drm/i915/intel_ringbuffer.c
diff options
context:
space:
mode:
authorJohn Harrison <John.C.Harrison@Intel.com>2014-10-31 12:00:26 +0000
committerDaniel Vetter <daniel.vetter@ffwll.ch>2014-11-04 23:22:14 +0100
commit6402c330a62685c77c32d1bdfa882759c9f8e8a7 (patch)
tree3a8fdba207e57b5d1e2c32f0f57ee5a17f3ca57d /drivers/gpu/drm/i915/intel_ringbuffer.c
parentc883ef1b1c998d2d66866772fd0fc34afa45641e (diff)
downloadlinux-stable-6402c330a62685c77c32d1bdfa882759c9f8e8a7.tar.gz
linux-stable-6402c330a62685c77c32d1bdfa882759c9f8e8a7.tar.bz2
linux-stable-6402c330a62685c77c32d1bdfa882759c9f8e8a7.zip
drm/i915: Fix null pointer dereference in ring cleanup code
If a ring failed to initialise for any reason then the error path would try to clean up all rings including those that had not yet been allocated. The ring clean up code did a check that the ring was valid before starting its work. Unfortunately, that was after it had already dereferenced the ring to obtain a dev_private pointer. Signed-off-by: John Harrison <John.C.Harrison@Intel.com> Reviewed-by: Damien Lespiau <damien.lespiau@intel.com> Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Diffstat (limited to 'drivers/gpu/drm/i915/intel_ringbuffer.c')
-rw-r--r--drivers/gpu/drm/i915/intel_ringbuffer.c7
1 files changed, 5 insertions, 2 deletions
diff --git a/drivers/gpu/drm/i915/intel_ringbuffer.c b/drivers/gpu/drm/i915/intel_ringbuffer.c
index a8f72e8d64e3..f457146ff6a4 100644
--- a/drivers/gpu/drm/i915/intel_ringbuffer.c
+++ b/drivers/gpu/drm/i915/intel_ringbuffer.c
@@ -1845,12 +1845,15 @@ error:
void intel_cleanup_ring_buffer(struct intel_engine_cs *ring)
{
- struct drm_i915_private *dev_priv = to_i915(ring->dev);
- struct intel_ringbuffer *ringbuf = ring->buffer;
+ struct drm_i915_private *dev_priv;
+ struct intel_ringbuffer *ringbuf;
if (!intel_ring_initialized(ring))
return;
+ dev_priv = to_i915(ring->dev);
+ ringbuf = ring->buffer;
+
intel_stop_ring_buffer(ring);
WARN_ON(!IS_GEN2(ring->dev) && (I915_READ_MODE(ring) & MODE_IDLE) == 0);