[PATCH] drm/mgag200: don't pass NULL file_priv to drm_gem_object_lookup()

Mon, 19 Oct 2015 04:27:18 -0600 

Commit bf89209a6d ("drm/mga200g: Hold a proper reference for
cursor_set") clearly didn't take the call site in
drm_fb_helper.c:restore_fbdev_mode() into account, which passes NULL 
for file_priv and hence causes drm_gem_object_lookup() to fault. Move
the lookup back to before "obj" is actually needed, adjusting error
paths suitably once again.

Signed-off-by: Jan Beulich <jbeulich at suse.com>
Cc: Daniel Vetter <daniel.vetter at intel.com>
Cc: Thierry Reding <treding at nvidia.com>
---
 drivers/gpu/drm/mgag200/mgag200_cursor.c |   18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)

--- 4.3-rc6/drivers/gpu/drm/mgag200/mgag200_cursor.c
+++ 4.3-rc6-mgag200-cursor-set/drivers/gpu/drm/mgag200/mgag200_cursor.c
@@ -40,7 +40,7 @@ int mga_crtc_cursor_set(struct drm_crtc
        struct mgag200_bo *pixels_2 = mdev->cursor.pixels_2;
        struct mgag200_bo *pixels_current = mdev->cursor.pixels_current;
        struct mgag200_bo *pixels_prev = mdev->cursor.pixels_prev;
-       struct drm_gem_object *obj;
+       struct drm_gem_object *obj = NULL;
        struct mgag200_bo *bo = NULL;
        int ret = 0;
        unsigned int i, row, col;
@@ -70,15 +70,11 @@ int mga_crtc_cursor_set(struct drm_crtc
        BUG_ON(pixels_2 != pixels_current && pixels_2 != pixels_prev);
        BUG_ON(pixels_current == pixels_prev);

-       obj = drm_gem_object_lookup(dev, file_priv, handle);
-       if (!obj)
-               return -ENOENT;
-
        ret = mgag200_bo_reserve(pixels_1, true);
        if (ret) {
                WREG8(MGA_CURPOSXL, 0);
                WREG8(MGA_CURPOSXH, 0);
-               goto out_unref;
+               return ret;
        }
        ret = mgag200_bo_reserve(pixels_2, true);
        if (ret) {
@@ -110,6 +106,12 @@ int mga_crtc_cursor_set(struct drm_crtc
                }
        }

+       obj = drm_gem_object_lookup(dev, file_priv, handle);
+       if (!obj) {
+               ret = -ENOENT;
+               goto out1;
+       }
+
        bo = gem_to_mga_bo(obj);
        ret = mgag200_bo_reserve(bo, true);
        if (ret) {
@@ -243,13 +245,13 @@ int mga_crtc_cursor_set(struct drm_crtc
  out2:
        mgag200_bo_unreserve(bo);
  out1:
+       if (obj)
+               drm_gem_object_unreference_unlocked(obj);
        if (ret)
                mga_hide_cursor(mdev);
        mgag200_bo_unreserve(pixels_1);
 out_unreserve1:
        mgag200_bo_unreserve(pixels_2);
-out_unref:
-       drm_gem_object_unreference_unlocked(obj);

        return ret;
 }

Reply via email to