Message ID | 20230417143431.58858-1-n.zhandarovich@fintech.ru |
---|---|
State | New |
Headers |
From: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
To: Alex Deucher <alexander.deucher@amd.com>
CC: Nikita Zhandarovich <n.zhandarovich@fintech.ru>, Christian König <christian.koenig@amd.com>, "Pan, Xinhui" <Xinhui.Pan@amd.com>, David Airlie <airlied@gmail.com>, Daniel Vetter <daniel@ffwll.ch>, Jerome Glisse <jglisse@redhat.com>, <amd-gfx@lists.freedesktop.org>, <dri-devel@lists.freedesktop.org>, <linux-kernel@vger.kernel.org>, <lvc-project@linuxtesting.org>
Subject: [PATCH] drm/ttm: fix null-ptr-deref in radeon_ttm_tt_populate()
Date: Mon, 17 Apr 2023 07:34:31 -0700
Message-ID: <20230417143431.58858-1-n.zhandarovich@fintech.ru>
List-ID: <linux-kernel.vger.kernel.org> |
Series |
drm/ttm: fix null-ptr-deref in radeon_ttm_tt_populate()
|
|
Commit Message
Nikita Zhandarovich
April 17, 2023, 2:34 p.m. UTC
Currently, drm_prime_sg_to_page_addr_arrays() dereferences 'gtt->ttm'
without ensuring that 'gtt' (and therefore 'gtt->ttm') is not NULL.
Fix this by testing 'gtt' for NULL value before dereferencing.
Found by Linux Verification Center (linuxtesting.org) with static
analysis tool SVACE.
Fixes: 40f5cf996991 ("drm/radeon: add PRIME support (v2)")
Signed-off-by: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
---
drivers/gpu/drm/radeon/radeon_ttm.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
Comments
On 17.04.23 at 16:34, Nikita Zhandarovich wrote:
> Currently, drm_prime_sg_to_page_addr_arrays() dereferences 'gtt->ttm'
> without ensuring that 'gtt' (and therefore 'gtt->ttm') is not NULL.
>
> Fix this by testing 'gtt' for NULL value before dereferencing.
>
> Found by Linux Verification Center (linuxtesting.org) with static
> analysis tool SVACE.
>
> Fixes: 40f5cf996991 ("drm/radeon: add PRIME support (v2)")
> Signed-off-by: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
> ---
> drivers/gpu/drm/radeon/radeon_ttm.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/gpu/drm/radeon/radeon_ttm.c b/drivers/gpu/drm/radeon/radeon_ttm.c
> index 1e8e287e113c..33d01c3bdee4 100644
> --- a/drivers/gpu/drm/radeon/radeon_ttm.c
> +++ b/drivers/gpu/drm/radeon/radeon_ttm.c
> @@ -553,7 +553,7 @@ static int radeon_ttm_tt_populate(struct ttm_device *bdev,
> return 0;
> }
>
> - if (slave && ttm->sg) {
> + if (gtt && slave && ttm->sg) {

The gtt variable is derived from the ttm variable and so never NULL
here. The only case when this can be NULL is for AGP and IIRC we don't
support DMA-buf in this case.

> drm_prime_sg_to_dma_addr_array(ttm->sg, gtt->ttm.dma_address,

Just use ttm->dma_addresses instead of gtt->ttm.dma_address here to make
your automated checker happy.

Regards,
Christian.

> ttm->num_pages);
> return 0;
On 4/17/23 07:42, Christian König wrote:
>
>
> On 17.04.23 at 16:34, Nikita Zhandarovich wrote:
>> Currently, drm_prime_sg_to_page_addr_arrays() dereferences 'gtt->ttm'
>> without ensuring that 'gtt' (and therefore 'gtt->ttm') is not NULL.
>>
>> Fix this by testing 'gtt' for NULL value before dereferencing.
>>
>> Found by Linux Verification Center (linuxtesting.org) with static
>> analysis tool SVACE.
>>
>> Fixes: 40f5cf996991 ("drm/radeon: add PRIME support (v2)")
>> Signed-off-by: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
>> ---
>> drivers/gpu/drm/radeon/radeon_ttm.c | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/drivers/gpu/drm/radeon/radeon_ttm.c
>> b/drivers/gpu/drm/radeon/radeon_ttm.c
>> index 1e8e287e113c..33d01c3bdee4 100644
>> --- a/drivers/gpu/drm/radeon/radeon_ttm.c
>> +++ b/drivers/gpu/drm/radeon/radeon_ttm.c
>> @@ -553,7 +553,7 @@ static int radeon_ttm_tt_populate(struct
>> ttm_device *bdev,
>> return 0;
>> }
>> - if (slave && ttm->sg) {
>> + if (gtt && slave && ttm->sg) {
>
> The gtt variable is derived from the ttm variable and so never NULL
> here. The only case when this can be NULL is for AGP and IIRC we don't
> support DMA-buf in this case.
>
>> drm_prime_sg_to_dma_addr_array(ttm->sg, gtt->ttm.dma_address,
>
> Just use ttm->dma_addresses instead of gtt->ttm.dma_address here to make
> your automated checker happy.
>
> Regards,
> Christian.
>
>> ttm->num_pages);
>> return 0;
>

Thank you for your reply, you are absolutely right.
Apologies for wasting your time.

Nikita
diff --git a/drivers/gpu/drm/radeon/radeon_ttm.c b/drivers/gpu/drm/radeon/radeon_ttm.c index 1e8e287e113c..33d01c3bdee4 100644 --- a/drivers/gpu/drm/radeon/radeon_ttm.c +++ b/drivers/gpu/drm/radeon/radeon_ttm.c @@ -553,7 +553,7 @@ static int radeon_ttm_tt_populate(struct ttm_device *bdev, return 0; } - if (slave && ttm->sg) { + if (gtt && slave && ttm->sg) { drm_prime_sg_to_dma_addr_array(ttm->sg, gtt->ttm.dma_address, ttm->num_pages); return 0;
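Review bot: The added `gtt &&` test in `if (gtt && slave && ttm->sg)` turns a NULL `gtt` into a silent fall-through instead of an error: the branch that calls `drm_prime_sg_to_dma_addr_array()` and returns 0 is skipped, and execution continues past it into code the hunk does not show, with the DMA address array for the sg table never filled. If `gtt` can be NULL on this path, the function should return an error explicitly; if it cannot, which is what the maintainer's reply in this thread states, the check is dead code, and the cleaner change is the one suggested there, taking the address array through `ttm` rather than through `gtt` so that no dereference of `gtt` remains in this call. Two smaller points: the commit message names `drm_prime_sg_to_page_addr_arrays()` while the code in the hunk calls `drm_prime_sg_to_dma_addr_array()`, and the subject uses the drm/ttm prefix for a change confined to drivers/gpu/drm/radeon/radeon_ttm.c; both should match the code being changed.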