[v1,2/2] drm/gem: Check whether object is NULL in drm_gem_vunmap()

  The drm_gem_vunmap() will crash with a NULL dereference if the passed
object pointer is NULL. It wasn't a problem before we added the locking
support to drm_gem_vunmap function because the mapping argument was always
NULL together with the object. Make drm_gem_vunmap() functions to handle
the NULL pointers better.

Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Link: https://lore.kernel.org/dri-devel/Y1kFEGxT8MVlf32V@kili/
Fixes: 79e2cf2e7a19 ("drm/gem: Take reservation lock for vmap/vunmap operations")
Signed-off-by: Dmitry Osipenko <dmitry.osipenko@collabora.com>
---
 drivers/gpu/drm/drm_gem.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
  

Am 27.10.22 um 00:46 schrieb Dmitry Osipenko:
> The drm_gem_vunmap() will crash with a NULL dereference if the passed
> object pointer is NULL. It wasn't a problem before we added the locking
> support to drm_gem_vunmap function because the mapping argument was always
> NULL together with the object. Make drm_gem_vunmap() functions to handle
> the NULL pointers better.
>
> Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
> Link: https://lore.kernel.org/dri-devel/Y1kFEGxT8MVlf32V@kili/
> Fixes: 79e2cf2e7a19 ("drm/gem: Take reservation lock for vmap/vunmap operations")
> Signed-off-by: Dmitry Osipenko <dmitry.osipenko@collabora.com>
> ---
>   drivers/gpu/drm/drm_gem.c | 9 ++++++---
>   1 file changed, 6 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/gpu/drm/drm_gem.c b/drivers/gpu/drm/drm_gem.c
> index b8db675e7fb5..ee0a246ff4ac 100644
> --- a/drivers/gpu/drm/drm_gem.c
> +++ b/drivers/gpu/drm/drm_gem.c
> @@ -1175,11 +1175,11 @@ EXPORT_SYMBOL(drm_gem_vmap);
>   
>   void drm_gem_vunmap(struct drm_gem_object *obj, struct iosys_map *map)
>   {
> -	dma_resv_assert_held(obj->resv);
> -
> -	if (iosys_map_is_null(map))
> +	if (!obj || iosys_map_is_null(map))
>   		return;

I'm not very keen about that. Calling a function with all parameters 
NULL doesn't make much sense and is clearly a coding error. Hiding that 
somehow doesn't help but rather makes things worse.

The only execption to that are things like kfree() or *_put() which work 
with the lifetime of objects.

Why is the static checker complaining about that in the first place?

Regards,
Christian.

>   
> +	dma_resv_assert_held(obj->resv);
> +
>   	if (obj->funcs->vunmap)
>   		obj->funcs->vunmap(obj, map);
>   
> @@ -1202,6 +1202,9 @@ EXPORT_SYMBOL(drm_gem_vmap_unlocked);
>   
>   void drm_gem_vunmap_unlocked(struct drm_gem_object *obj, struct iosys_map *map)
>   {
> +	if (!obj || iosys_map_is_null(map))
> +		return;
> +
>   	dma_resv_lock(obj->resv, NULL);
>   	drm_gem_vunmap(obj, map);
>   	dma_resv_unlock(obj->resv);
  

On Thu, Oct 27, 2022 at 08:17:31AM +0200, Christian König wrote:
> 
> 
> Am 27.10.22 um 00:46 schrieb Dmitry Osipenko:
> > The drm_gem_vunmap() will crash with a NULL dereference if the passed
> > object pointer is NULL. It wasn't a problem before we added the locking
> > support to drm_gem_vunmap function because the mapping argument was always
> > NULL together with the object. Make drm_gem_vunmap() functions to handle
> > the NULL pointers better.
> > 
> > Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
> > Link: https://lore.kernel.org/dri-devel/Y1kFEGxT8MVlf32V@kili/  Fixes:
> > 79e2cf2e7a19 ("drm/gem: Take reservation lock for vmap/vunmap
> > operations")
> > Signed-off-by: Dmitry Osipenko <dmitry.osipenko@collabora.com>
> > ---
> >   drivers/gpu/drm/drm_gem.c | 9 ++++++---
> >   1 file changed, 6 insertions(+), 3 deletions(-)
> > 
> > diff --git a/drivers/gpu/drm/drm_gem.c b/drivers/gpu/drm/drm_gem.c
> > index b8db675e7fb5..ee0a246ff4ac 100644
> > --- a/drivers/gpu/drm/drm_gem.c
> > +++ b/drivers/gpu/drm/drm_gem.c
> > @@ -1175,11 +1175,11 @@ EXPORT_SYMBOL(drm_gem_vmap);
> >   void drm_gem_vunmap(struct drm_gem_object *obj, struct iosys_map *map)
> >   {
> > -	dma_resv_assert_held(obj->resv);
> > -
> > -	if (iosys_map_is_null(map))
> > +	if (!obj || iosys_map_is_null(map))
> >   		return;
> 
> I'm not very keen about that. Calling a function with all parameters NULL
> doesn't make much sense and is clearly a coding error. Hiding that somehow
> doesn't help but rather makes things worse.
> 
> The only execption to that are things like kfree() or *_put() which work
> with the lifetime of objects.
> 
> Why is the static checker complaining about that in the first place?
> 

drivers/gpu/drm/drm_client.c:240 drm_client_buffer_delete()
warn: variable dereferenced before check 'buffer->gem' (see line 238)

regards,
dan carpenter
  

Am 27.10.22 um 09:28 schrieb Dan Carpenter:
> On Thu, Oct 27, 2022 at 08:17:31AM +0200, Christian König wrote:
>>
>> Am 27.10.22 um 00:46 schrieb Dmitry Osipenko:
>>> The drm_gem_vunmap() will crash with a NULL dereference if the passed
>>> object pointer is NULL. It wasn't a problem before we added the locking
>>> support to drm_gem_vunmap function because the mapping argument was always
>>> NULL together with the object. Make drm_gem_vunmap() functions to handle
>>> the NULL pointers better.
>>>
>>> Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
>>> Link: https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Flore.kernel.org%2Fdri-devel%2FY1kFEGxT8MVlf32V%40kili%2F&amp;data=05%7C01%7Cchristian.koenig%40amd.com%7C50d3b7e10eca4c7fb72108dab7ecd646%7C3dd8961fe4884e608e11a82d994e183d%7C0%7C0%7C638024525139985844%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&amp;sdata=ET0TRHscb1bQVVHgBkmYvTQyV2Q6WqcMC83LDlrY5ZM%3D&amp;reserved=0  Fixes:
>>> 79e2cf2e7a19 ("drm/gem: Take reservation lock for vmap/vunmap
>>> operations")
>>> Signed-off-by: Dmitry Osipenko <dmitry.osipenko@collabora.com>
>>> ---
>>>    drivers/gpu/drm/drm_gem.c | 9 ++++++---
>>>    1 file changed, 6 insertions(+), 3 deletions(-)
>>>
>>> diff --git a/drivers/gpu/drm/drm_gem.c b/drivers/gpu/drm/drm_gem.c
>>> index b8db675e7fb5..ee0a246ff4ac 100644
>>> --- a/drivers/gpu/drm/drm_gem.c
>>> +++ b/drivers/gpu/drm/drm_gem.c
>>> @@ -1175,11 +1175,11 @@ EXPORT_SYMBOL(drm_gem_vmap);
>>>    void drm_gem_vunmap(struct drm_gem_object *obj, struct iosys_map *map)
>>>    {
>>> -	dma_resv_assert_held(obj->resv);
>>> -
>>> -	if (iosys_map_is_null(map))
>>> +	if (!obj || iosys_map_is_null(map))
>>>    		return;
>> I'm not very keen about that. Calling a function with all parameters NULL
>> doesn't make much sense and is clearly a coding error. Hiding that somehow
>> doesn't help but rather makes things worse.
>>
>> The only execption to that are things like kfree() or *_put() which work
>> with the lifetime of objects.
>>
>> Why is the static checker complaining about that in the first place?
>>
> drivers/gpu/drm/drm_client.c:240 drm_client_buffer_delete()
> warn: variable dereferenced before check 'buffer->gem' (see line 238)

Well than rather modify drm_client_buffer_delete() instead.

Calling drm_gem_vunmap() with obj NULL is certainly not a good idea if 
we even check that for drm_gem_object_put().

Interesting that the static checkers complain about that :)

Regards,
Christian.

>
> regards,
> dan carpenter
>