| Message ID | 20210731080437.74539-1-islituo@gmail.com |
|---|---|
| State | New |
| Headers | show |
| Series | drm/amdgpu: fix possible null-pointer dereference in amdgpu_ttm_tt_populate() | expand |
Am 31.07.21 um 10:04 schrieb Tuo Li: > The variable ttm is assigned to the variable gtt, and the variable gtt > is checked in: > if (gtt && gtt->userptr) > > This indicates that both ttm and gtt can be NULL. > If so, a null-pointer dereference will occur: > if (ttm->page_flags & TTM_PAGE_FLAG_SG) > > Also, some null-pointer dereferences will occur in the function > ttm_pool_alloc() which is called in: > return ttm_pool_alloc(&adev->mman.bdev.pool, ttm, ctx); > > To fix these possible null-pointer dereferences, the function returns > -EINVAL when ttm is NULL. NAK, the NULL test is just a leftover from when the objects where distinct. Please remove the NULL test instead. Regards, Christian. > > Reported-by: TOTE Robot <oslab@tsinghua.edu.cn> > Signed-off-by: Tuo Li <islituo@gmail.com> > --- > drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c | 5 ++++- > 1 file changed, 4 insertions(+), 1 deletion(-) > > diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c > index 3a55f08e00e1..80440f799c09 100644 > --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c > +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c > @@ -1120,8 +1120,11 @@ static int amdgpu_ttm_tt_populate(struct ttm_device *bdev, > struct amdgpu_device *adev = amdgpu_ttm_adev(bdev); > struct amdgpu_ttm_tt *gtt = (void *)ttm; > > + if (ttm == NULL) > + return -EINVAL; > + > /* user pages are bound by amdgpu_ttm_tt_pin_userptr() */ > - if (gtt && gtt->userptr) { > + if (gtt->userptr) { > ttm->sg = kzalloc(sizeof(struct sg_table), GFP_KERNEL); > if (!ttm->sg) > return -ENOMEM;
Thanks for your feedback! We will remove the null tests according to your advice and prepare a V2 patch. Best wishes, Tuo Li On 2021/8/2 1:19, Christian König wrote: > Am 31.07.21 um 10:04 schrieb Tuo Li: >> The variable ttm is assigned to the variable gtt, and the variable gtt >> is checked in: >> if (gtt && gtt->userptr) >> >> This indicates that both ttm and gtt can be NULL. >> If so, a null-pointer dereference will occur: >> if (ttm->page_flags & TTM_PAGE_FLAG_SG) >> >> Also, some null-pointer dereferences will occur in the function >> ttm_pool_alloc() which is called in: >> return ttm_pool_alloc(&adev->mman.bdev.pool, ttm, ctx); >> >> To fix these possible null-pointer dereferences, the function returns >> -EINVAL when ttm is NULL. > > NAK, the NULL test is just a leftover from when the objects where > distinct. > > Please remove the NULL test instead. > > Regards, > Christian. > >> >> Reported-by: TOTE Robot <oslab@tsinghua.edu.cn> >> Signed-off-by: Tuo Li <islituo@gmail.com> >> --- >> drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c | 5 ++++- >> 1 file changed, 4 insertions(+), 1 deletion(-) >> >> diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c >> b/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c >> index 3a55f08e00e1..80440f799c09 100644 >> --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c >> +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c >> @@ -1120,8 +1120,11 @@ static int amdgpu_ttm_tt_populate(struct >> ttm_device *bdev, >> struct amdgpu_device *adev = amdgpu_ttm_adev(bdev); >> struct amdgpu_ttm_tt *gtt = (void *)ttm; >> + if (ttm == NULL) >> + return -EINVAL; >> + >> /* user pages are bound by amdgpu_ttm_tt_pin_userptr() */ >> - if (gtt && gtt->userptr) { >> + if (gtt->userptr) { >> ttm->sg = kzalloc(sizeof(struct sg_table), GFP_KERNEL); >> if (!ttm->sg) >> return -ENOMEM; >
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c index 3a55f08e00e1..80440f799c09 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c @@ -1120,8 +1120,11 @@ static int amdgpu_ttm_tt_populate(struct ttm_device *bdev, struct amdgpu_device *adev = amdgpu_ttm_adev(bdev); struct amdgpu_ttm_tt *gtt = (void *)ttm; + if (ttm == NULL) + return -EINVAL; + /* user pages are bound by amdgpu_ttm_tt_pin_userptr() */ - if (gtt && gtt->userptr) { + if (gtt->userptr) { ttm->sg = kzalloc(sizeof(struct sg_table), GFP_KERNEL); if (!ttm->sg) return -ENOMEM;
The variable ttm is assigned to the variable gtt, and the variable gtt is checked in: if (gtt && gtt->userptr) This indicates that both ttm and gtt can be NULL. If so, a null-pointer dereference will occur: if (ttm->page_flags & TTM_PAGE_FLAG_SG) Also, some null-pointer dereferences will occur in the function ttm_pool_alloc() which is called in: return ttm_pool_alloc(&adev->mman.bdev.pool, ttm, ctx); To fix these possible null-pointer dereferences, the function returns -EINVAL when ttm is NULL. Reported-by: TOTE Robot <oslab@tsinghua.edu.cn> Signed-off-by: Tuo Li <islituo@gmail.com> --- drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-)