* [ti:ti-android-linux-4.14.y 8967/9999] drivers/gpu/drm/virtio/virtgpu_ioctl.c:636 virtio_gpu_resource_create_blob_ioctl() error: we previously assumed 'obj->pages' could be null (see line 627)
@ 2020-07-08 9:28 ` Dan Carpenter
0 siblings, 0 replies; 3+ messages in thread
From: Dan Carpenter @ 2020-07-08 9:28 UTC (permalink / raw)
To: kbuild
[-- Attachment #1: Type: text/plain, Size: 10494 bytes --]
tree: git://git.ti.com/ti-linux-kernel/ti-linux-kernel.git ti-android-linux-4.14.y
head: 9325afe9ea703ee9446dec68ad3b687d307d7a2f
commit: a14d324ee3d4b38164f0efa8f4d163e991370559 [8967/9999] Merge branch 'android-4.14-stable' of https://android.googlesource.com/kernel/common into android-feature-ti-linux-4.14.y
config: i386-randconfig-m021-20200707 (attached as .config)
compiler: gcc-7 (Ubuntu 7.5.0-6ubuntu2) 7.5.0
If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
New smatch warnings:
drivers/gpu/drm/virtio/virtgpu_ioctl.c:647 virtio_gpu_resource_create_blob_ioctl() error: potential null dereference 'ents'. (kzalloc returns null)
drivers/gpu/drm/virtio/virtgpu_ioctl.c:694 virtio_gpu_resource_create_blob_ioctl() warn: possible memory leak of 'ents'
Old smatch warnings:
drivers/gpu/drm/virtio/virtgpu_ioctl.c:661 virtio_gpu_resource_create_blob_ioctl() error: we previously assumed 'vfpriv' could be null (see line 606)
drivers/gpu/drm/virtio/virtgpu_ioctl.c:691 virtio_gpu_resource_create_blob_ioctl() error: uninitialized symbol 'buf'.
git remote add ti git://git.ti.com/ti-linux-kernel/ti-linux-kernel.git
git remote update ti
git checkout a14d324ee3d4b38164f0efa8f4d163e991370559
vim +636 drivers/gpu/drm/virtio/virtgpu_ioctl.c
4d701a3899580b Lingfeng Yang 2020-04-16 584 static int virtio_gpu_resource_create_blob_ioctl(struct drm_device *dev,
73738beaa7074c Lingfeng Yang 2020-04-16 585 void *data, struct drm_file *file)
73738beaa7074c Lingfeng Yang 2020-04-16 586 {
dc92d4ac179f5e Lingfeng Yang 2020-04-16 587 void *buf;
dc92d4ac179f5e Lingfeng Yang 2020-04-16 588 int ret, si, nents;
dc92d4ac179f5e Lingfeng Yang 2020-04-16 589 uint32_t handle = 0;
dc92d4ac179f5e Lingfeng Yang 2020-04-16 590 struct scatterlist *sg;
dc92d4ac179f5e Lingfeng Yang 2020-04-16 591 struct virtio_gpu_object *obj;
dc92d4ac179f5e Lingfeng Yang 2020-04-16 592 struct virtio_gpu_fence *fence;
dc92d4ac179f5e Lingfeng Yang 2020-04-16 593 struct virtio_gpu_mem_entry *ents;
4d701a3899580b Lingfeng Yang 2020-04-16 594 struct drm_virtgpu_resource_create_blob *rc_blob = data;
dc92d4ac179f5e Lingfeng Yang 2020-04-16 595 struct virtio_gpu_object_params params = { 0 };
dc92d4ac179f5e Lingfeng Yang 2020-04-16 596 struct virtio_gpu_device *vgdev = dev->dev_private;
4d701a3899580b Lingfeng Yang 2020-04-16 597 struct virtio_gpu_fpriv *vfpriv = file->driver_priv;
dc92d4ac179f5e Lingfeng Yang 2020-04-16 598 bool use_dma_api = !virtio_has_iommu_quirk(vgdev->vdev);
4d701a3899580b Lingfeng Yang 2020-04-16 599 bool mappable = rc_blob->flags & VIRTGPU_RES_BLOB_USE_MAPPABLE;
4d701a3899580b Lingfeng Yang 2020-04-16 600 bool guest = rc_blob->flags & VIRTGPU_RES_BLOB_GUEST_MASK;
4d701a3899580b Lingfeng Yang 2020-04-16 601
4d701a3899580b Lingfeng Yang 2020-04-16 602 params.size = rc_blob->size;
4d701a3899580b Lingfeng Yang 2020-04-16 603 params.blob_flags = rc_blob->flags;
4d701a3899580b Lingfeng Yang 2020-04-16 604 params.blob = true;
4d701a3899580b Lingfeng Yang 2020-04-16 605
4d701a3899580b Lingfeng Yang 2020-04-16 606 if (rc_blob->cmd_size && vfpriv) {
^^^^^^
If "vfpriv" is ever NULL then we are toasted later.
4d701a3899580b Lingfeng Yang 2020-04-16 607 void *buf;
4d701a3899580b Lingfeng Yang 2020-04-16 608 void __user *cmd = u64_to_user_ptr(rc_blob->cmd);
4d701a3899580b Lingfeng Yang 2020-04-16 609
4d701a3899580b Lingfeng Yang 2020-04-16 610 buf = kzalloc(rc_blob->cmd_size, GFP_KERNEL);
4d701a3899580b Lingfeng Yang 2020-04-16 611 if (!buf)
4d701a3899580b Lingfeng Yang 2020-04-16 612 return -ENOMEM;
4d701a3899580b Lingfeng Yang 2020-04-16 613
4d701a3899580b Lingfeng Yang 2020-04-16 614 if (copy_from_user(buf, cmd, rc_blob->cmd_size)) {
4d701a3899580b Lingfeng Yang 2020-04-16 615 kfree(buf);
4d701a3899580b Lingfeng Yang 2020-04-16 616 return -EFAULT;
4d701a3899580b Lingfeng Yang 2020-04-16 617 }
dc92d4ac179f5e Lingfeng Yang 2020-04-16 618
4d701a3899580b Lingfeng Yang 2020-04-16 619 virtio_gpu_cmd_submit(vgdev, buf, rc_blob->cmd_size,
4d701a3899580b Lingfeng Yang 2020-04-16 620 vfpriv->ctx_id, NULL);
4d701a3899580b Lingfeng Yang 2020-04-16 621 }
dc92d4ac179f5e Lingfeng Yang 2020-04-16 622
dc92d4ac179f5e Lingfeng Yang 2020-04-16 623 obj = virtio_gpu_alloc_object(dev, &params, NULL);
dc92d4ac179f5e Lingfeng Yang 2020-04-16 624 if (IS_ERR(obj))
dc92d4ac179f5e Lingfeng Yang 2020-04-16 625 return PTR_ERR(obj);
dc92d4ac179f5e Lingfeng Yang 2020-04-16 626
dc92d4ac179f5e Lingfeng Yang 2020-04-16 627 if (!obj->pages) {
dc92d4ac179f5e Lingfeng Yang 2020-04-16 628 ret = virtio_gpu_object_get_sg_table(vgdev, obj);
dc92d4ac179f5e Lingfeng Yang 2020-04-16 629 if (ret)
dc92d4ac179f5e Lingfeng Yang 2020-04-16 630 goto err_free_obj;
dc92d4ac179f5e Lingfeng Yang 2020-04-16 631 }
dc92d4ac179f5e Lingfeng Yang 2020-04-16 632
4d701a3899580b Lingfeng Yang 2020-04-16 633 if (!guest) {
dc92d4ac179f5e Lingfeng Yang 2020-04-16 634 nents = 0;
dc92d4ac179f5e Lingfeng Yang 2020-04-16 635 } else if (use_dma_api) {
dc92d4ac179f5e Lingfeng Yang 2020-04-16 636 obj->mapped = dma_map_sg(vgdev->vdev->dev.parent,
dc92d4ac179f5e Lingfeng Yang 2020-04-16 637 obj->pages->sgl, obj->pages->nents,
dc92d4ac179f5e Lingfeng Yang 2020-04-16 638 DMA_TO_DEVICE);
dc92d4ac179f5e Lingfeng Yang 2020-04-16 639 nents = obj->mapped;
dc92d4ac179f5e Lingfeng Yang 2020-04-16 640 } else {
dc92d4ac179f5e Lingfeng Yang 2020-04-16 641 nents = obj->pages->nents;
dc92d4ac179f5e Lingfeng Yang 2020-04-16 642 }
dc92d4ac179f5e Lingfeng Yang 2020-04-16 643
4d701a3899580b Lingfeng Yang 2020-04-16 644 ents = kzalloc(nents * sizeof(struct virtio_gpu_mem_entry), GFP_KERNEL);
^^^^^^^^^^^^^^
No check for NULL.
4d701a3899580b Lingfeng Yang 2020-04-16 645 if (guest) {
dc92d4ac179f5e Lingfeng Yang 2020-04-16 646 for_each_sg(obj->pages->sgl, sg, nents, si) {
dc92d4ac179f5e Lingfeng Yang 2020-04-16 @647 ents[si].addr = cpu_to_le64(use_dma_api
dc92d4ac179f5e Lingfeng Yang 2020-04-16 648 ? sg_dma_address(sg)
dc92d4ac179f5e Lingfeng Yang 2020-04-16 649 : sg_phys(sg));
dc92d4ac179f5e Lingfeng Yang 2020-04-16 650 ents[si].length = cpu_to_le32(sg->length);
dc92d4ac179f5e Lingfeng Yang 2020-04-16 651 ents[si].padding = 0;
dc92d4ac179f5e Lingfeng Yang 2020-04-16 652 }
dc92d4ac179f5e Lingfeng Yang 2020-04-16 653 }
dc92d4ac179f5e Lingfeng Yang 2020-04-16 654
dc92d4ac179f5e Lingfeng Yang 2020-04-16 655 fence = virtio_gpu_fence_alloc(vgdev);
dc92d4ac179f5e Lingfeng Yang 2020-04-16 656 if (!fence) {
dc92d4ac179f5e Lingfeng Yang 2020-04-16 657 ret = -ENOMEM;
dc92d4ac179f5e Lingfeng Yang 2020-04-16 658 goto err_free_buf;
This error path needs to free "ents".
dc92d4ac179f5e Lingfeng Yang 2020-04-16 659 }
dc92d4ac179f5e Lingfeng Yang 2020-04-16 660
4d701a3899580b Lingfeng Yang 2020-04-16 661 virtio_gpu_cmd_resource_create_blob(vgdev, obj, vfpriv->ctx_id,
^^^^^^^^^^^^^^
Potential NULL dereference of "vfpriv".
4d701a3899580b Lingfeng Yang 2020-04-16 662 rc_blob->flags, rc_blob->size,
4d701a3899580b Lingfeng Yang 2020-04-16 663 rc_blob->memory_id, nents,
4d701a3899580b Lingfeng Yang 2020-04-16 664 ents);
4d701a3899580b Lingfeng Yang 2020-04-16 665
dc92d4ac179f5e Lingfeng Yang 2020-04-16 666 ret = drm_gem_handle_create(file, &obj->gem_base, &handle);
dc92d4ac179f5e Lingfeng Yang 2020-04-16 667 if (ret)
dc92d4ac179f5e Lingfeng Yang 2020-04-16 668 goto err_fence_put;
dc92d4ac179f5e Lingfeng Yang 2020-04-16 669
4d701a3899580b Lingfeng Yang 2020-04-16 670 if (!guest && mappable) {
4d701a3899580b Lingfeng Yang 2020-04-16 671 virtio_gpu_cmd_map(vgdev, obj, obj->tbo.offset, fence);
4d701a3899580b Lingfeng Yang 2020-04-16 672 }
dc92d4ac179f5e Lingfeng Yang 2020-04-16 673
dc92d4ac179f5e Lingfeng Yang 2020-04-16 674 /*
dc92d4ac179f5e Lingfeng Yang 2020-04-16 675 * No need to call virtio_gpu_object_reserve since the buffer is not
dc92d4ac179f5e Lingfeng Yang 2020-04-16 676 * being used for ttm validation and no other processes can access
dc92d4ac179f5e Lingfeng Yang 2020-04-16 677 * the reservation object at this point.
dc92d4ac179f5e Lingfeng Yang 2020-04-16 678 */
dc92d4ac179f5e Lingfeng Yang 2020-04-16 679 reservation_object_add_excl_fence(obj->tbo.resv, &fence->f);
dc92d4ac179f5e Lingfeng Yang 2020-04-16 680
dc92d4ac179f5e Lingfeng Yang 2020-04-16 681 dma_fence_put(&fence->f);
dc92d4ac179f5e Lingfeng Yang 2020-04-16 682 drm_gem_object_put_unlocked(&obj->gem_base);
dc92d4ac179f5e Lingfeng Yang 2020-04-16 683
4d701a3899580b Lingfeng Yang 2020-04-16 684 rc_blob->res_handle = obj->hw_res_handle;
4d701a3899580b Lingfeng Yang 2020-04-16 685 rc_blob->bo_handle = handle;
73738beaa7074c Lingfeng Yang 2020-04-16 686 return 0;
dc92d4ac179f5e Lingfeng Yang 2020-04-16 687
dc92d4ac179f5e Lingfeng Yang 2020-04-16 688 err_fence_put:
dc92d4ac179f5e Lingfeng Yang 2020-04-16 689 dma_fence_put(&fence->f);
dc92d4ac179f5e Lingfeng Yang 2020-04-16 690 err_free_buf:
dc92d4ac179f5e Lingfeng Yang 2020-04-16 691 kfree(buf);
^^^
Potentially uninitialized.
dc92d4ac179f5e Lingfeng Yang 2020-04-16 692 err_free_obj:
dc92d4ac179f5e Lingfeng Yang 2020-04-16 693 drm_gem_object_release(&obj->gem_base);
dc92d4ac179f5e Lingfeng Yang 2020-04-16 @694 return ret;
73738beaa7074c Lingfeng Yang 2020-04-16 695 }
---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all(a)lists.01.org
[-- Attachment #2: config.gz --]
[-- Type: application/gzip, Size: 31089 bytes --]
^ permalink raw reply [flat|nested] 3+ messages in thread
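The defects annotated in the listing above (inner `buf` shadowing the outer one, no NULL check on the `ents` allocation, `ents` not freed when the fence allocation fails, `vfpriv` dereferenced after only a partial NULL check) are shown here in corrected form as an added userspace model with fault injection. This is not code from the thread or from the driver: `create_blob_model`, `xcalloc`, `xfree`, `run_case`, `err_free_ents` and the structs are hypothetical stand-ins, and the hand-off of buffers to the device queue is not modelled.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed userspace stand-ins (hypothetical names); not kernel code. */
struct mem_entry { uint64_t addr; uint32_t length; uint32_t padding; };
struct fpriv { uint32_t ctx_id; };
struct blob_req { const void *cmd; size_t cmd_size; int guest; unsigned int nents; };

static const struct fpriv sample_fpriv = { 1 };
static int live_allocs;               /* outstanding allocations, to detect leaks */
static int alloc_calls, fail_at = -1; /* fail_at: allocation index forced to fail */

/* Stand-in for kzalloc() with fault injection. */
static void *xcalloc(size_t n, size_t size)
{
	void *p = (alloc_calls++ == fail_at) ? NULL : calloc(n, size);

	if (p)
		live_allocs++;
	return p;
}

/* Stand-in for kfree(); like kfree(), a NULL argument is a no-op. */
static void xfree(void *p)
{
	if (p)
		live_allocs--;
	free(p);
}

static int create_blob_model(const struct fpriv *vfpriv, const struct blob_req *rq)
{
	void *buf = NULL;              /* declared once and initialised: no shadowing */
	struct mem_entry *ents = NULL;
	void *fence;
	unsigned int i, nents;
	int ret;

	if (!vfpriv)                   /* checked once, before any use of ctx_id */
		return -EINVAL;
	if (rq->cmd_size) {
		buf = xcalloc(1, rq->cmd_size);
		if (!buf)
			return -ENOMEM;
		memcpy(buf, rq->cmd, rq->cmd_size); /* models copy_from_user() */
	}
	nents = rq->guest ? rq->nents : 0;
	if (nents) {
		ents = xcalloc(nents, sizeof(*ents));
		if (!ents) {               /* the check missing at line 644 */
			ret = -ENOMEM;
			goto err_free_buf;
		}
		for (i = 0; i < nents; i++) /* constructed addresses and lengths */
			ents[i] = (struct mem_entry){ 0x1000u * (i + 1), 4096, 0 };
	}

	fence = xcalloc(1, 16);
	if (!fence) {
		ret = -ENOMEM;
		goto err_free_ents;        /* unwinds ents as well as buf */
	}
	/* Model only: device-queue ownership is not modelled, so release here. */
	ret = 0;
	xfree(fence);
err_free_ents:
	xfree(ents);
err_free_buf:
	xfree(buf);
	return ret;
}

/* Run one scenario: fail allocation number fail_index (-1 = none). */
static int run_case(int fail_index, const struct fpriv *vfpriv, int guest)
{
	static const char cmd[8] = "CMDDATA";
	struct blob_req rq = { cmd, sizeof(cmd), guest, 4 };

	alloc_calls = live_allocs = 0;
	fail_at = fail_index;
	return create_blob_model(vfpriv, &rq);
}

int main(void)
{
	for (int f = -1; f < 3; f++) {
		int ret = run_case(f, &sample_fpriv, 1);
		printf("fail_at=%d ret=%d outstanding=%d\n", f, ret, live_allocs);
	}
	return 0;
}
```

Failing each allocation in turn and checking that nothing is left outstanding is the same property the smatch "possible memory leak" warning is about, tested dynamically instead of statically.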
* [kbuild] [ti:ti-android-linux-4.14.y 8967/9999] drivers/gpu/drm/virtio/virtgpu_ioctl.c:636 virtio_gpu_resource_create_blob_ioctl() error: we previously assumed 'obj->pages' could be null (see line 627)
@ 2020-07-08 9:28 ` Dan Carpenter
0 siblings, 0 replies; 3+ messages in thread
From: Dan Carpenter @ 2020-07-08 9:28 UTC (permalink / raw)
To: kbuild-all
^ permalink raw reply [flat|nested] 3+ messages in thread
* [ti:ti-android-linux-4.14.y 8967/9999] drivers/gpu/drm/virtio/virtgpu_ioctl.c:636 virtio_gpu_resource_create_blob_ioctl() error: we previously assumed 'obj->pages' could be null (see line 627)
@ 2020-07-08 5:52 kernel test robot
0 siblings, 0 replies; 3+ messages in thread
From: kernel test robot @ 2020-07-08 5:52 UTC (permalink / raw)
To: kbuild
[-- Attachment #1: Type: text/plain, Size: 10482 bytes --]
CC: kbuild-all(a)lists.01.org
TO: Praneeth Bajjuri <praneeth@ti.com>
tree: git://git.ti.com/ti-linux-kernel/ti-linux-kernel.git ti-android-linux-4.14.y
head: 9325afe9ea703ee9446dec68ad3b687d307d7a2f
commit: a14d324ee3d4b38164f0efa8f4d163e991370559 [8967/9999] Merge branch 'android-4.14-stable' of https://android.googlesource.com/kernel/common into android-feature-ti-linux-4.14.y
:::::: branch date: 14 hours ago
:::::: commit date: 2 months ago
config: i386-randconfig-m021-20200707 (attached as .config)
compiler: gcc-7 (Ubuntu 7.5.0-6ubuntu2) 7.5.0
If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
New smatch warnings:
drivers/gpu/drm/virtio/virtgpu_ioctl.c:636 virtio_gpu_resource_create_blob_ioctl() error: we previously assumed 'obj->pages' could be null (see line 627)
drivers/gpu/drm/virtio/virtgpu_ioctl.c:647 virtio_gpu_resource_create_blob_ioctl() error: potential null dereference 'ents'. (kzalloc returns null)
drivers/gpu/drm/virtio/virtgpu_ioctl.c:694 virtio_gpu_resource_create_blob_ioctl() warn: possible memory leak of 'ents'
Old smatch warnings:
drivers/gpu/drm/virtio/virtgpu_ioctl.c:661 virtio_gpu_resource_create_blob_ioctl() error: we previously assumed 'vfpriv' could be null (see line 606)
drivers/gpu/drm/virtio/virtgpu_ioctl.c:691 virtio_gpu_resource_create_blob_ioctl() error: uninitialized symbol 'buf'.
git remote add ti git://git.ti.com/ti-linux-kernel/ti-linux-kernel.git
git remote update ti
git checkout a14d324ee3d4b38164f0efa8f4d163e991370559
vim +636 drivers/gpu/drm/virtio/virtgpu_ioctl.c
62fb7a5e10962a Gerd Hoffmann 2014-10-28 583
4d701a3899580b Lingfeng Yang 2020-04-16 584 static int virtio_gpu_resource_create_blob_ioctl(struct drm_device *dev,
73738beaa7074c Lingfeng Yang 2020-04-16 585 void *data, struct drm_file *file)
73738beaa7074c Lingfeng Yang 2020-04-16 586 {
dc92d4ac179f5e Lingfeng Yang 2020-04-16 587 void *buf;
dc92d4ac179f5e Lingfeng Yang 2020-04-16 588 int ret, si, nents;
dc92d4ac179f5e Lingfeng Yang 2020-04-16 589 uint32_t handle = 0;
dc92d4ac179f5e Lingfeng Yang 2020-04-16 590 struct scatterlist *sg;
dc92d4ac179f5e Lingfeng Yang 2020-04-16 591 struct virtio_gpu_object *obj;
dc92d4ac179f5e Lingfeng Yang 2020-04-16 592 struct virtio_gpu_fence *fence;
dc92d4ac179f5e Lingfeng Yang 2020-04-16 593 struct virtio_gpu_mem_entry *ents;
4d701a3899580b Lingfeng Yang 2020-04-16 594 struct drm_virtgpu_resource_create_blob *rc_blob = data;
dc92d4ac179f5e Lingfeng Yang 2020-04-16 595 struct virtio_gpu_object_params params = { 0 };
dc92d4ac179f5e Lingfeng Yang 2020-04-16 596 struct virtio_gpu_device *vgdev = dev->dev_private;
4d701a3899580b Lingfeng Yang 2020-04-16 597 struct virtio_gpu_fpriv *vfpriv = file->driver_priv;
dc92d4ac179f5e Lingfeng Yang 2020-04-16 598 bool use_dma_api = !virtio_has_iommu_quirk(vgdev->vdev);
4d701a3899580b Lingfeng Yang 2020-04-16 599 bool mappable = rc_blob->flags & VIRTGPU_RES_BLOB_USE_MAPPABLE;
4d701a3899580b Lingfeng Yang 2020-04-16 600 bool guest = rc_blob->flags & VIRTGPU_RES_BLOB_GUEST_MASK;
4d701a3899580b Lingfeng Yang 2020-04-16 601
4d701a3899580b Lingfeng Yang 2020-04-16 602 params.size = rc_blob->size;
4d701a3899580b Lingfeng Yang 2020-04-16 603 params.blob_flags = rc_blob->flags;
4d701a3899580b Lingfeng Yang 2020-04-16 604 params.blob = true;
4d701a3899580b Lingfeng Yang 2020-04-16 605
4d701a3899580b Lingfeng Yang 2020-04-16 606 if (rc_blob->cmd_size && vfpriv) {
4d701a3899580b Lingfeng Yang 2020-04-16 607 void *buf;
4d701a3899580b Lingfeng Yang 2020-04-16 608 void __user *cmd = u64_to_user_ptr(rc_blob->cmd);
4d701a3899580b Lingfeng Yang 2020-04-16 609
4d701a3899580b Lingfeng Yang 2020-04-16 610 buf = kzalloc(rc_blob->cmd_size, GFP_KERNEL);
4d701a3899580b Lingfeng Yang 2020-04-16 611 if (!buf)
4d701a3899580b Lingfeng Yang 2020-04-16 612 return -ENOMEM;
4d701a3899580b Lingfeng Yang 2020-04-16 613
4d701a3899580b Lingfeng Yang 2020-04-16 614 if (copy_from_user(buf, cmd, rc_blob->cmd_size)) {
4d701a3899580b Lingfeng Yang 2020-04-16 615 kfree(buf);
4d701a3899580b Lingfeng Yang 2020-04-16 616 return -EFAULT;
4d701a3899580b Lingfeng Yang 2020-04-16 617 }
dc92d4ac179f5e Lingfeng Yang 2020-04-16 618
4d701a3899580b Lingfeng Yang 2020-04-16 619 virtio_gpu_cmd_submit(vgdev, buf, rc_blob->cmd_size,
4d701a3899580b Lingfeng Yang 2020-04-16 620 vfpriv->ctx_id, NULL);
4d701a3899580b Lingfeng Yang 2020-04-16 621 }
dc92d4ac179f5e Lingfeng Yang 2020-04-16 622
dc92d4ac179f5e Lingfeng Yang 2020-04-16 623 obj = virtio_gpu_alloc_object(dev, &params, NULL);
dc92d4ac179f5e Lingfeng Yang 2020-04-16 624 if (IS_ERR(obj))
dc92d4ac179f5e Lingfeng Yang 2020-04-16 625 return PTR_ERR(obj);
dc92d4ac179f5e Lingfeng Yang 2020-04-16 626
dc92d4ac179f5e Lingfeng Yang 2020-04-16 @627 if (!obj->pages) {
dc92d4ac179f5e Lingfeng Yang 2020-04-16 628 ret = virtio_gpu_object_get_sg_table(vgdev, obj);
dc92d4ac179f5e Lingfeng Yang 2020-04-16 629 if (ret)
dc92d4ac179f5e Lingfeng Yang 2020-04-16 630 goto err_free_obj;
dc92d4ac179f5e Lingfeng Yang 2020-04-16 631 }
dc92d4ac179f5e Lingfeng Yang 2020-04-16 632
4d701a3899580b Lingfeng Yang 2020-04-16 633 if (!guest) {
dc92d4ac179f5e Lingfeng Yang 2020-04-16 634 nents = 0;
dc92d4ac179f5e Lingfeng Yang 2020-04-16 635 } else if (use_dma_api) {
dc92d4ac179f5e Lingfeng Yang 2020-04-16 @636 obj->mapped = dma_map_sg(vgdev->vdev->dev.parent,
dc92d4ac179f5e Lingfeng Yang 2020-04-16 637 obj->pages->sgl, obj->pages->nents,
dc92d4ac179f5e Lingfeng Yang 2020-04-16 638 DMA_TO_DEVICE);
dc92d4ac179f5e Lingfeng Yang 2020-04-16 639 nents = obj->mapped;
dc92d4ac179f5e Lingfeng Yang 2020-04-16 640 } else {
dc92d4ac179f5e Lingfeng Yang 2020-04-16 641 nents = obj->pages->nents;
dc92d4ac179f5e Lingfeng Yang 2020-04-16 642 }
dc92d4ac179f5e Lingfeng Yang 2020-04-16 643
4d701a3899580b Lingfeng Yang 2020-04-16 644 ents = kzalloc(nents * sizeof(struct virtio_gpu_mem_entry), GFP_KERNEL);
4d701a3899580b Lingfeng Yang 2020-04-16 645 if (guest) {
dc92d4ac179f5e Lingfeng Yang 2020-04-16 646 for_each_sg(obj->pages->sgl, sg, nents, si) {
dc92d4ac179f5e Lingfeng Yang 2020-04-16 @647 ents[si].addr = cpu_to_le64(use_dma_api
dc92d4ac179f5e Lingfeng Yang 2020-04-16 648 ? sg_dma_address(sg)
dc92d4ac179f5e Lingfeng Yang 2020-04-16 649 : sg_phys(sg));
dc92d4ac179f5e Lingfeng Yang 2020-04-16 650 ents[si].length = cpu_to_le32(sg->length);
dc92d4ac179f5e Lingfeng Yang 2020-04-16 651 ents[si].padding = 0;
dc92d4ac179f5e Lingfeng Yang 2020-04-16 652 }
dc92d4ac179f5e Lingfeng Yang 2020-04-16 653 }
dc92d4ac179f5e Lingfeng Yang 2020-04-16 654
dc92d4ac179f5e Lingfeng Yang 2020-04-16 655 fence = virtio_gpu_fence_alloc(vgdev);
dc92d4ac179f5e Lingfeng Yang 2020-04-16 656 if (!fence) {
dc92d4ac179f5e Lingfeng Yang 2020-04-16 657 ret = -ENOMEM;
dc92d4ac179f5e Lingfeng Yang 2020-04-16 658 goto err_free_buf;
dc92d4ac179f5e Lingfeng Yang 2020-04-16 659 }
dc92d4ac179f5e Lingfeng Yang 2020-04-16 660
4d701a3899580b Lingfeng Yang 2020-04-16 661 virtio_gpu_cmd_resource_create_blob(vgdev, obj, vfpriv->ctx_id,
4d701a3899580b Lingfeng Yang 2020-04-16 662 rc_blob->flags, rc_blob->size,
4d701a3899580b Lingfeng Yang 2020-04-16 663 rc_blob->memory_id, nents,
4d701a3899580b Lingfeng Yang 2020-04-16 664 ents);
4d701a3899580b Lingfeng Yang 2020-04-16 665
dc92d4ac179f5e Lingfeng Yang 2020-04-16 666 ret = drm_gem_handle_create(file, &obj->gem_base, &handle);
dc92d4ac179f5e Lingfeng Yang 2020-04-16 667 if (ret)
dc92d4ac179f5e Lingfeng Yang 2020-04-16 668 goto err_fence_put;
dc92d4ac179f5e Lingfeng Yang 2020-04-16 669
4d701a3899580b Lingfeng Yang 2020-04-16 670 if (!guest && mappable) {
4d701a3899580b Lingfeng Yang 2020-04-16 671 virtio_gpu_cmd_map(vgdev, obj, obj->tbo.offset, fence);
4d701a3899580b Lingfeng Yang 2020-04-16 672 }
dc92d4ac179f5e Lingfeng Yang 2020-04-16 673
dc92d4ac179f5e Lingfeng Yang 2020-04-16 674 /*
dc92d4ac179f5e Lingfeng Yang 2020-04-16 675 * No need to call virtio_gpu_object_reserve since the buffer is not
dc92d4ac179f5e Lingfeng Yang 2020-04-16 676 * being used for ttm validation and no other processes can access
dc92d4ac179f5e Lingfeng Yang 2020-04-16 677 * the reservation object at this point.
dc92d4ac179f5e Lingfeng Yang 2020-04-16 678 */
dc92d4ac179f5e Lingfeng Yang 2020-04-16 679 reservation_object_add_excl_fence(obj->tbo.resv, &fence->f);
dc92d4ac179f5e Lingfeng Yang 2020-04-16 680
dc92d4ac179f5e Lingfeng Yang 2020-04-16 681 dma_fence_put(&fence->f);
dc92d4ac179f5e Lingfeng Yang 2020-04-16 682 drm_gem_object_put_unlocked(&obj->gem_base);
dc92d4ac179f5e Lingfeng Yang 2020-04-16 683
4d701a3899580b Lingfeng Yang 2020-04-16 684 rc_blob->res_handle = obj->hw_res_handle;
4d701a3899580b Lingfeng Yang 2020-04-16 685 rc_blob->bo_handle = handle;
73738beaa7074c Lingfeng Yang 2020-04-16 686 return 0;
dc92d4ac179f5e Lingfeng Yang 2020-04-16 687
dc92d4ac179f5e Lingfeng Yang 2020-04-16 688 err_fence_put:
dc92d4ac179f5e Lingfeng Yang 2020-04-16 689 dma_fence_put(&fence->f);
dc92d4ac179f5e Lingfeng Yang 2020-04-16 690 err_free_buf:
dc92d4ac179f5e Lingfeng Yang 2020-04-16 691 kfree(buf);
dc92d4ac179f5e Lingfeng Yang 2020-04-16 692 err_free_obj:
dc92d4ac179f5e Lingfeng Yang 2020-04-16 693 drm_gem_object_release(&obj->gem_base);
dc92d4ac179f5e Lingfeng Yang 2020-04-16 @694 return ret;
73738beaa7074c Lingfeng Yang 2020-04-16 695 }
73738beaa7074c Lingfeng Yang 2020-04-16 696
:::::: The code at line 636 was first introduced by commit
:::::: dc92d4ac179f5e6a766616af82827e6c0a17d276 CHROMIUM: drm/virtgpu: implement DRM_VIRTGPU_RESOURCE_CREATE_V2
:::::: TO: Lingfeng Yang <lfy@google.com>
:::::: CC: Alistair Delva <adelva@google.com>
---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all(a)lists.01.org
[-- Attachment #2: config.gz --]
[-- Type: application/gzip, Size: 31089 bytes --]
^ permalink raw reply [flat|nested] 3+ messages in thread