* [PATCH] drm/ttm: fix invalid NULL deref
@ 2021-03-25 15:27 Christian König
  2021-03-25 15:31 ` Colin Ian King
  0 siblings, 1 reply; 3+ messages in thread
From: Christian König @ 2021-03-25 15:27 UTC (permalink / raw)
  To: colin.king, dri-devel

The BO might be NULL in this function, use the bdev directly.

Signed-off-by: Christian König <christian.koenig@amd.com>
Reported-by: Colin Ian King <colin.king@canonical.com>
Fixes: a1f091f8ef2b ("drm/ttm: switch to per device LRU lock")
---
 drivers/gpu/drm/ttm/ttm_bo.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/gpu/drm/ttm/ttm_bo.c b/drivers/gpu/drm/ttm/ttm_bo.c
index 2d2ac532987e..6ab7b66ce36d 100644
--- a/drivers/gpu/drm/ttm/ttm_bo.c
+++ b/drivers/gpu/drm/ttm/ttm_bo.c
@@ -625,7 +625,7 @@ int ttm_mem_evict_first(struct ttm_device *bdev,
 	unsigned i;
 	int ret;
 
-	spin_lock(&bo->bdev->lru_lock);
+	spin_lock(&bdev->lru_lock);
 	for (i = 0; i < TTM_MAX_BO_PRIORITY; ++i) {
 		list_for_each_entry(bo, &man->lru[i], lru) {
 			bool busy;
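Review bot: At this first spin_lock() in ttm_mem_evict_first(), bo has not been assigned yet (the declaration shown in the test robot's listing later in this thread initialises it to NULL), so the removed `&bo->bdev->lru_lock` dereferenced NULL on every call, not only in some cases. The changelog's "might be NULL" understates that; suggest saying that bo is always NULL at the lock and is NULL again in the `if (!bo)` branch, which helps anyone triaging the Fixes: commit for backport.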
@@ -662,7 +662,7 @@ int ttm_mem_evict_first(struct ttm_device *bdev,
 	if (!bo) {
 		if (busy_bo && !ttm_bo_get_unless_zero(busy_bo))
 			busy_bo = NULL;
-		spin_unlock(&bo->bdev->lru_lock);
+		spin_unlock(&bdev->lru_lock);
 		ret = ttm_mem_evict_wait_busy(busy_bo, ctx, ticket);
 		if (busy_bo)
 			ttm_bo_put(busy_bo);
@@ -676,7 +676,7 @@ int ttm_mem_evict_first(struct ttm_device *bdev,
 		return ret;
 	}
 
-	spin_unlock(&bo->bdev->lru_lock);
+	spin_unlock(&bdev->lru_lock);
 
 	ret = ttm_bo_evict(bo, ctx);
 	if (locked)
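Review bot: The `return ret;` two lines above this spin_unlock() leaves the function before the unlock, so that path depends on something other than this function to drop lru_lock. With all three sites now naming `&bdev->lru_lock`, smatch reports "inconsistent returns" for the function (see the test robot's report in this thread); if the callee on that early-return path is what releases the lock, a one-line comment before the return saying so would document the contract. At this site bo is non-NULL, so the old expression was valid here and the change is for consistency with the other two.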
-- 
2.25.1

_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel


* Re: [PATCH] drm/ttm: fix invalid NULL deref
  2021-03-25 15:27 [PATCH] drm/ttm: fix invalid NULL deref Christian König
@ 2021-03-25 15:31 ` Colin Ian King
  0 siblings, 0 replies; 3+ messages in thread
From: Colin Ian King @ 2021-03-25 15:31 UTC (permalink / raw)
  To: Christian König, dri-devel

On 25/03/2021 15:27, Christian König wrote:
> The BO might be NULL in this function, use the bdev directly.
> 
> Signed-off-by: Christian König <christian.koenig@amd.com>
> Reported-by: Colin Ian King <colin.king@canonical.com>
> Fixes: a1f091f8ef2b ("drm/ttm: switch to per device LRU lock")
> ---
>  drivers/gpu/drm/ttm/ttm_bo.c | 6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)
> 
> diff --git a/drivers/gpu/drm/ttm/ttm_bo.c b/drivers/gpu/drm/ttm/ttm_bo.c
> index 2d2ac532987e..6ab7b66ce36d 100644
> --- a/drivers/gpu/drm/ttm/ttm_bo.c
> +++ b/drivers/gpu/drm/ttm/ttm_bo.c
> @@ -625,7 +625,7 @@ int ttm_mem_evict_first(struct ttm_device *bdev,
>  	unsigned i;
>  	int ret;
>  
> -	spin_lock(&bo->bdev->lru_lock);
> +	spin_lock(&bdev->lru_lock);
>  	for (i = 0; i < TTM_MAX_BO_PRIORITY; ++i) {
>  		list_for_each_entry(bo, &man->lru[i], lru) {
>  			bool busy;
> @@ -662,7 +662,7 @@ int ttm_mem_evict_first(struct ttm_device *bdev,
>  	if (!bo) {
>  		if (busy_bo && !ttm_bo_get_unless_zero(busy_bo))
>  			busy_bo = NULL;
> -		spin_unlock(&bo->bdev->lru_lock);
> +		spin_unlock(&bdev->lru_lock);
>  		ret = ttm_mem_evict_wait_busy(busy_bo, ctx, ticket);
>  		if (busy_bo)
>  			ttm_bo_put(busy_bo);
> @@ -676,7 +676,7 @@ int ttm_mem_evict_first(struct ttm_device *bdev,
>  		return ret;
>  	}
>  
> -	spin_unlock(&bo->bdev->lru_lock);
> +	spin_unlock(&bdev->lru_lock);
>  
>  	ret = ttm_bo_evict(bo, ctx);
>  	if (locked)
> 
Looks good to me. Thanks.

Reviewed-by: Colin Ian King <colin.king@canonical.com>

* Re: [PATCH] drm/ttm: fix invalid NULL deref
@ 2021-03-26  0:01 kernel test robot
  0 siblings, 0 replies; 3+ messages in thread
From: kernel test robot @ 2021-03-26  0:01 UTC (permalink / raw)
  To: kbuild


CC: kbuild-all(a)lists.01.org
In-Reply-To: <20210325152740.82633-1-christian.koenig@amd.com>
References: <20210325152740.82633-1-christian.koenig@amd.com>
TO: "Christian König" <ckoenig.leichtzumerken@gmail.com>
TO: colin.king(a)canonical.com
TO: dri-devel(a)lists.freedesktop.org

Hi Christian,

I love your patch! Perhaps something to improve:

[auto build test WARNING on drm-tip/drm-tip]
[also build test WARNING on next-20210325]
[cannot apply to drm-intel/for-linux-next drm-exynos/exynos-drm-next tegra-drm/drm/tegra/for-next linus/master drm/drm-next v5.12-rc4]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch]

url:    https://github.com/0day-ci/linux/commits/Christian-K-nig/drm-ttm-fix-invalid-NULL-deref/20210325-232852
base:   git://anongit.freedesktop.org/drm/drm-tip drm-tip
:::::: branch date: 8 hours ago
:::::: commit date: 8 hours ago
config: x86_64-randconfig-m031-20210325 (attached as .config)
compiler: gcc-9 (Debian 9.3.0-22) 9.3.0

If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>

smatch warnings:
drivers/gpu/drm/ttm/ttm_bo.c:686 ttm_mem_evict_first() warn: inconsistent returns '&bdev->lru_lock'.

vim +686 drivers/gpu/drm/ttm/ttm_bo.c

d367bd2a5e2b12 Christian König   2019-05-22  616  
8af8a109b34fa8 Christian König   2020-10-01  617  int ttm_mem_evict_first(struct ttm_device *bdev,
9de59bc201496f Dave Airlie       2020-08-04  618  			struct ttm_resource_manager *man,
e300180f71037f Michel Dänzer     2014-10-09  619  			const struct ttm_place *place,
d367bd2a5e2b12 Christian König   2019-05-22  620  			struct ttm_operation_ctx *ctx,
d367bd2a5e2b12 Christian König   2019-05-22  621  			struct ww_acquire_ctx *ticket)
ba4e7d973dd09b Thomas Hellstrom  2009-06-10  622  {
d367bd2a5e2b12 Christian König   2019-05-22  623  	struct ttm_buffer_object *bo = NULL, *busy_bo = NULL;
6ba435812e0d85 Christian König   2017-11-08  624  	bool locked = false;
cf6c467d67d319 Christian König   2017-01-10  625  	unsigned i;
6ba435812e0d85 Christian König   2017-11-08  626  	int ret;
ba4e7d973dd09b Thomas Hellstrom  2009-06-10  627  
d4b5264300510f Christian König   2021-03-25  628  	spin_lock(&bdev->lru_lock);
cf6c467d67d319 Christian König   2017-01-10  629  	for (i = 0; i < TTM_MAX_BO_PRIORITY; ++i) {
cf6c467d67d319 Christian König   2017-01-10  630  		list_for_each_entry(bo, &man->lru[i], lru) {
d367bd2a5e2b12 Christian König   2019-05-22  631  			bool busy;
d367bd2a5e2b12 Christian König   2019-05-22  632  
d367bd2a5e2b12 Christian König   2019-05-22  633  			if (!ttm_bo_evict_swapout_allowable(bo, ctx, &locked,
d367bd2a5e2b12 Christian König   2019-05-22  634  							    &busy)) {
0dbd555a011c2d Christian König   2019-07-31  635  				if (busy && !busy_bo && ticket !=
52791eeec1d9f4 Christian König   2019-08-11  636  				    dma_resv_locking_ctx(bo->base.resv))
d367bd2a5e2b12 Christian König   2019-05-22  637  					busy_bo = bo;
6ba435812e0d85 Christian König   2017-11-08  638  				continue;
d367bd2a5e2b12 Christian König   2019-05-22  639  			}
a2ab19fed9d1dc Christian König   2016-08-30  640  
8af8a109b34fa8 Christian König   2020-10-01  641  			if (place && !bdev->funcs->eviction_valuable(bo,
cf6c467d67d319 Christian König   2017-01-10  642  								      place)) {
6ba435812e0d85 Christian König   2017-11-08  643  				if (locked)
52791eeec1d9f4 Christian König   2019-08-11  644  					dma_resv_unlock(bo->base.resv);
e300180f71037f Michel Dänzer     2014-10-09  645  				continue;
e300180f71037f Michel Dänzer     2014-10-09  646  			}
1ec39923ef24f5 Christian König   2019-11-11  647  			if (!ttm_bo_get_unless_zero(bo)) {
1ec39923ef24f5 Christian König   2019-11-11  648  				if (locked)
1ec39923ef24f5 Christian König   2019-11-11  649  					dma_resv_unlock(bo->base.resv);
1ec39923ef24f5 Christian König   2019-11-11  650  				continue;
1ec39923ef24f5 Christian König   2019-11-11  651  			}
e7ab20197be3ee Maarten Lankhorst 2012-11-28  652  			break;
e7ab20197be3ee Maarten Lankhorst 2012-11-28  653  		}
e7ab20197be3ee Maarten Lankhorst 2012-11-28  654  
6ba435812e0d85 Christian König   2017-11-08  655  		/* If the inner loop terminated early, we have our candidate */
6ba435812e0d85 Christian König   2017-11-08  656  		if (&bo->lru != &man->lru[i])
cf6c467d67d319 Christian König   2017-01-10  657  			break;
6ba435812e0d85 Christian König   2017-11-08  658  
6ba435812e0d85 Christian König   2017-11-08  659  		bo = NULL;
cf6c467d67d319 Christian König   2017-01-10  660  	}
cf6c467d67d319 Christian König   2017-01-10  661  
6ba435812e0d85 Christian König   2017-11-08  662  	if (!bo) {
1ec39923ef24f5 Christian König   2019-11-11  663  		if (busy_bo && !ttm_bo_get_unless_zero(busy_bo))
1ec39923ef24f5 Christian König   2019-11-11  664  			busy_bo = NULL;
d4b5264300510f Christian König   2021-03-25  665  		spin_unlock(&bdev->lru_lock);
d367bd2a5e2b12 Christian König   2019-05-22  666  		ret = ttm_mem_evict_wait_busy(busy_bo, ctx, ticket);
d367bd2a5e2b12 Christian König   2019-05-22  667  		if (busy_bo)
1ec39923ef24f5 Christian König   2019-11-11  668  			ttm_bo_put(busy_bo);
d367bd2a5e2b12 Christian König   2019-05-22  669  		return ret;
9c51ba1db37cab Thomas Hellstrom  2009-12-02  670  	}
9c51ba1db37cab Thomas Hellstrom  2009-12-02  671  
1ec39923ef24f5 Christian König   2019-11-11  672  	if (bo->deleted) {
83876c1bed8c91 Christian König   2017-04-12  673  		ret = ttm_bo_cleanup_refs(bo, ctx->interruptible,
83876c1bed8c91 Christian König   2017-04-12  674  					  ctx->no_wait_gpu, locked);
1ec39923ef24f5 Christian König   2019-11-11  675  		ttm_bo_put(bo);
ba4e7d973dd09b Thomas Hellstrom  2009-06-10  676  		return ret;
9c51ba1db37cab Thomas Hellstrom  2009-12-02  677  	}
9c51ba1db37cab Thomas Hellstrom  2009-12-02  678  
d4b5264300510f Christian König   2021-03-25  679  	spin_unlock(&bdev->lru_lock);
9c51ba1db37cab Thomas Hellstrom  2009-12-02  680  
83876c1bed8c91 Christian König   2017-04-12  681  	ret = ttm_bo_evict(bo, ctx);
9165fb879f62a7 Christian König   2019-09-19  682  	if (locked)
ca262a9998d461 Jerome Glisse     2009-12-08  683  		ttm_bo_unreserve(bo);
9c51ba1db37cab Thomas Hellstrom  2009-12-02  684  
1ec39923ef24f5 Christian König   2019-11-11  685  	ttm_bo_put(bo);
ca262a9998d461 Jerome Glisse     2009-12-08 @686  	return ret;
ca262a9998d461 Jerome Glisse     2009-12-08  687  }
ba4e7d973dd09b Thomas Hellstrom  2009-06-10  688  

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all(a)lists.01.org
