From: Colin King <colin.king@canonical.com>
To: Jani Nikula <jani.nikula@linux.intel.com>,
Joonas Lahtinen <joonas.lahtinen@linux.intel.com>,
Rodrigo Vivi <rodrigo.vivi@intel.com>,
David Airlie <airlied@linux.ie>, Daniel Vetter <daniel@ffwll.ch>,
"Michael J . Ruhl" <michael.j.ruhl@intel.com>,
Chris Wilson <chris@chris-wilson.co.uk>,
Tvrtko Ursulin <tvrtko.ursulin@intel.com>,
intel-gfx@lists.freedesktop.org, dri-devel@lists.freedesktop.org
Cc: kernel-janitors@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH][next] drm/i915/gem: fix null pointer dereference on vm
Date: Thu, 23 Jan 2020 15:14:06 +0000 [thread overview]
Message-ID: <20200123151406.51679-1-colin.king@canonical.com> (raw)
From: Colin Ian King <colin.king@canonical.com>
Currently if the call to function context_get_vm_rcu returns
a null pointer for vm then the error exit path via label err_put
will call i915_vm_put on the null vm, causing a null pointer
dereference. Fix this by adding a null check on vm and returning
without calling the i915_vm_put.
Fixes: 5dbd2b7be61e ("drm/i915/gem: Convert vm idr to xarray")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
---
drivers/gpu/drm/i915/gem/i915_gem_context.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/drivers/gpu/drm/i915/gem/i915_gem_context.c b/drivers/gpu/drm/i915/gem/i915_gem_context.c
index 5d4157e1ccf7..3e6e34ec9fa8 100644
--- a/drivers/gpu/drm/i915/gem/i915_gem_context.c
+++ b/drivers/gpu/drm/i915/gem/i915_gem_context.c
@@ -1005,9 +1005,12 @@ static int get_ppgtt(struct drm_i915_file_private *file_priv,
err = -ENODEV;
rcu_read_lock();
vm = context_get_vm_rcu(ctx);
- if (vm)
- err = xa_alloc(&file_priv->vm_xa, &id, vm,
- xa_limit_32b, GFP_KERNEL);
+ if (!vm) {
+ rcu_read_unlock();
+ return err;
+ }
+ err = xa_alloc(&file_priv->vm_xa, &id, vm,
+ xa_limit_32b, GFP_KERNEL);
rcu_read_unlock();
if (err)
goto err_put;
--
2.24.0
WARNING: multiple messages have this Message-ID (diff)
From: Colin King <colin.king@canonical.com>
To: Jani Nikula <jani.nikula@linux.intel.com>,
Joonas Lahtinen <joonas.lahtinen@linux.intel.com>,
Rodrigo Vivi <rodrigo.vivi@intel.com>,
David Airlie <airlied@linux.ie>, Daniel Vetter <daniel@ffwll.ch>,
"Michael J . Ruhl" <michael.j.ruhl@intel.com>,
Chris Wilson <chris@chris-wilson.co.uk>,
Tvrtko Ursulin <tvrtko.ursulin@intel.com>,
intel-gfx@lists.freedesktop.org, dri-devel@lists.freedesktop.org
Cc: kernel-janitors@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH][next] drm/i915/gem: fix null pointer dereference on vm
Date: Thu, 23 Jan 2020 15:14:06 +0000 [thread overview]
Message-ID: <20200123151406.51679-1-colin.king@canonical.com> (raw)
From: Colin Ian King <colin.king@canonical.com>
Currently if the call to function context_get_vm_rcu returns
a null pointer for vm then the error exit path via label err_put
will call i915_vm_put on the null vm, causing a null pointer
dereference. Fix this by adding a null check on vm and returning
without calling the i915_vm_put.
Fixes: 5dbd2b7be61e ("drm/i915/gem: Convert vm idr to xarray")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
---
drivers/gpu/drm/i915/gem/i915_gem_context.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/drivers/gpu/drm/i915/gem/i915_gem_context.c b/drivers/gpu/drm/i915/gem/i915_gem_context.c
index 5d4157e1ccf7..3e6e34ec9fa8 100644
--- a/drivers/gpu/drm/i915/gem/i915_gem_context.c
+++ b/drivers/gpu/drm/i915/gem/i915_gem_context.c
@@ -1005,9 +1005,12 @@ static int get_ppgtt(struct drm_i915_file_private *file_priv,
err = -ENODEV;
rcu_read_lock();
vm = context_get_vm_rcu(ctx);
- if (vm)
- err = xa_alloc(&file_priv->vm_xa, &id, vm,
- xa_limit_32b, GFP_KERNEL);
+ if (!vm) {
+ rcu_read_unlock();
+ return err;
+ }
+ err = xa_alloc(&file_priv->vm_xa, &id, vm,
+ xa_limit_32b, GFP_KERNEL);
rcu_read_unlock();
if (err)
goto err_put;
--
2.24.0
_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel
WARNING: multiple messages have this Message-ID (diff)
From: Colin King <colin.king@canonical.com>
To: Jani Nikula <jani.nikula@linux.intel.com>,
Joonas Lahtinen <joonas.lahtinen@linux.intel.com>,
Rodrigo Vivi <rodrigo.vivi@intel.com>,
David Airlie <airlied@linux.ie>, Daniel Vetter <daniel@ffwll.ch>,
"Michael J . Ruhl" <michael.j.ruhl@intel.com>,
Chris Wilson <chris@chris-wilson.co.uk>,
Tvrtko Ursulin <tvrtko.ursulin@intel.com>,
intel-gfx@lists.freedesktop.org, dri-devel@lists.freedesktop.org
Cc: kernel-janitors@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [Intel-gfx] [PATCH][next] drm/i915/gem: fix null pointer dereference on vm
Date: Thu, 23 Jan 2020 15:14:06 +0000 [thread overview]
Message-ID: <20200123151406.51679-1-colin.king@canonical.com> (raw)
From: Colin Ian King <colin.king@canonical.com>
Currently if the call to function context_get_vm_rcu returns
a null pointer for vm then the error exit path via label err_put
will call i915_vm_put on the null vm, causing a null pointer
dereference. Fix this by adding a null check on vm and returning
without calling the i915_vm_put.
Fixes: 5dbd2b7be61e ("drm/i915/gem: Convert vm idr to xarray")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
---
drivers/gpu/drm/i915/gem/i915_gem_context.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/drivers/gpu/drm/i915/gem/i915_gem_context.c b/drivers/gpu/drm/i915/gem/i915_gem_context.c
index 5d4157e1ccf7..3e6e34ec9fa8 100644
--- a/drivers/gpu/drm/i915/gem/i915_gem_context.c
+++ b/drivers/gpu/drm/i915/gem/i915_gem_context.c
@@ -1005,9 +1005,12 @@ static int get_ppgtt(struct drm_i915_file_private *file_priv,
err = -ENODEV;
rcu_read_lock();
vm = context_get_vm_rcu(ctx);
- if (vm)
- err = xa_alloc(&file_priv->vm_xa, &id, vm,
- xa_limit_32b, GFP_KERNEL);
+ if (!vm) {
+ rcu_read_unlock();
+ return err;
+ }
+ err = xa_alloc(&file_priv->vm_xa, &id, vm,
+ xa_limit_32b, GFP_KERNEL);
rcu_read_unlock();
if (err)
goto err_put;
--
2.24.0
_______________________________________________
Intel-gfx mailing list
Intel-gfx@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/intel-gfx
next reply other threads:[~2020-01-23 15:14 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-01-23 15:14 Colin King [this message]
2020-01-23 15:14 ` [Intel-gfx] [PATCH][next] drm/i915/gem: fix null pointer dereference on vm Colin King
2020-01-23 15:14 ` Colin King
2020-01-23 15:24 ` Chris Wilson
2020-01-23 15:24 ` [Intel-gfx] " Chris Wilson
2020-01-23 15:24 ` Chris Wilson
2020-01-23 15:26 ` [Intel-gfx] [PATCH] drm/i915/gem: Prevent NULL pointer dereference on missing ctx->vm Chris Wilson
2020-01-23 15:27 ` Colin Ian King
2020-01-24 10:17 ` Joonas Lahtinen
2020-01-24 1:45 ` [Intel-gfx] ✓ Fi.CI.BAT: success for drm/i915/gem: fix null pointer dereference on vm (rev2) Patchwork
2020-01-25 17:54 ` [Intel-gfx] ✓ Fi.CI.IGT: " Patchwork
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200123151406.51679-1-colin.king@canonical.com \
--to=colin.king@canonical.com \
--cc=airlied@linux.ie \
--cc=chris@chris-wilson.co.uk \
--cc=daniel@ffwll.ch \
--cc=dri-devel@lists.freedesktop.org \
--cc=intel-gfx@lists.freedesktop.org \
--cc=jani.nikula@linux.intel.com \
--cc=joonas.lahtinen@linux.intel.com \
--cc=kernel-janitors@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=michael.j.ruhl@intel.com \
--cc=rodrigo.vivi@intel.com \
--cc=tvrtko.ursulin@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.