To: "Michael J .
Ruhl" , Colin King , Daniel Vetter , David Airlie , Jani Nikula , Joonas Lahtinen , Rodrigo Vivi , Tvrtko Ursulin , dri-devel@lists.freedesktop.org, intel-gfx@lists.freedesktop.org From: Chris Wilson In-Reply-To: <20200123151406.51679-1-colin.king@canonical.com> Cc: kernel-janitors@vger.kernel.org, linux-kernel@vger.kernel.org References: <20200123151406.51679-1-colin.king@canonical.com> Message-ID: <157979308341.19995.6106728840274572701@skylake-alporthouse-com> User-Agent: alot/0.6 Subject: Re: [PATCH][next] drm/i915/gem: fix null pointer dereference on vm Date: Thu, 23 Jan 2020 15:24:43 +0000 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Quoting Colin King (2020-01-23 15:14:06) > From: Colin Ian King > > Currently if the call to function context_get_vm_rcu returns > a null pointer for vm then the error exit path via label err_put > will call i915_vm_put on the null vm, causing a null pointer > dereference. Fix this by adding a null check on vm and returning > without calling the i915_vm_put. > > Fixes: 5dbd2b7be61e ("drm/i915/gem: Convert vm idr to xarray") > Signed-off-by: Colin Ian King Hmm. Actually, we can drop the rcu_read_lock as soon as we've acquire the local ref to ctx->vm. So something like, if (!rcu_access_pointer(ctx->vm)) return -ENODEV; - err = -ENODEV; rcu_read_lock(); vm = context_get_vm_rcu(ctx); - if (vm) - err = xa_alloc(&file_priv->vm_xa, &id, vm, - xa_limit_32b, GFP_KERNEL); rcu_read_unlock(); + if (!vm) + return -ENODEV; + + err = xa_alloc(&file_priv->vm_xa, &id, vm, + xa_limit_32b, GFP_KERNEL); if (err) goto err_put; would work. -Chris
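Review bot: the removed lines call xa_alloc() with GFP_KERNEL while rcu_read_lock() is held; a GFP_KERNEL allocation may sleep and an RCU read-side critical section may not, so moving the allocation after rcu_read_unlock() as the `+` lines do is needed on its own merits and deserves a sentence in the changelog next to the NULL dereference. Two things to confirm on the added lines: context_get_vm_rcu() must hand back its own reference (taken under the lock) so vm stays valid once the read lock is dropped before `+ err = xa_alloc(&file_priv->vm_xa, &id, vm,`, and the early `+ if (!vm) return -ENODEV;` is what makes err_put safe, since the `if (err) goto err_put;` after xa_alloc() is now the only way into err_put and it is reached with a non-NULL vm whose extra reference i915_vm_put() drops.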
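As an added example, not code from this thread or from the i915 driver: a userspace C model of the two control flows in the quoted patch, the `-` ordering beside the `+` ordering. RCU is represented only by comments, and every name (model_vm, model_ctx, model_get_vm, model_vm_put, model_xa_alloc, model_vm_create_before, model_vm_create_after) is a hypothetical stand-in for the kernel helper it is named after. What it shows is that with the `+` ordering the no-vm case never reaches err_put, and the reference taken under the lock is dropped exactly once on allocation failure, while the `-` ordering hands NULL to put().

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

struct model_vm { int refcount; };		/* models the kref inside the kernel's address-space object */
struct model_ctx { struct model_vm *vm; };	/* NULL models a context without a private vm */

static int model_null_puts;	/* how often put() was handed NULL; the real put would crash */

/* Stand-in for context_get_vm_rcu(): called with the RCU read lock held,
 * returns NULL if the context has no vm, otherwise takes a reference. */
static struct model_vm *model_get_vm(struct model_ctx *ctx)
{
	if (!ctx->vm)
		return NULL;
	ctx->vm->refcount++;
	return ctx->vm;
}

/* Stand-in for i915_vm_put(); the real one dereferences vm unconditionally. */
static void model_vm_put(struct model_vm *vm)
{
	if (!vm) {
		model_null_puts++;
		return;
	}
	vm->refcount--;
}

/* Stand-in for xa_alloc(): ids start at 1 (0 is reserved); can be forced to fail. */
static int model_xa_alloc(unsigned int *id, struct model_vm *vm, bool fail)
{
	static unsigned int next_id = 1;
	(void)vm;
	if (fail)
		return -ENOMEM;
	*id = next_id++;
	return 0;
}

/* Flow of the `-` lines: with no vm, err stays -ENODEV and err_put hands NULL
 * to put(); the (possibly sleeping) allocation also sits inside the RCU section. */
static int model_vm_create_before(struct model_ctx *ctx, unsigned int *out, bool fail)
{
	struct model_vm *vm;
	unsigned int id;
	int err = -ENODEV;

	/* rcu_read_lock(); */
	vm = model_get_vm(ctx);
	if (vm)
		err = model_xa_alloc(&id, vm, fail);
	/* rcu_read_unlock(); */
	if (err)
		goto err_put;
	*out = id;
	return 0;
err_put:
	model_vm_put(vm);	/* vm == NULL on the no-vm path */
	return err;
}

/* Flow of the `+` lines: the lock is dropped as soon as the reference is held,
 * the no-vm case returns before err_put, and err_put is only reached from an
 * allocation failure, with a non-NULL vm holding exactly one extra reference. */
static int model_vm_create_after(struct model_ctx *ctx, unsigned int *out, bool fail)
{
	struct model_vm *vm;
	unsigned int id;
	int err;

	/* rcu_read_lock(); */
	vm = model_get_vm(ctx);
	/* rcu_read_unlock(); */
	if (!vm)
		return -ENODEV;
	err = model_xa_alloc(&id, vm, fail);
	if (err)
		goto err_put;
	*out = id;
	return 0;
err_put:
	model_vm_put(vm);	/* drops exactly the reference model_get_vm() took */
	return err;
}

int main(void)
{
	struct model_vm vm = { .refcount = 1 };
	struct model_ctx has = { .vm = &vm }, none = { .vm = NULL };
	unsigned int id = 0;
	int err = model_vm_create_after(&none, &id, false);
	printf("fixed, no vm: err %d, NULL puts %d\n", err, model_null_puts);
	err = model_vm_create_after(&has, &id, true);
	printf("fixed, alloc failure: err %d, refcount %d\n", err, vm.refcount);
	err = model_vm_create_before(&none, &id, false);
	printf("before, no vm: err %d, NULL puts %d\n", err, model_null_puts);
	return 0;
}
```

Build with `cc -Wall model.c`; the last line of output is the `-` ordering handing NULL to put(), which is the dereference Colin's report describes, and the refcount printed after the forced allocation failure shows the `+` ordering leaving the reference count where it started.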