Received: by 2002:a25:8b91:0:0:0:0:0 with SMTP id j17csp770045ybl;
        Thu, 23 Jan 2020 07:26:23 -0800 (PST)
X-Google-Smtp-Source: APXvYqyTS3dCg/5hVinOh6Mqx9L2O0Gc/bd5DFDBnatNKJsAiEaIxa6ymrU/337MsKHS6q62Uwhi
X-Received: by 2002:a9d:4796:: with SMTP id b22mr11219063otf.353.1579793183226;
        Thu, 23 Jan 2020 07:26:23 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1579793183; cv=none;
        d=google.com; s=arc-20160816;
        b=ovz3+QKO5pZwv2C0EIvL1G4KpF+PlVXFONGWojh5foNWOxmdE4X95djrjLqinhwVUp
         iBda/uuqNCIFH9Gc1No+//neeg7ArQIrewmeJPlyrnA4t/Sqpnw9582pvwKCFBurRnb1
         1wAet1midVNM7xfQfRw+xBsE64tyB+0waybC2xv2OT12hyHdh5t5lsFfwxzBQutyJIRx
         4wl4WINAQqSuHY8ESbbuyZGzQauVaSfMG3yg3G7pLL0GneNqp3QzSf5cG8rrcxzZP9ga
         dhCtbTEW2UqeH7NO1U1kswmfCpa2waWuoXuk7bJN0r2SQ5PfZilEVIsBt3fv8nPGf2dZ
         HqlA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:date:subject:user-agent:message-id
         :references:cc:in-reply-to:from:to:content-transfer-encoding
         :mime-version;
        bh=wR3BW1iVBTKUvbqjSkbFakoBNHa8Eqzl/Z04OwyjFxk=;
        b=B8eHx6EwSaGnrhDwOsJ2FbqG/BlIBDu2SAGvFnWp+TUBkm61/9002gyQkxMVErG42s
         aykeW6FammoR1AHr67poufjnuuCjwKmHgSxtGWK8gxo+knXTuAPgyFikm7jTUpxGbERc
         r+T4IjiNnvo+nXnrP26cl6NytYs/UMBeqEinB8braEhnkP7YVSZYnpaG/z9wEL+beEPo
         Lw28ZZGqEc2Tnz21jOo7s8ygjgXoaCF2VyONkKCfP1C9shJqWFQ0md0w6QuesbHfo10u
         wlsqmstbsgydXDuEo9y/GxyVDXfOmOOs9oMwy2y63dXX8XiKdKqD4Iyb+jXT/nIu4KoQ
         jU3A==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id e13si1245872otp.164.2020.01.23.07.26.11;
        Thu, 23 Jan 2020 07:26:23 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1728899AbgAWPYu convert rfc822-to-8bit (ORCPT
        <rfc822;lans.zhang2008@gmail.com> + 99 others);
        Thu, 23 Jan 2020 10:24:50 -0500
Received: from mail.fireflyinternet.com ([109.228.58.192]:50517 "EHLO
        fireflyinternet.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org
        with ESMTP id S1726968AbgAWPYu (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 23 Jan 2020 10:24:50 -0500
X-Default-Received-SPF: pass (skip=forwardok (res=PASS)) x-ip-name=78.156.65.138;
Received: from localhost (unverified [78.156.65.138]) 
        by fireflyinternet.com (Firefly Internet (M1)) with ESMTP (TLS) id 19984240-1500050 
        for multiple; Thu, 23 Jan 2020 15:24:46 +0000
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8BIT
To:     "Michael J . Ruhl" <michael.j.ruhl@intel.com>,
        Colin King <colin.king@canonical.com>,
        Daniel Vetter <daniel@ffwll.ch>,
        David Airlie <airlied@linux.ie>,
        Jani Nikula <jani.nikula@linux.intel.com>,
        Joonas Lahtinen <joonas.lahtinen@linux.intel.com>,
        Rodrigo Vivi <rodrigo.vivi@intel.com>,
        Tvrtko Ursulin <tvrtko.ursulin@intel.com>,
        dri-devel@lists.freedesktop.org, intel-gfx@lists.freedesktop.org
From:   Chris Wilson <chris@chris-wilson.co.uk>
In-Reply-To: <20200123151406.51679-1-colin.king@canonical.com>
Cc:     kernel-janitors@vger.kernel.org, linux-kernel@vger.kernel.org
References: <20200123151406.51679-1-colin.king@canonical.com>
Message-ID: <157979308341.19995.6106728840274572701@skylake-alporthouse-com>
User-Agent: alot/0.6
Subject: Re: [PATCH][next] drm/i915/gem: fix null pointer dereference on vm
Date:   Thu, 23 Jan 2020 15:24:43 +0000
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Quoting Colin King (2020-01-23 15:14:06)
> From: Colin Ian King <colin.king@canonical.com>
> 
> Currently if the call to function context_get_vm_rcu returns
> a null pointer for vm then the error exit path via label err_put
> will call i915_vm_put on the null vm, causing a null pointer
> dereference.  Fix this by adding a null check on vm and returning
> without calling the i915_vm_put.
> 
> Fixes: 5dbd2b7be61e ("drm/i915/gem: Convert vm idr to xarray")
> Signed-off-by: Colin Ian King <colin.king@canonical.com>

Hmm. Actually, we can drop the rcu_read_lock as soon as we've acquire
the local ref to ctx->vm. So something like,

        if (!rcu_access_pointer(ctx->vm))
                return -ENODEV;

-       err = -ENODEV;
        rcu_read_lock();
        vm = context_get_vm_rcu(ctx);
-       if (vm)
-               err = xa_alloc(&file_priv->vm_xa, &id, vm,
-                              xa_limit_32b, GFP_KERNEL);
        rcu_read_unlock();
+       if (!vm)
+               return -ENODEV;
+
+       err = xa_alloc(&file_priv->vm_xa, &id, vm,
+                      xa_limit_32b, GFP_KERNEL);
        if (err)
                goto err_put;

would work.
-Chris