Subject: Re: [PATCH v2] drm/radeon/radeon_kms: Fix a NULL pointer dereference
 in radeon_driver_open_kms()
To:     Zhou Qingyang <zhou1615@umn.edu>
Cc:     kjlu@umn.edu, Alex Deucher <alexander.deucher@amd.com>,
        "Pan, Xinhui" <Xinhui.Pan@amd.com>,
        David Airlie <airlied@linux.ie>,
        Daniel Vetter <daniel@ffwll.ch>, amd-gfx@lists.freedesktop.org,
        dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org
References: <dc81cea8-f0f2-12c4-bb7b-a6e65dfe6f10@amd.com>
 <20211130153400.174047-1-zhou1615@umn.edu>
From:   =?UTF-8?Q?Christian_K=c3=b6nig?= <christian.koenig@amd.com>
Message-ID: <f776cb6f-d599-a543-9177-dac7d08cf7d4@amd.com>
Date:   Tue, 30 Nov 2021 16:37:37 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
 Thunderbird/78.14.0
In-Reply-To: <20211130153400.174047-1-zhou1615@umn.edu>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Content-Language: en-US
MIME-Version: 1.0
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: =?utf-8?B?bHNyNjcvRXJ6dlg2VCtEN2VWRllBdU9Fa0NuVkxhRHRtUkRuOE9TdzJ6R2R0?=
 =?utf-8?B?c2Vhd2ViTWhzY3FFRzAvMU50MEx5SktUeUtrbjFEenRkOGVvMThnRkpvOGkv?=
 =?utf-8?B?bThIbWdaYVdzeWloMjBJN2V6UVRlVzFyRWZRQk1CaytyN3M0WUdGMFpwSVFi?=
 =?utf-8?B?UmY0Tm80SDlYYk96Vzc4UjltdkJmejNUSnZqUFNIbGY1V3A2QzlUYkFURnZD?=
 =?utf-8?B?UXhKRTByVWN6S0dQT3VLak1DU3paR3lVTUFEQldwUHhTS2xjUGZtaTR4djVr?=
 =?utf-8?B?eTRrbXEwVm01ekMxVWRyWlcveE82c3VPb1k0UXpvV3luVFVCNURHenNQVVVX?=
 =?utf-8?B?WkZ0dVQ1YWY0NUp1K1RPUHRUc3JDSUR4Z2dLQ3ZQUHdTN0w1N2hiZzRVYmNu?=
 =?utf-8?B?SFh1N2djVENNa3ROV3VVRTZQMGErbzI4ekRoOGFpM1Q0ZnVSdktQZllNWCtN?=
 =?utf-8?B?cE42dW15d0I0L21oK0U1b0V4UGM1ZEljZVdtalpibExDMWJyOUtETEk2cXJI?=
 =?utf-8?B?SHBmOXM4UzdBS3VXQlZoRzNPRTVBdC9NUFc4YjhFK1ViNW5LZzdGUlZIRWhx?=
 =?utf-8?B?OXpPQ3NQM3NhYnl4Q1NJcHZPZ25nQjEwczl6bXFiWnlMVHloYTdTL3JOV3RH?=
 =?utf-8?B?NlF0UFlNTXNsKzdZcm5PN0ovaW8vM3FlUEFhSkhXekdlQllaQTBRNG1EdDZl?=
 =?utf-8?B?cU43U2tRbWhXQzdSVEVvR0Q1aWdiSFhrak5FR2NmTDI0KzVuUnJoWDVsTldH?=
 =?utf-8?B?UFpUb1ZkZm16OUI4SGRVbGtsZmVrb2FJWVBGclVuZ1h0Wi9wdGhOdWRrSGEv?=
 =?utf-8?B?dTFZQUpOWlU4RXdsQWt1d2hCQ3Evbk8xNGwzelM0MDJETXd0NVFwYk9HaUsy?=
 =?utf-8?B?bjg5NW8vZTcvb3pZYTRCVGkvaysxRTVJRFM1UnltSlY2QTJRRDMrcjN1U2Jr?=
 =?utf-8?B?TFZCalRGT0t1WjdrNTl0NGxqU3ltUDN3RVVnVDR5TUJPVFRXQzBwTEFrSXg2?=
 =?utf-8?B?UkVuZkpWMjdNSlhUblZKaXN2Wlpoa0dHbGZDU2tsVzZQbUNvQWRTVjRGQm8r?=
 =?utf-8?B?YTRjTmVzRWg5QjdJdzRrTnA1d1BqVFNkUGNaRHkyYnllNWx4TXNrak5YTFUv?=
 =?utf-8?B?TXlMMFhhb0JUblUzUkFVcm9VbytiUlA1enN4Sm81S3JqaEdTRUVTeVVoeERi?=
 =?utf-8?B?dUJOb3d3THUwNmY2a0l1bFFvbEwvTExHckxqaDhkN0twYlowSWFVdTRudGRl?=
 =?utf-8?B?a2lDN3puT3VzQ1pMWDl1eWd0Rm1uUm5TcnIxY3g3Qk56Z0phbjg3eGp4N3M2?=
 =?utf-8?B?UlZlK1J1QnlSbEUzSldVb0tveWpENi92ZzM3eGU4LzFLM2xtMHNFb2xFU0gr?=
 =?utf-8?B?VVMyZ2F5TmZ3WWRHYlE5ZVdrdWcvMGNGbVpUNzVaUkJXb21ZWFhzTzRTcko3?=
 =?utf-8?B?WmxyN1FIUFRoM0Q4dXp4MXVyYlR4NG5zWXJ3NlU5UjAvOFhQK2YrVGJ5aEgx?=
 =?utf-8?B?RmFqaUN5cjR6UXdmem5Oa1RyT1AvT0FibzM5TFVxWWZGTGROR1kvd0tsY3NO?=
 =?utf-8?B?ZTRleHNFUFE0RU93b0s2RjI4ZENPU0l1T0p5ek14cnh6a3V6Z0JYK05SV2cw?=
 =?utf-8?B?djQxdnNHeERQQk9zejFKYUtFLzhmdEplSkdSQXk2bUhBVmdvUUhMeTEwVzFT?=
 =?utf-8?B?cDU5bUVWWkdEeXBzVkwzU2x6MnVpMmpaQkJQWTBIbzRhQytFVGIzZjZSb1pL?=
 =?utf-8?B?b2JhbUY3bytyOTZJK3F4U3RjNHY5U2RFbzBTR0kyVEx2cy9uenlvOWxEUEtR?=
 =?utf-8?B?c2NWQUZPd3kyUGdjOHNEbVpxODlnZElrTTQ5QUlOVkRBeHowTkxVeXZKT0dz?=
 =?utf-8?B?V2U0MHY3UU1IRFJ2emNLMWRZczcrQW5KZlBCR1B2RkRGVWU1K1p3WDB3L3ZO?=
 =?utf-8?B?b2x1U245YTdHaHBKay8wbzRaaFQxMnltMDdoWHpSb215VG01MjcrZlBrc1BQ?=
 =?utf-8?B?Z1Z5bGJoOEE5SDZobjVBNXE2UGFQWldmd1NZTkQxa2RqRVBwTzl3bXZNQlc3?=
 =?utf-8?B?ZyticHI3UlFBOGl5R2xRZ1VaNk9ZVit4MHBVY2hOMndFNGZQVmxreWRMem1i?=
 =?utf-8?B?Z0xRZU9DaVNROGZObi9QOU5YRUduMFFLTmErNHJNcytYMitONG9zbmNjQUE1?=
 =?utf-8?Q?MU2/yuLMVVPdydc3fn1YzSE=3D?=
X-OriginatorOrg: amd.com
X-MS-Exchange-CrossTenant-Network-Message-Id: d80b2255-6b33-48bc-4ddb-08d9b4175b39
X-MS-Exchange-CrossTenant-AuthSource: MWHPR1201MB0192.namprd12.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 30 Nov 2021 15:37:46.0913
 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 3dd8961f-e488-4e60-8e11-a82d994e183d
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: 3crQEeUD+CtqD+oYyc9Dhhii3w9KIV9VWoLZu6GWYwFGPVrTNQ9JGWxaAIOag3j6
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MWHPR12MB1408
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org


Am 30.11.21 um 16:33 schrieb Zhou Qingyang:
> In radeon_driver_open_kms(), radeon_vm_bo_add() is assigned to
> vm->ib_bo_va and passes and used in radeon_vm_bo_set_addr(). In
> radeon_vm_bo_set_addr(), there is a dereference of vm->ib_bo_va,
> which could lead to a NULL pointer dereference on failure of
> radeon_vm_bo_add().
>
> Fix this bug by adding a check of vm->ib_bo_va.
>
> This bug was found by a static analyzer. The analysis employs
> differential checking to identify inconsistent security operations
> (e.g., checks or kfrees) between two code paths and confirms that the
> inconsistent operations are not recovered in the current function or
> the callers, so they constitute bugs.
>
> Note that, as a bug found by static analysis, it can be a false
> positive or hard to trigger. Multiple researchers have cross-reviewed
> the bug.
>
> Builds with CONFIG_DRM_RADEON=m show no new warnings,
> and our static analyzer no longer warns about this code.
>
> Fixes: cc9e67e3d700 ("drm/radeon: fix VM IB handling")
> Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
> ---
> Changes in v2:
>    -  Improve the error handling into goto style
>
>   drivers/gpu/drm/radeon/radeon_kms.c | 24 ++++++++++++++----------
>   1 file changed, 14 insertions(+), 10 deletions(-)
>
> diff --git a/drivers/gpu/drm/radeon/radeon_kms.c b/drivers/gpu/drm/radeon/radeon_kms.c
> index 482fb0ae6cb5..e49a9d160e52 100644
> --- a/drivers/gpu/drm/radeon/radeon_kms.c
> +++ b/drivers/gpu/drm/radeon/radeon_kms.c
> @@ -649,6 +649,8 @@ int radeon_driver_open_kms(struct drm_device *dev, struct drm_file *file_priv)
>   {
>   	struct radeon_device *rdev = dev->dev_private;
>   	int r;
> +	struct radeon_fpriv *fpriv;
> +	struct radeon_vm *vm;

Please keep variables like "i" or "r" declared last.

>   
>   	file_priv->driver_priv = NULL;
>   
> @@ -660,8 +662,6 @@ int radeon_driver_open_kms(struct drm_device *dev, struct drm_file *file_priv)
>   
>   	/* new gpu have virtual address space support */
>   	if (rdev->family >= CHIP_CAYMAN) {
> -		struct radeon_fpriv *fpriv;
> -		struct radeon_vm *vm;
>   
>   		fpriv = kzalloc(sizeof(*fpriv), GFP_KERNEL);
>   		if (unlikely(!fpriv)) {
> @@ -673,34 +673,38 @@ int radeon_driver_open_kms(struct drm_device *dev, struct drm_file *file_priv)
>   			vm = &fpriv->vm;
>   			r = radeon_vm_init(rdev, vm);
>   			if (r) {
> -				kfree(fpriv);
> -				goto out_suspend;
> +				goto out_fpriv;
>   			}
>   
>   			r = radeon_bo_reserve(rdev->ring_tmp_bo.bo, false);
>   			if (r) {
> -				radeon_vm_fini(rdev, vm);
> -				kfree(fpriv);
> -				goto out_suspend;
> +				goto out_vm_fini;
>   			}
>   
>   			/* map the ib pool buffer read only into
>   			 * virtual address space */
>   			vm->ib_bo_va = radeon_vm_bo_add(rdev, vm,
>   							rdev->ring_tmp_bo.bo);
> +			if (!vm->ib_bo_va) {
> +				r = -ENOMEM;
> +				goto out_vm_fini;
> +			}
> +
>   			r = radeon_vm_bo_set_addr(rdev, vm->ib_bo_va,
>   						  RADEON_VA_IB_OFFSET,
>   						  RADEON_VM_PAGE_READABLE |
>   						  RADEON_VM_PAGE_SNOOPED);
>   			if (r) {
> -				radeon_vm_fini(rdev, vm);
> -				kfree(fpriv);
> -				goto out_suspend;
> +				goto out_vm_fini;
>   			}
>   		}
>   		file_priv->driver_priv = fpriv;
>   	}
>   

That here won't work.

> +out_vm_fini:
> +	radeon_vm_fini(rdev, vm);
> +out_fpriv:
> +	kfree(fpriv);

You are finishing the VM and freeing up the memory in the good case now 
as well.

Christian.

>   out_suspend:
>   	pm_runtime_mark_last_busy(dev->dev);
>   	pm_runtime_put_autosuspend(dev->dev);