From: Robert Beckett
To: dri-devel@lists.freedesktop.org, Christian Koenig, Huang Rui, David Airlie, Daniel Vetter, Matthew Auld
Cc: Robert Beckett, linux-kernel@vger.kernel.org
Subject: [PATCH] drm/ttm: fix potential null ptr deref in when mem space alloc fails
Date: Fri, 18 Mar 2022 19:50:04 +0000
Message-Id: <20220318195004.416539-1-bob.beckett@collabora.com>

when allocating a resource in place it is common to free the buffer's resource, then allocate a new resource in a different placement.

e.g. amdgpu_bo_create_kernel_at calls ttm_resource_free, then calls ttm_bo_mem_space.

In this situation, bo->resource will be null as it is cleared during the initial freeing of the previous resource. This leads to a null deref.

Fixes: d3116756a710 (drm/ttm: rename bo->mem and make it a pointer)
Signed-off-by: Robert Beckett

--- drivers/gpu/drm/ttm/ttm_bo.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/ttm/ttm_bo.c b/drivers/gpu/drm/ttm/ttm_bo.c index db3dc7ef5382..62b29ee7d040 100644 --- a/drivers/gpu/drm/ttm/ttm_bo.c +++ b/drivers/gpu/drm/ttm/ttm_bo.c @@ -875,7 +875,7 @@ int ttm_bo_mem_space(struct ttm_buffer_object *bo, } error: - if (bo->resource->mem_type == TTM_PL_SYSTEM && !bo->pin_count) + if (bo->resource && bo->resource->mem_type == TTM_PL_SYSTEM && !bo->pin_count) ttm_bo_move_to_lru_tail_unlocked(bo); return ret; -- 2.25.1
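Review bot: at the `error:` label in ttm_bo_mem_space(), the added `bo->resource &&` guard makes the NULL case skip ttm_bo_move_to_lru_tail_unlocked() silently, and nothing in the hunk or the commit message says that skipping the LRU update is the intended behaviour for a buffer object that currently has no resource. Please confirm that, and add a one-line comment above the condition noting that bo->resource can be NULL here because callers such as amdgpu_bo_create_kernel_at free the resource before calling ttm_bo_mem_space(), so the guard is not later removed as redundant. The condition is also now well past 80 columns once the indent is counted; consider breaking it after `bo->resource &&`. Separately, the Fixes tag would normally quote the subject, as in `Fixes: d3116756a710 ("drm/ttm: rename bo->mem and make it a pointer")`.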