Subject: [POSSIBLE BUG] Unreachable code or possible dereferencing of NULL pointer
From: Subkhankulov Rustam
To: David Airlie
Cc: Daniel Vetter, dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org, Alexey Khoroshilov
Date: Tue, 05 Jul 2022 18:52:45 +0300
X-Mailing-List: linux-kernel@vger.kernel.org

Version:
5.19-rc5

In function 'via_do_init_map' (drivers/gpu/drm/via/via_map.c: 54)
'drm_legacy_findmap' can return NULL pointer. If that happens, it calls
'via_do_cleanup_map' (drivers/gpu/drm/via/via_map.c: 58).

---------------------------------------------------------------------
54	dev_priv->mmio = drm_legacy_findmap(dev, init->mmio_offset);
55	if (!dev_priv->mmio) {
56		DRM_ERROR("could not find mmio region!\n");
57		dev->dev_private = (void *)dev_priv;
58		via_do_cleanup_map(dev);
59		return -EINVAL;
60	}
---------------------------------------------------------------------

The 'via_do_cleanup_map' function calls 'via_dma_cleanup'
(drivers/gpu/drm/via/via_map.c: 78).

---------------------------------------------------------------------
76	int via_do_cleanup_map(struct drm_device *dev)
77	{
78		via_dma_cleanup(dev);
79
80		return 0;
81	}
---------------------------------------------------------------------

In 'via_dma_cleanup' there is another conditional construction
(drivers/gpu/drm/via/via_dma.c: 168).

---------------------------------------------------------------------
168	if (dev_priv->ring.virtual_start) {
169		via_cmdbuf_reset(dev_priv);
170
171		drm_legacy_ioremapfree(&dev_priv->ring.map, dev);
172		dev_priv->ring.virtual_start = NULL;
173	}
---------------------------------------------------------------------

It seems like there are two possible ways:

1) dev_priv->ring.virtual_start != 0. In that case the following function
call chain happens: 'via_cmdbuf_reset', 'via_cmdbuf_flush',
'via_hook_segment' and 'via_read' (drivers/gpu/drm/via/via_drv.h: 124).
In 'via_read' dereferencing of "dev_priv->mmio" happens, which is NULL.

---------------------------------------------------------------------
124	static inline u32 via_read(struct drm_via_private *dev_priv, u32 reg)
125	{
126		return readl((void __iomem *)(dev_priv->mmio->handle + reg));
127	}
---------------------------------------------------------------------

2) dev_priv->ring.virtual_start == 0. Then all function calls located
inside the conditional construction (drivers/gpu/drm/via/via_dma.c: 168)
do not happen.

Thus, if dev_priv->mmio == NULL, the call to 'via_do_cleanup_map'
(drivers/gpu/drm/via/via_map.c: 58) may result either in an error or in
nothing at all. Should we remove the call to via_do_cleanup_map(dev) or
should we somehow avoid the NULL pointer dereference in 'via_read'?

Found by Linux Verification Center (linuxtesting.org) with SVACE.

regards,
Rustam Subkhankulov
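The call chain described in the report above, as an added user-space model that is not part of the message or of the via driver. The structures (local_map, via_private), the fake_regs register file, and the *_model functions are simplified stand-ins for drm_local_map, drm_via_private and the real via_* functions; the "guarded" cleanup variant is one hypothetical way of avoiding the dereference and is not a patch proposed for the driver. The model records the NULL case instead of faulting, so it can show which of the two branches the report distinguishes actually reaches via_read() with mmio == NULL:

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified stand-ins for the kernel's drm_local_map and drm_via_private.
 * Only the fields the report's call chain touches are modelled (assumption). */
struct local_map {
    uintptr_t handle;              /* base of the (here: fake) MMIO window */
};

struct via_private {
    struct local_map *mmio;        /* NULL when drm_legacy_findmap() failed */
    void *ring_virtual_start;      /* stands in for dev_priv->ring.virtual_start */
};

/* Constructed fake register file standing in for the chip's MMIO BAR. */
static uint32_t fake_regs[64];

/* Set when the modelled path reaches via_read() with mmio == NULL, i.e. at
 * the point where the real driver would do readl() through a NULL pointer. */
static bool null_deref_reached;

/* Model of via_read() (via_drv.h: 124). The real function is
 * readl((void __iomem *)(dev_priv->mmio->handle + reg)); here the NULL case
 * is recorded instead of faulting so the program can report it. */
static uint32_t via_read_model(struct via_private *p, uint32_t reg)
{
    if (!p->mmio) {
        null_deref_reached = true;
        return 0;
    }
    return *(uint32_t *)(p->mmio->handle + reg);
}

/* Collapses via_cmdbuf_reset -> via_cmdbuf_flush -> via_hook_segment into
 * the one register access that matters for the argument. */
static void via_cmdbuf_reset_model(struct via_private *p)
{
    (void)via_read_model(p, 0);
}

/* Mirrors the conditional quoted from via_dma.c: 168 (ioremapfree omitted). */
static void via_dma_cleanup_unpatched(struct via_private *p)
{
    if (p->ring_virtual_start) {
        via_cmdbuf_reset_model(p);
        p->ring_virtual_start = NULL;
    }
}

/* Hypothetical guard: skip the hardware reset when no MMIO map exists.
 * Illustration only, not a change proposed for the driver. */
static void via_dma_cleanup_guarded(struct via_private *p)
{
    if (p->ring_virtual_start) {
        if (p->mmio)
            via_cmdbuf_reset_model(p);
        p->ring_virtual_start = NULL;
    }
}

/* Runs cleanup with mmio == NULL (the failure branch at via_map.c: 55) and
 * returns true if via_read() would have been reached with a NULL map. */
bool cleanup_reaches_null_deref(bool ring_mapped, bool guarded)
{
    struct via_private p = {
        .mmio = NULL,
        .ring_virtual_start = ring_mapped ? (void *)fake_regs : NULL,
    };
    null_deref_reached = false;
    if (guarded)
        via_dma_cleanup_guarded(&p);
    else
        via_dma_cleanup_unpatched(&p);
    return null_deref_reached;
}

/* Happy-path check of the model: with a valid map, via_read() returns what
 * was written to the fake register (reg is a byte offset, multiple of 4). */
uint32_t read_back_through_map(uint32_t reg, uint32_t value)
{
    struct local_map map = { .handle = (uintptr_t)fake_regs };
    struct via_private p = { .mmio = &map, .ring_virtual_start = fake_regs };
    fake_regs[reg / sizeof(uint32_t)] = value;
    return via_read_model(&p, reg);
}

int main(void)
{
    printf("ring mapped,   unpatched: NULL deref reached = %d\n",
           cleanup_reaches_null_deref(true, false));
    printf("ring unmapped, unpatched: NULL deref reached = %d\n",
           cleanup_reaches_null_deref(false, false));
    printf("ring mapped,   guarded  : NULL deref reached = %d\n",
           cleanup_reaches_null_deref(true, true));
    return 0;
}
```

Only the first combination (ring mapped, cleanup as quoted) reaches the register read with a NULL map; with the ring unmapped the whole block at via_dma.c: 168 is skipped, which is the "nothing at all" outcome the report describes.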