Message-ID: <04cce0d9-33b7-b6d5-e75e-581e3fdad530@fintech.ru>
Date: Mon, 17 Apr 2023 07:58:00 -0700
Subject: Re: [PATCH] drm/ttm: fix null-ptr-deref in radeon_ttm_tt_populate()
To: Christian König, Alex Deucher
CC: "Pan, Xinhui", David Airlie, Daniel Vetter, Jerome Glisse
References: <20230417143431.58858-1-n.zhandarovich@fintech.ru>
From: Nikita Zhandarovich
X-Mailing-List: linux-kernel@vger.kernel.org

On 4/17/23 07:42, Christian König wrote:
>
> On 17.04.23 at 16:34, Nikita Zhandarovich wrote:
>> Currently, drm_prime_sg_to_page_addr_arrays() dereferences 'gtt->ttm'
>> without ensuring that 'gtt' (and therefore 'gtt->tmm') is not NULL.
>>
>> Fix this by testing 'gtt' for NULL value before dereferencing.
>>
>> Found by Linux Verification Center (linuxtesting.org) with static
>> analysis tool SVACE.
>>
>> Fixes: 40f5cf996991 ("drm/radeon: add PRIME support (v2)")
>> Signed-off-by: Nikita Zhandarovich
>> --- >>   drivers/gpu/drm/radeon/radeon_ttm.c | 2 +- >>   1 file changed, 1 insertion(+), 1 deletion(-) >> >> diff --git a/drivers/gpu/drm/radeon/radeon_ttm.c >> b/drivers/gpu/drm/radeon/radeon_ttm.c >> index 1e8e287e113c..33d01c3bdee4 100644 >> --- a/drivers/gpu/drm/radeon/radeon_ttm.c >> +++ b/drivers/gpu/drm/radeon/radeon_ttm.c 
>> @@ -553,7 +553,7 @@ static int radeon_ttm_tt_populate(struct >> ttm_device *bdev, >>           return 0; >>       } >>   -    if (slave && ttm->sg) { >> +    if (gtt && slave && ttm->sg) { > > The gtt variable is derived from the ttm variable and so never NULL > here. The only case when this can be NULL is for AGP and IIRC we don't > support DMA-buf in this case. > >>           drm_prime_sg_to_dma_addr_array(ttm->sg, gtt->ttm.dma_address, > > Just use ttm->dma_addresses instead of gtt->ttm.dma_address here to make > your automated checker happy. > > Regards, > Christian. > >>                              ttm->num_pages); >>           return 0; > Thank you for your reply, you are absolutely right. Apologies for wasting your time. Nikita
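
Review bot: the added `gtt &&` term in `if (gtt && slave && ttm->sg)` turns a NULL `gtt` into a silent skip of the whole PRIME branch, so control falls through to whatever follows the `return 0;`, and neither the hunk nor the commit message says what should happen on that path. The only use of `gtt` in the branch is the `gtt->ttm.dma_address` argument to drm_prime_sg_to_dma_addr_array(), so reaching the DMA address array through `ttm`, as the reply in the thread suggests, removes the dereference without changing the condition. The commit message should also be brought in line with the code: it names drm_prime_sg_to_page_addr_arrays() where the hunk calls drm_prime_sg_to_dma_addr_array(), spells the member 'gtt->tmm', and uses a drm/ttm: subject prefix for a change to drivers/gpu/drm/radeon/radeon_ttm.c.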