diff mbox series

[RESEND] drm/amd/display: avoid using null object of framebuffer

Message ID 20240821042724.1391169-1-make24@iscas.ac.cn (mailing list archive)
State New, archived
Headers show
Series [RESEND] drm/amd/display: avoid using null object of framebuffer | expand

Commit Message

Ma Ke Aug. 21, 2024, 4:27 a.m. UTC 
Instead of using state->fb->obj[0] directly, get object from framebuffer
by calling drm_gem_fb_get_obj() and return error code when object is
null to avoid using null object of framebuffer.

Cc: stable@vger.kernel.org
Fixes: 5d945cbcd4b1 ("drm/amd/display: Create a file dedicated to planes")
Signed-off-by: Ma Ke <make24@iscas.ac.cn>
---
 drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_plane.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

Comments

Alex Deucher Aug. 21, 2024, 8:22 p.m. UTC | #1 
On Wed, Aug 21, 2024 at 3:45 AM Ma Ke <make24@iscas.ac.cn> wrote:
>
> Instead of using state->fb->obj[0] directly, get object from framebuffer
> by calling drm_gem_fb_get_obj() and return error code when object is
> null to avoid using null object of framebuffer.
>
> Cc: stable@vger.kernel.org
> Fixes: 5d945cbcd4b1 ("drm/amd/display: Create a file dedicated to planes")
> Signed-off-by: Ma Ke <make24@iscas.ac.cn>
> ---
>  drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_plane.c | 9 +++++++--
>  1 file changed, 7 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_plane.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_plane.c
> index a83bd0331c3b..5cb11cc2d063 100644
> --- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_plane.c
> +++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_plane.c
> @@ -28,6 +28,7 @@
>  #include <drm/drm_blend.h>
>  #include <drm/drm_gem_atomic_helper.h>
>  #include <drm/drm_plane_helper.h>
> +#include <drm/drm_gem_framebuffer_helper.h>
>  #include <drm/drm_fourcc.h>
>
>  #include "amdgpu.h"
> @@ -935,10 +936,14 @@ static int amdgpu_dm_plane_helper_prepare_fb(struct drm_plane *plane,
>         }
>
>         afb = to_amdgpu_framebuffer(new_state->fb);
> -       obj = new_state->fb->obj[0];
> +       obj = drm_gem_fb_get_obj(new_state->fb, 0);

Is it possible for obj to be NULL here?

Alex

> +       if (!obj) {
> +               DRM_ERROR("Failed to get obj from framebuffer\n");
> +               return -EINVAL;
> +       }
> +
>         rbo = gem_to_amdgpu_bo(obj);
>         adev = amdgpu_ttm_adev(rbo->tbo.bdev);
> -
>         r = amdgpu_bo_reserve(rbo, true);
>         if (r) {
>                 dev_err(adev->dev, "fail to reserve bo (%d)\n", r);
> --
> 2.25.1
>
Ma Ke Aug. 22, 2024, 7:32 a.m. UTC | #2 
Alex Deucher<alexdeucher@gmail.com> wrote:
> On Wed, Aug 21, 2024 at 3:45 AM Ma Ke <make24@iscas.ac.cn> wrote:
> >
> > Instead of using state->fb->obj[0] directly, get object from framebuffer
> > by calling drm_gem_fb_get_obj() and return error code when object is
> > null to avoid using null object of framebuffer.
> >
> > Cc: stable@vger.kernel.org
> > Fixes: 5d945cbcd4b1 ("drm/amd/display: Create a file dedicated to planes")
> > Signed-off-by: Ma Ke <make24@iscas.ac.cn>
> > ---
> >  drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_plane.c | 9 +++++++--
> >  1 file changed, 7 insertions(+), 2 deletions(-)
> >
> > diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_plane.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_plane.c
> > index a83bd0331c3b..5cb11cc2d063 100644
> > --- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_plane.c
> > +++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_plane.c
> > @@ -28,6 +28,7 @@
> >  #include <drm/drm_blend.h>
> >  #include <drm/drm_gem_atomic_helper.h>
> >  #include <drm/drm_plane_helper.h>
> > +#include <drm/drm_gem_framebuffer_helper.h>
> >  #include <drm/drm_fourcc.h>
> >
> >  #include "amdgpu.h"
> > @@ -935,10 +936,14 @@ static int amdgpu_dm_plane_helper_prepare_fb(struct drm_plane *plane,
> >         }
> >
> >         afb = to_amdgpu_framebuffer(new_state->fb);
> > -       obj = new_state->fb->obj[0];
> > +       obj = drm_gem_fb_get_obj(new_state->fb, 0);
> 
> Is it possible for obj to be NULL here?
> 
> Alex
Thank you for your response to the vulnerability I submitted. Yes, we 
believe there is a similar issue. As described in CVE-2024-41093, the obj 
will return as NULL and lead to a dereferencing problem, and a similar 
issue exists in this code. The discovery of this problem was confirmed 
through manual review of the code and compilation testing.
--
Regards,

Ma Ke
Alex Deucher Aug. 22, 2024, 5:55 p.m. UTC | #3 
Applied.  Thanks!

On Wed, Aug 21, 2024 at 3:45 AM Ma Ke <make24@iscas.ac.cn> wrote:
>
> Instead of using state->fb->obj[0] directly, get object from framebuffer
> by calling drm_gem_fb_get_obj() and return error code when object is
> null to avoid using null object of framebuffer.
>
> Cc: stable@vger.kernel.org
> Fixes: 5d945cbcd4b1 ("drm/amd/display: Create a file dedicated to planes")
> Signed-off-by: Ma Ke <make24@iscas.ac.cn>
> ---
>  drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_plane.c | 9 +++++++--
>  1 file changed, 7 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_plane.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_plane.c
> index a83bd0331c3b..5cb11cc2d063 100644
> --- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_plane.c
> +++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_plane.c
> @@ -28,6 +28,7 @@
>  #include <drm/drm_blend.h>
>  #include <drm/drm_gem_atomic_helper.h>
>  #include <drm/drm_plane_helper.h>
> +#include <drm/drm_gem_framebuffer_helper.h>
>  #include <drm/drm_fourcc.h>
>
>  #include "amdgpu.h"
> @@ -935,10 +936,14 @@ static int amdgpu_dm_plane_helper_prepare_fb(struct drm_plane *plane,
>         }
>
>         afb = to_amdgpu_framebuffer(new_state->fb);
> -       obj = new_state->fb->obj[0];
> +       obj = drm_gem_fb_get_obj(new_state->fb, 0);
> +       if (!obj) {
> +               DRM_ERROR("Failed to get obj from framebuffer\n");
> +               return -EINVAL;
> +       }
> +
>         rbo = gem_to_amdgpu_bo(obj);
>         adev = amdgpu_ttm_adev(rbo->tbo.bdev);
> -
>         r = amdgpu_bo_reserve(rbo, true);
>         if (r) {
>                 dev_err(adev->dev, "fail to reserve bo (%d)\n", r);
> --
> 2.25.1
>
diff mbox series

Patch

diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_plane.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_plane.c
index a83bd0331c3b..5cb11cc2d063 100644
--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_plane.c
+++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_plane.c
@@ -28,6 +28,7 @@ 
 #include <drm/drm_blend.h>
 #include <drm/drm_gem_atomic_helper.h>
 #include <drm/drm_plane_helper.h>
+#include <drm/drm_gem_framebuffer_helper.h>
 #include <drm/drm_fourcc.h>
 
 #include "amdgpu.h"
@@ -935,10 +936,14 @@  static int amdgpu_dm_plane_helper_prepare_fb(struct drm_plane *plane,
 	}
 
 	afb = to_amdgpu_framebuffer(new_state->fb);
-	obj = new_state->fb->obj[0];
+	obj = drm_gem_fb_get_obj(new_state->fb, 0);
+	if (!obj) {
+		DRM_ERROR("Failed to get obj from framebuffer\n");
+		return -EINVAL;
+	}
+
 	rbo = gem_to_amdgpu_bo(obj);
 	adev = amdgpu_ttm_adev(rbo->tbo.bdev);
-
 	r = amdgpu_bo_reserve(rbo, true);
 	if (r) {
 		dev_err(adev->dev, "fail to reserve bo (%d)\n", r);