From: Ilia Mirkin
To: Ben Skeggs
Cc: nouveau@lists.freedesktop.org, Maarten Lankhorst, dri-devel@lists.freedesktop.org, Pasi Kärkkäinen
Subject: [PATCH] drm/nouveau: avoid null deref on bad arguments to nouveau_vma_getmap
Date: Wed, 21 Aug 2013 20:10:14 -0400
Message-Id: <1377130214-17522-1-git-send-email-imirkin@alum.mit.edu>
X-Patchwork-Submitter: Ilia Mirkin
X-Patchwork-Id: 2847964

The code expects non-VRAM mem nodes to have a pages list. If that's not set, it will do a null deref down the line. Warn on that condition and return an error.

See https://bugs.freedesktop.org/show_bug.cgi?id=64774

Reported-by: Pasi Kärkkäinen
Tested-by: Pasi Kärkkäinen
Signed-off-by: Ilia Mirkin
Cc: # 3.8+
---

I don't exactly understand what's going on, but this is just a straightforward way to avoid a null deref that you see happens in the bug. I haven't figured out the root cause of this, but it's getting well into the "I have no idea how TTM works" space. However this seems like a bit of defensive programming -- nouveau_vm_map_sg will pass node->pages as a list down, which will be dereferenced by nvc0_vm_map_sg. Perhaps the other arguments should make that dereferencing not happen, but it definitely was happening here, as you can see in the bug.

Ben/Maarten, I'll let you judge whether this check is appropriate, since like I hope I was able to convey above, I'm just not really sure :)

 drivers/gpu/drm/nouveau/nouveau_bo.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/gpu/drm/nouveau/nouveau_bo.c b/drivers/gpu/drm/nouveau/nouveau_bo.c index cdc3282..191145d 100644 --- a/drivers/gpu/drm/nouveau/nouveau_bo.c +++ b/drivers/gpu/drm/nouveau/nouveau_bo.c @@ -963,6 +963,12 @@ nouveau_vma_getmap(struct nouveau_channel *chan, struct nouveau_bo *nvbo, struct nouveau_mem *node = mem->mm_node; int ret; + /* If we ever get here for a non-vram mem node that doesn't + * have pages, we will end up doing a null deref in + * nouveau_vm_map_sg. */ + if (WARN_ON(mem->mem_type != TTM_PL_VRAM && !node->pages)) + return -EINVAL; + ret = nouveau_vm_get(nv_client(chan->cli)->vm, mem->num_pages << PAGE_SHIFT, node->page_shift, NV_MEM_ACCESS_RW, vma);
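
Review bot: The new guard in nouveau_vma_getmap reads `node->pages` without checking `node` itself, and `node` is `mem->mm_node` from the context line just above, so if the bad-argument case can also arrive with `mm_node` unset the check faults before it can warn; testing `!node ||` first would close that. The check uses `WARN_ON`, which emits a backtrace on every hit, and since the notes say the root cause is not understood the condition may recur, so `WARN_ON_ONCE` would keep the log usable while still returning `-EINVAL`. The comment names nouveau_vm_map_sg as the crash site while the notes place the actual dereference in nvc0_vm_map_sg; naming both, plus a pointer to the bug report, would help whoever later removes this guard once the TTM-side cause is found. As written this masks the symptom only, so the commit message should say that a non-VRAM node without pages is still reaching this function for an unknown reason.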