drm/vmwgfx: avoid null pointer dereference at failure paths

Message ID	1393622418-6515-1-git-send-email-khoroshilov@ispras.ru (mailing list archive)
State	New, archived
Headers	show Return-Path: <dri-devel-bounces@lists.freedesktop.org> From: Alexey Khoroshilov <khoroshilov@ispras.ru> To: David Airlie <airlied@linux.ie>, Thomas Hellstrom <thellstrom@vmware.com> Subject: [PATCH] drm/vmwgfx: avoid null pointer dereference at failure paths Date: Sat, 1 Mar 2014 01:20:18 +0400 Message-Id: <1393622418-6515-1-git-send-email-khoroshilov@ispras.ru> Cc: ldv-project@linuxtesting.org, dri-devel@lists.freedesktop.org, Alexey Khoroshilov <khoroshilov@ispras.ru>, linux-kernel@vger.kernel.org Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: dri-devel-bounces@lists.freedesktop.org Errors-To: dri-devel-bounces@lists.freedesktop.org

Message ID

1393622418-6515-1-git-send-email-khoroshilov@ispras.ru (mailing list archive)

State

New, archived

Headers

From: Alexey Khoroshilov <khoroshilov@ispras.ru>
To: David Airlie <airlied@linux.ie>, Thomas Hellstrom <thellstrom@vmware.com>
Subject: [PATCH] drm/vmwgfx: avoid null pointer dereference at failure paths
Date: Sat,  1 Mar 2014 01:20:18 +0400
Message-Id: <1393622418-6515-1-git-send-email-khoroshilov@ispras.ru>
Cc: ldv-project@linuxtesting.org, dri-devel@lists.freedesktop.org,
	Alexey Khoroshilov <khoroshilov@ispras.ru>, linux-kernel@vger.kernel.org
Precedence: list
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: dri-devel-bounces@lists.freedesktop.org
Errors-To: dri-devel-bounces@lists.freedesktop.org

Commit Message

Alexey Khoroshilov Feb. 28, 2014, 9:20 p.m. UTC

vmw_takedown_otable_base() and vmw_mob_unbind() check for
potential vmw_fifo_reserve() failure and print error message,
but then immediately dereference NULL pointer.

Found by Linux Driver Verification project (linuxtesting.org).

Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
---
 drivers/gpu/drm/vmwgfx/vmwgfx_mob.c | 35 +++++++++++++++++++----------------
 1 file changed, 19 insertions(+), 16 deletions(-)

Comments

Thomas Hellstrom March 1, 2014, 4:29 p.m. UTC | #1

On 02/28/2014 10:20 PM, Alexey Khoroshilov wrote:

> vmw_takedown_otable_base() and vmw_mob_unbind() check for
> potential vmw_fifo_reserve() failure and print error message,
> but then immediately dereference NULL pointer.
>
> Found by Linux Driver Verification project (linuxtesting.org).
>
> Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
> ---
>  drivers/gpu/drm/vmwgfx/vmwgfx_mob.c | 35 +++++++++++++++++++----------------
>  1 file changed, 19 insertions(+), 16 deletions(-)
>
> diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_mob.c b/drivers/gpu/drm/vmwgfx/vmwgfx_mob.c
> index d4a5a19cb8c3..04a64b8cd3cd 100644
> --- a/drivers/gpu/drm/vmwgfx/vmwgfx_mob.c
> +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_mob.c
> @@ -188,18 +188,20 @@ static void vmw_takedown_otable_base(struct vmw_private *dev_priv,
>  
>  	bo = otable->page_table->pt_bo;
>  	cmd = vmw_fifo_reserve(dev_priv, sizeof(*cmd));
> -	if (unlikely(cmd == NULL))
> -		DRM_ERROR("Failed reserving FIFO space for OTable setup.\n");
> -
> -	memset(cmd, 0, sizeof(*cmd));
> -	cmd->header.id = SVGA_3D_CMD_SET_OTABLE_BASE;
> -	cmd->header.size = sizeof(cmd->body);
> -	cmd->body.type = type;
> -	cmd->body.baseAddress = 0;
> -	cmd->body.sizeInBytes = 0;
> -	cmd->body.validSizeInBytes = 0;
> -	cmd->body.ptDepth = SVGA3D_MOBFMT_INVALID;
> -	vmw_fifo_commit(dev_priv, sizeof(*cmd));
> +	if (unlikely(cmd == NULL)) {
> +		DRM_ERROR("Failed reserving FIFO space for OTable "
> +			  "takedown.\n");
> +	} else {
> +		memset(cmd, 0, sizeof(*cmd));
> +		cmd->header.id = SVGA_3D_CMD_SET_OTABLE_BASE;
> +		cmd->header.size = sizeof(cmd->body);
> +		cmd->body.type = type;
> +		cmd->body.baseAddress = 0;
> +		cmd->body.sizeInBytes = 0;
> +		cmd->body.validSizeInBytes = 0;
> +		cmd->body.ptDepth = SVGA3D_MOBFMT_INVALID;
> +		vmw_fifo_commit(dev_priv, sizeof(*cmd));
> +	}
>  
>  	if (bo) {
>  		int ret;
> @@ -562,11 +564,12 @@ void vmw_mob_unbind(struct vmw_private *dev_priv,
>  	if (unlikely(cmd == NULL)) {
>  		DRM_ERROR("Failed reserving FIFO space for Memory "
>  			  "Object unbinding.\n");
> +	} else {
> +		cmd->header.id = SVGA_3D_CMD_DESTROY_GB_MOB;
> +		cmd->header.size = sizeof(cmd->body);
> +		cmd->body.mobid = mob->id;
> +		vmw_fifo_commit(dev_priv, sizeof(*cmd));
>  	}
> -	cmd->header.id = SVGA_3D_CMD_DESTROY_GB_MOB;
> -	cmd->header.size = sizeof(cmd->body);
> -	cmd->body.mobid = mob->id;
> -	vmw_fifo_commit(dev_priv, sizeof(*cmd));
>  	if (bo) {
>  		vmw_fence_single_bo(bo, NULL);
>  		ttm_bo_unreserve(bo);
Thanks. I'll queue this for the next vmwgfx-fixes PULL.

/Thomas

diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_mob.c b/drivers/gpu/drm/vmwgfx/vmwgfx_mob.c
index d4a5a19cb8c3..04a64b8cd3cd 100644
--- a/drivers/gpu/drm/vmwgfx/vmwgfx_mob.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_mob.c
@@ -188,18 +188,20 @@  static void vmw_takedown_otable_base(struct vmw_private *dev_priv,
 
 	bo = otable->page_table->pt_bo;
 	cmd = vmw_fifo_reserve(dev_priv, sizeof(*cmd));
-	if (unlikely(cmd == NULL))
-		DRM_ERROR("Failed reserving FIFO space for OTable setup.\n");
-
-	memset(cmd, 0, sizeof(*cmd));
-	cmd->header.id = SVGA_3D_CMD_SET_OTABLE_BASE;
-	cmd->header.size = sizeof(cmd->body);
-	cmd->body.type = type;
-	cmd->body.baseAddress = 0;
-	cmd->body.sizeInBytes = 0;
-	cmd->body.validSizeInBytes = 0;
-	cmd->body.ptDepth = SVGA3D_MOBFMT_INVALID;
-	vmw_fifo_commit(dev_priv, sizeof(*cmd));
+	if (unlikely(cmd == NULL)) {
+		DRM_ERROR("Failed reserving FIFO space for OTable "
+			  "takedown.\n");
+	} else {
+		memset(cmd, 0, sizeof(*cmd));
+		cmd->header.id = SVGA_3D_CMD_SET_OTABLE_BASE;
+		cmd->header.size = sizeof(cmd->body);
+		cmd->body.type = type;
+		cmd->body.baseAddress = 0;
+		cmd->body.sizeInBytes = 0;
+		cmd->body.validSizeInBytes = 0;
+		cmd->body.ptDepth = SVGA3D_MOBFMT_INVALID;
+		vmw_fifo_commit(dev_priv, sizeof(*cmd));
+	}
 
 	if (bo) {
 		int ret;
@@ -562,11 +564,12 @@  void vmw_mob_unbind(struct vmw_private *dev_priv,
 	if (unlikely(cmd == NULL)) {
 		DRM_ERROR("Failed reserving FIFO space for Memory "
 			  "Object unbinding.\n");
+	} else {
+		cmd->header.id = SVGA_3D_CMD_DESTROY_GB_MOB;
+		cmd->header.size = sizeof(cmd->body);
+		cmd->body.mobid = mob->id;
+		vmw_fifo_commit(dev_priv, sizeof(*cmd));
 	}
-	cmd->header.id = SVGA_3D_CMD_DESTROY_GB_MOB;
-	cmd->header.size = sizeof(cmd->body);
-	cmd->body.mobid = mob->id;
-	vmw_fifo_commit(dev_priv, sizeof(*cmd));
 	if (bo) {
 		vmw_fence_single_bo(bo, NULL);
 		ttm_bo_unreserve(bo);

drm/vmwgfx: avoid null pointer dereference at failure paths

Commit Message

Comments

Patch