| Message ID | 20211012132549.260089-1-colin.king@canonical.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | [next] drm/i915: Fix dereference of pointer backup before it is null checked | expand |
Hi, On 10/12/21 15:25, Colin King wrote: > From: Colin Ian King <colin.king@canonical.com> > > The assignment of pointer backup_bo dereferences pointer backup before > backup is null checked, this could lead to a null pointer dereference > issue. Fix this by only assigning backup_bo after backup has been null > checked. > > Addresses-Coverity: ("Dereference before null check") > Fixes: c56ce9565374 ("drm/i915 Implement LMEM backup and restore for suspend / resume") > Signed-off-by: Colin Ian King <colin.king@canonical.com> There's not really a pointer dereference here, just pointer arithmetics, so the code should be safe (but admittedly fragile), so to keep Coverity happy, Reviewed-by: Thomas Hellström <thomas.hellstrom@linux.intel.com> > --- > drivers/gpu/drm/i915/gem/i915_gem_ttm_pm.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/drivers/gpu/drm/i915/gem/i915_gem_ttm_pm.c b/drivers/gpu/drm/i915/gem/i915_gem_ttm_pm.c > index 3b6d14b5c604..4ec6c557083a 100644 > --- a/drivers/gpu/drm/i915/gem/i915_gem_ttm_pm.c > +++ b/drivers/gpu/drm/i915/gem/i915_gem_ttm_pm.c > @@ -149,7 +149,7 @@ static int i915_ttm_restore(struct i915_gem_apply_to_region *apply, > struct i915_gem_ttm_pm_apply *pm_apply = > container_of(apply, typeof(*pm_apply), base); > struct drm_i915_gem_object *backup = obj->ttm.backup; > - struct ttm_buffer_object *backup_bo = i915_gem_to_ttm(backup); > + struct ttm_buffer_object *backup_bo; > struct ttm_operation_ctx ctx = {}; > int err; > > @@ -163,6 +163,8 @@ static int i915_ttm_restore(struct i915_gem_apply_to_region *apply, > if (err) > return err; > > + backup_bo = i915_gem_to_ttm(backup); > + > /* Content may have been swapped. */ > err = ttm_tt_populate(backup_bo->bdev, backup_bo->ttm, &ctx); > if (!err) {
On Tue, Oct 12, 2021 at 04:47:24PM +0200, Thomas Hellström wrote: > Hi, > > On 10/12/21 15:25, Colin King wrote: > > From: Colin Ian King <colin.king@canonical.com> > > > > The assignment of pointer backup_bo dereferences pointer backup before > > backup is null checked, this could lead to a null pointer dereference > > issue. Fix this by only assigning backup_bo after backup has been null > > checked. > > > > Addresses-Coverity: ("Dereference before null check") > > Fixes: c56ce9565374 ("drm/i915 Implement LMEM backup and restore for suspend / resume") > > Signed-off-by: Colin Ian King <colin.king@canonical.com> > > There's not really a pointer dereference here, just pointer arithmetics, so > the code should be safe (but admittedly fragile), so to keep Coverity happy, > > Reviewed-by: Thomas Hellström <thomas.hellstrom@linux.intel.com> Yeah. I kind of feel like we shouldn't work around static checker bugs. But when we do then there shouldn't be a Fixes tag. regards, dan carpenter
diff --git a/drivers/gpu/drm/i915/gem/i915_gem_ttm_pm.c b/drivers/gpu/drm/i915/gem/i915_gem_ttm_pm.c index 3b6d14b5c604..4ec6c557083a 100644 --- a/drivers/gpu/drm/i915/gem/i915_gem_ttm_pm.c +++ b/drivers/gpu/drm/i915/gem/i915_gem_ttm_pm.c @@ -149,7 +149,7 @@ static int i915_ttm_restore(struct i915_gem_apply_to_region *apply, struct i915_gem_ttm_pm_apply *pm_apply = container_of(apply, typeof(*pm_apply), base); struct drm_i915_gem_object *backup = obj->ttm.backup; - struct ttm_buffer_object *backup_bo = i915_gem_to_ttm(backup); + struct ttm_buffer_object *backup_bo; struct ttm_operation_ctx ctx = {}; int err; @@ -163,6 +163,8 @@ static int i915_ttm_restore(struct i915_gem_apply_to_region *apply, if (err) return err; + backup_bo = i915_gem_to_ttm(backup); + /* Content may have been swapped. */ err = ttm_tt_populate(backup_bo->bdev, backup_bo->ttm, &ctx); if (!err) {