| Message ID | 20211116014623.633687-1-harish.chegondi@intel.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | drm/i915: Add checks to prevent NULL pointer dereference | expand |
Hi, Harish, On 11/16/21 02:46, Harish Chegondi wrote: > __sg_next() returns NULL if the input sg entry is the last entry in the > list. Check the return pointer from __sg_next() to prevent NULL pointer > dereference. Did you actually hit a NULL pointer dereference here? I can't see how we could hit the last entry in the list in this way since sg_alloc_table() will either ensure we have sufficient entries or fail? Thomas > Cc: Matthew Auld <matthew.auld@intel.com> > Cc: Thomas Hellström <thomas.hellstrom@linux.intel.com> > Signed-off-by: Harish Chegondi <harish.chegondi@intel.com> > --- > drivers/gpu/drm/i915/i915_scatterlist.c | 10 ++++++++++ > 1 file changed, 10 insertions(+) > > diff --git a/drivers/gpu/drm/i915/i915_scatterlist.c b/drivers/gpu/drm/i915/i915_scatterlist.c > index 41f2adb6a583..da9322c5d5f7 100644 > --- a/drivers/gpu/drm/i915/i915_scatterlist.c > +++ b/drivers/gpu/drm/i915/i915_scatterlist.c > @@ -112,6 +112,11 @@ struct i915_refct_sgt *i915_rsgt_from_mm_node(const struct drm_mm_node *node, > if (st->nents) > sg = __sg_next(sg); > > + if (!sg) { > + sg_free_table(st); > + i915_refct_sgt_put(rsgt); > + return ERR_PTR(-EFAULT); > + } > sg_dma_address(sg) = region_start + offset; > sg_dma_len(sg) = 0; > sg->length = 0; > @@ -191,6 +196,11 @@ struct i915_refct_sgt *i915_rsgt_from_buddy_resource(struct ttm_resource *res, > if (st->nents) > sg = __sg_next(sg); > > + if (!sg) { > + sg_free_table(st); > + i915_refct_sgt_put(rsgt); > + return ERR_PTR(-EFAULT); > + } > sg_dma_address(sg) = region_start + offset; > sg_dma_len(sg) = 0; > sg->length = 0;
diff --git a/drivers/gpu/drm/i915/i915_scatterlist.c b/drivers/gpu/drm/i915/i915_scatterlist.c index 41f2adb6a583..da9322c5d5f7 100644 --- a/drivers/gpu/drm/i915/i915_scatterlist.c +++ b/drivers/gpu/drm/i915/i915_scatterlist.c @@ -112,6 +112,11 @@ struct i915_refct_sgt *i915_rsgt_from_mm_node(const struct drm_mm_node *node, if (st->nents) sg = __sg_next(sg); + if (!sg) { + sg_free_table(st); + i915_refct_sgt_put(rsgt); + return ERR_PTR(-EFAULT); + } sg_dma_address(sg) = region_start + offset; sg_dma_len(sg) = 0; sg->length = 0; @@ -191,6 +196,11 @@ struct i915_refct_sgt *i915_rsgt_from_buddy_resource(struct ttm_resource *res, if (st->nents) sg = __sg_next(sg); + if (!sg) { + sg_free_table(st); + i915_refct_sgt_put(rsgt); + return ERR_PTR(-EFAULT); + } sg_dma_address(sg) = region_start + offset; sg_dma_len(sg) = 0; sg->length = 0;
__sg_next() returns NULL if the input sg entry is the last entry in the list. Check the return pointer from __sg_next() to prevent NULL pointer dereference. Cc: Matthew Auld <matthew.auld@intel.com> Cc: Thomas Hellström <thomas.hellstrom@linux.intel.com> Signed-off-by: Harish Chegondi <harish.chegondi@intel.com> --- drivers/gpu/drm/i915/i915_scatterlist.c | 10 ++++++++++ 1 file changed, 10 insertions(+)