Message ID | 20241009184951.4991-1-everestkc@everestkc.com.np (mailing list archive) |
---|---|
State | New, archived |
Series | [next] drm/xe/guc: Fix dereference before Null check |
On Wed, Oct 09, 2024 at 12:49:49PM -0600, Everest K.C. wrote:
> The pointer list->list was dereferenced before the Null check
> resulting in possibility of Null pointer dereferencing.
> This patch moves the Null check outside the for loop, so that
> the check is performed before the dereferencing.
>
> This issue was reported by Coverity Scan.
>
> Signed-off-by: Everest K.C. <everestkc@everestkc.com.np>

You need to add a Fixes tag.

> --- > drivers/gpu/drm/xe/xe_guc_capture.c | 6 +++--- > 1 file changed, 3 insertions(+), 3 deletions(-) > > diff --git a/drivers/gpu/drm/xe/xe_guc_capture.c b/drivers/gpu/drm/xe/xe_guc_capture.c > index 41262bda20ed..de63c622747d 100644 > --- a/drivers/gpu/drm/xe/xe_guc_capture.c > +++ b/drivers/gpu/drm/xe/xe_guc_capture.c > @@ -1537,13 +1537,13 @@ read_reg_to_node(struct xe_hw_engine *hwe, const struct __guc_mmio_reg_descr_gro > if (!regs) > return; > > + if (!list->list) > + return;

Could you merge this with the other sanity checks at the start of the function.

- if (!list || list->num_regs == 0)
+ if (!list || !list->list || list->num_regs == 0)

The list->list pointer can't actually be NULL. It comes from
guc_capture_get_one_list(), so if the reglists[i].list pointer is NULL it
returns NULL. However, obviously checking for NULL after a dereference is not
correct so it's worth fixing and probably deserves a Fixes tag. Although it
doesn't affect runtime, adding a Fixes tag helps backporters know they can
automatically ignore this one because the commit it's fixing is very recent.

regards,
dan carpenter
On Wed, Oct 9, 2024 at 2:35 PM Dan Carpenter <dan.carpenter@linaro.org> wrote:
>
> On Wed, Oct 09, 2024 at 12:49:49PM -0600, Everest K.C. wrote:
> > The pointer list->list was dereferenced before the Null check
> > resulting in possibility of Null pointer dereferencing.
> > This patch moves the Null check outside the for loop, so that
> > the check is performed before the dereferencing.
> >
> > This issue was reported by Coverity Scan.
> >
> > Signed-off-by: Everest K.C. <everestkc@everestkc.com.np>
>
> You need to add a Fixes tag.

Will add it and send a V2.

> > --- > > drivers/gpu/drm/xe/xe_guc_capture.c | 6 +++--- > > 1 file changed, 3 insertions(+), 3 deletions(-) > > > > diff --git a/drivers/gpu/drm/xe/xe_guc_capture.c b/drivers/gpu/drm/xe/xe_guc_capture.c > > index 41262bda20ed..de63c622747d 100644 > > --- a/drivers/gpu/drm/xe/xe_guc_capture.c > > +++ b/drivers/gpu/drm/xe/xe_guc_capture.c > > @@ -1537,13 +1537,13 @@ read_reg_to_node(struct xe_hw_engine *hwe, const struct __guc_mmio_reg_descr_gro > > if (!regs) > > return; > > > > + if (!list->list) > > + return;
>
> Could you merge this with the other sanity checks at the start of the function.
>
> - if (!list || list->num_regs == 0)
> + if (!list || !list->list || list->num_regs == 0)

That looks better. Will do that in V2 and send it.

> The list->list pointer can't actually be NULL. It comes from
> guc_capture_get_one_list(), so if the reglists[i].list pointer is NULL it
> returns NULL. However, obviously checking for NULL after a dereference is not
> correct so it's worth fixing and probably deserves a Fixes tag. Although it
> doesn't affect runtime, adding a Fixes tag helps backporters know they can
> automatically ignore this one because the commit it's fixing is very recent.
>
> regards,
> dan carpenter
>
diff --git a/drivers/gpu/drm/xe/xe_guc_capture.c b/drivers/gpu/drm/xe/xe_guc_capture.c index 41262bda20ed..de63c622747d 100644 --- a/drivers/gpu/drm/xe/xe_guc_capture.c +++ b/drivers/gpu/drm/xe/xe_guc_capture.c @@ -1537,13 +1537,13 @@ read_reg_to_node(struct xe_hw_engine *hwe, const struct __guc_mmio_reg_descr_gro if (!regs) return; + if (!list->list) + return; + for (i = 0; i < list->num_regs; i++) { struct __guc_mmio_reg_descr desc = list->list[i]; u32 value; - if (!list->list) - return; - if (list->type == GUC_STATE_CAPTURE_TYPE_ENGINE_INSTANCE) { value = xe_hw_engine_mmio_read32(hwe, desc.reg); } else {
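Review bot: The added `if (!list->list) return;` sits as its own early return between `if (!regs)` and the `for` loop, while the thread shows the function already opens with `if (!list || list->num_regs == 0)`. Fold the new test into that opening check as `if (!list || !list->list || list->num_regs == 0)` so that all validation of `list` happens in one place, before anything else in the function runs. The commit message should also carry a Fixes tag naming the commit that introduced the check inside the loop, since the check being removed came after `list->list[i]` had already been read.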
The pointer list->list was dereferenced before the Null check
resulting in possibility of Null pointer dereferencing.
This patch moves the Null check outside the for loop, so that
the check is performed before the dereferencing.

This issue was reported by Coverity Scan.

Signed-off-by: Everest K.C. <everestkc@everestkc.com.np>
--- drivers/gpu/drm/xe/xe_guc_capture.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)