From patchwork Wed Feb 15 16:13:50 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Thomas Hellstrom X-Patchwork-Id: 13141860 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from gabe.freedesktop.org (gabe.freedesktop.org [131.252.210.177]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id EB734C636D4 for ; Wed, 15 Feb 2023 16:14:39 +0000 (UTC) Received: from gabe.freedesktop.org (localhost [127.0.0.1]) by gabe.freedesktop.org (Postfix) with ESMTP id F038F10E82D; Wed, 15 Feb 2023 16:14:38 +0000 (UTC) Received: from mga06.intel.com (mga06b.intel.com [134.134.136.31]) by gabe.freedesktop.org (Postfix) with ESMTPS id EC41E10EB15; Wed, 15 Feb 2023 16:14:35 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1676477676; x=1708013676; h=from:to:cc:subject:date:message-id:in-reply-to: references:mime-version:content-transfer-encoding; bh=f+jziJqtg2tHO1sm8YICg4x70AohpDQ+/WN+2ra+cxA=; b=hGzxEyCoRV9XSb+cgq05kFe2dsTNMKFXnyxk5+fNKTWL7L7gVDAE+BPX DTv5Sq3rv9SSFfBdueRHl9sQ1+jHaTmoLSe8jqO4JJ2Ow+EvzqIK1T2Z2 uLTho31N3bEPMaG0yd+MD62kQpKI4vIasrE46dmYa9pDSGpu4S4e4GQKQ XLb26qMmpVSfR2yhQuzACjLjzwwQCwEcDgvV5S0diYxjLe4BRr4ZGOufO QajVgroHb/uRBHaRwJq/Vreu/LJXzzcJctbXUW2eWP/21QECq6zMeUsK1 aVy3EpRuxOd+55iRAAMuZxG439Jeadazqht+U8fJn+f2nKutZ9vfO1uMy g==; X-IronPort-AV: E=McAfee;i="6500,9779,10622"; a="393870669" X-IronPort-AV: E=Sophos;i="5.97,300,1669104000"; d="scan'208";a="393870669" Received: from fmsmga003.fm.intel.com ([10.253.24.29]) by orsmga104.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 15 Feb 2023 08:14:34 -0800 X-IronPort-AV: E=McAfee;i="6500,9779,10622"; a="758471994" X-IronPort-AV: E=Sophos;i="5.97,300,1669104000"; d="scan'208";a="758471994" Received: from auliel-mobl1.ger.corp.intel.com (HELO thellstr-mobl1.intel.com) ([10.249.254.14]) by fmsmga003-auth.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 15 Feb 2023 08:14:27 -0800 From: =?utf-8?q?Thomas_Hellstr=C3=B6m?= To: dri-devel@lists.freedesktop.org Subject: [RFC PATCH 01/16] drm/ttm: Fix a NULL pointer dereference Date: Wed, 15 Feb 2023 17:13:50 +0100 Message-Id: <20230215161405.187368-2-thomas.hellstrom@linux.intel.com> X-Mailer: git-send-email 2.38.1 In-Reply-To: <20230215161405.187368-1-thomas.hellstrom@linux.intel.com> References: <20230215161405.187368-1-thomas.hellstrom@linux.intel.com> MIME-Version: 1.0 X-BeenThere: dri-devel@lists.freedesktop.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Direct Rendering Infrastructure - Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Miaohe Lin , Philip Yang , NeilBrown , Daniel Vetter , Peter Xu , linux-mm@kvack.org, Dave Hansen , Huang Rui , David Hildenbrand , "Matthew Wilcox \(Oracle\)" , linux-graphics-maintainer@vmware.com, Matthew Auld , Ramalingam C , Dave Airlie , =?utf-8?q?Thomas_Hellstr=C3=B6m?= , Arunpravin Paneer Selvam , Anshuman Gupta , intel-gfx@lists.freedesktop.org, Qiang Yu , Tvrtko Ursulin , Felix Kuehling , Johannes Weiner , Alex Deucher , Andrew Morton , =?utf-8?q?Christian_K=C3=B6nig?= , Nirmoy Das Errors-To: dri-devel-bounces@lists.freedesktop.org Sender: "dri-devel" The LRU mechanism may look up a resource in the process of being removed from an object. The locking rules here are a bit unclear but it looks currently like res->bo assignment is protected by the LRU lock, whereas bo->resource is protected by the object lock, while *clearing* of bo->resource is also protected by the LRU lock. This means that if we check that bo->resource points to the LRU resource under the LRU lock we should be safe. So perform that check before deciding to swap out a bo. That avoids dereferencing a NULL bo->resource in ttm_bo_swapout(). Fixes: 6a9b02899402 ("drm/ttm: move the LRU into resource handling v4") Cc: Christian König Cc: Daniel Vetter Cc: Christian Koenig Cc: Huang Rui Cc: Alex Deucher Cc: Felix Kuehling Cc: Philip Yang Cc: Qiang Yu Cc: Matthew Auld Cc: Nirmoy Das Cc: Tvrtko Ursulin Cc: "Thomas Hellström" Cc: Anshuman Gupta Cc: Ramalingam C Cc: Arunpravin Paneer Selvam Cc: dri-devel@lists.freedesktop.org Signed-off-by: Thomas Hellström Reviewed-by: Christian König --- drivers/gpu/drm/ttm/ttm_device.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/ttm/ttm_device.c b/drivers/gpu/drm/ttm/ttm_device.c index c7a1862f322a..ae2f19dc9f81 100644 --- a/drivers/gpu/drm/ttm/ttm_device.c +++ b/drivers/gpu/drm/ttm/ttm_device.c @@ -158,7 +158,7 @@ int ttm_device_swapout(struct ttm_device *bdev, struct ttm_operation_ctx *ctx, struct ttm_buffer_object *bo = res->bo; uint32_t num_pages; - if (!bo) + if (!bo || bo->resource != res) continue; num_pages = PFN_UP(bo->base.size);