Re: [PATCH] drm/amdgpu: Fix null pointer access of BO

[Christian König <christian.koenig@xxxxxxx>]

Am 02.12.21 um 05:55 schrieb xinhui pan:
> TTM want bo->resource to be valid during BO's life.
> But ttm_bo_mem_space might fail and bo->resource point to NULL. Many code
> touch bo->resource and hit panic then.
>
> As old and new mem might overlap, move ttm_resource_free after
> ttm_bo_mem_space is not an option.
> We could assign one sysmem node to BO to make bo->resource valid.
>
> Signed-off-by: xinhui pan <xinhui.pan@xxxxxxx>
> ---
>   drivers/gpu/drm/amd/amdgpu/amdgpu_object.c | 14 ++++++++++++--
>   1 file changed, 12 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_object.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_object.c
> index c4317343967f..697fac0b82a3 100644
> --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_object.c
> +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_object.c
> @@ -359,6 +359,7 @@ int amdgpu_bo_create_kernel_at(struct amdgpu_device *adev,
>   			       struct amdgpu_bo **bo_ptr, void **cpu_addr)
>   {
>   	struct ttm_operation_ctx ctx = { false, false };
> +	struct ttm_resource *tmp_res;
>   	unsigned int i;
>   	int r;
>   
> @@ -380,17 +381,26 @@ int amdgpu_bo_create_kernel_at(struct amdgpu_device *adev,
>   	if (cpu_addr)
>   		amdgpu_bo_kunmap(*bo_ptr);
>   
> -	ttm_resource_free(&(*bo_ptr)->tbo, &(*bo_ptr)->tbo.resource);
> +	/* Assign one sysmem node to BO as we want bo->resource to be valid. */
> +	amdgpu_bo_placement_from_domain(*bo_ptr, AMDGPU_GEM_DOMAIN_CPU);
> +	r = ttm_bo_mem_space(&(*bo_ptr)->tbo, &(*bo_ptr)->placement,
> +			     &tmp_res, &ctx);
> +	if (r)
> +		goto error;
> +
> +	ttm_bo_move_null(&(*bo_ptr)->tbo, tmp_res);

That's much easier fixable if you just create the BO in the CPU domain 
in the first place.

E.g. modify the call to amdgpu_bo_create_reserved() above to use 
AMDGPU_GEM_DOMAIN_CPU instead of the provided one.

This way you can indeed move the ttm_resource_free() after the assignment.

Regards,
Christian.

>   
>   	for (i = 0; i < (*bo_ptr)->placement.num_placement; ++i) {
>   		(*bo_ptr)->placements[i].fpfn = offset >> PAGE_SHIFT;
>   		(*bo_ptr)->placements[i].lpfn = (offset + size) >> PAGE_SHIFT;
>   	}
>   	r = ttm_bo_mem_space(&(*bo_ptr)->tbo, &(*bo_ptr)->placement,
> -			     &(*bo_ptr)->tbo.resource, &ctx);
> +			     &tmp_res, &ctx);
>   	if (r)
>   		goto error;
>   
> +	ttm_bo_move_null(&(*bo_ptr)->tbo, tmp_res);
> +
>   	if (cpu_addr) {
>   		r = amdgpu_bo_kmap(*bo_ptr, cpu_addr);
>   		if (r)