Re: [PATCH] drm/ttm: check null pointer before accessing when swapping

Alex Deucher <alexdeucher@xxxxxxxxx> · Mon, 24 Jul 2023 09:36:01 -0400



On Sun, Jul 23, 2023 at 10:43 PM Guchun Chen <guchun.chen@xxxxxxx> wrote:
>
> Add a check to avoid null pointer dereference as below:
>
> [   90.002283] general protection fault, probably for non-canonical
> address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN NOPTI
> [   90.002292] KASAN: null-ptr-deref in range
> [0x0000000000000000-0x0000000000000007]
> [   90.002346]  ? exc_general_protection+0x159/0x240
> [   90.002352]  ? asm_exc_general_protection+0x26/0x30
> [   90.002357]  ? ttm_bo_evict_swapout_allowable+0x322/0x5e0 [ttm]
> [   90.002365]  ? ttm_bo_evict_swapout_allowable+0x42e/0x5e0 [ttm]
> [   90.002373]  ttm_bo_swapout+0x134/0x7f0 [ttm]
> [   90.002383]  ? __pfx_ttm_bo_swapout+0x10/0x10 [ttm]
> [   90.002391]  ? lock_acquire+0x44d/0x4f0
> [   90.002398]  ? ttm_device_swapout+0xa5/0x260 [ttm]
> [   90.002412]  ? lock_acquired+0x355/0xa00
> [   90.002416]  ? do_raw_spin_trylock+0xb6/0x190
> [   90.002421]  ? __pfx_lock_acquired+0x10/0x10
> [   90.002426]  ? ttm_global_swapout+0x25/0x210 [ttm]
> [   90.002442]  ttm_device_swapout+0x198/0x260 [ttm]
> [   90.002456]  ? __pfx_ttm_device_swapout+0x10/0x10 [ttm]
> [   90.002472]  ttm_global_swapout+0x75/0x210 [ttm]
> [   90.002486]  ttm_tt_populate+0x187/0x3f0 [ttm]
> [   90.002501]  ttm_bo_handle_move_mem+0x437/0x590 [ttm]
> [   90.002517]  ttm_bo_validate+0x275/0x430 [ttm]
> [   90.002530]  ? __pfx_ttm_bo_validate+0x10/0x10 [ttm]
> [   90.002544]  ? kasan_save_stack+0x33/0x60
> [   90.002550]  ? kasan_set_track+0x25/0x30
> [   90.002554]  ? __kasan_kmalloc+0x8f/0xa0
> [   90.002558]  ? amdgpu_gtt_mgr_new+0x81/0x420 [amdgpu]
> [   90.003023]  ? ttm_resource_alloc+0xf6/0x220 [ttm]
> [   90.003038]  amdgpu_bo_pin_restricted+0x2dd/0x8b0 [amdgpu]
> [   90.003210]  ? __x64_sys_ioctl+0x131/0x1a0
> [   90.003210]  ? do_syscall_64+0x60/0x90
>
> Fixes: a2848d08742c ("drm/ttm: never consider pinned BOs for eviction&swap")
> Tested-by: Mikhail Gavrilov <mikhail.v.gavrilov@xxxxxxxxx>
> Signed-off-by: Guchun Chen <guchun.chen@xxxxxxx>

Reviewed-by: Alex Deucher <alexander.deucher@xxxxxxx>

> ---
>  drivers/gpu/drm/ttm/ttm_bo.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/gpu/drm/ttm/ttm_bo.c b/drivers/gpu/drm/ttm/ttm_bo.c
> index 7139a522b2f3..54e3083076b7 100644
> --- a/drivers/gpu/drm/ttm/ttm_bo.c
> +++ b/drivers/gpu/drm/ttm/ttm_bo.c
> @@ -519,7 +519,8 @@ static bool ttm_bo_evict_swapout_allowable(struct ttm_buffer_object *bo,
>
>         if (bo->pin_count) {
>                 *locked = false;
> -               *busy = false;
> +               if (busy)
> +                       *busy = false;
>                 return false;
>         }
>
> --
> 2.25.1
>