On 02/28/2014 10:20 PM, Alexey Khoroshilov wrote:
> vmw_takedown_otable_base() and vmw_mob_unbind() check for
> potential vmw_fifo_reserve() failure and print error message,
> but then immediately dereference NULL pointer.
>
> Found by Linux Driver Verification project (linuxtesting.org).
>
> Signed-off-by: Alexey Khoroshilov <khoroshilov@xxxxxxxxx>
> ---
> drivers/gpu/drm/vmwgfx/vmwgfx_mob.c | 35 +++++++++++++++++++----------------
> 1 file changed, 19 insertions(+), 16 deletions(-)
>
> diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_mob.c b/drivers/gpu/drm/vmwgfx/vmwgfx_mob.c
> index d4a5a19cb8c3..04a64b8cd3cd 100644
> --- a/drivers/gpu/drm/vmwgfx/vmwgfx_mob.c
> +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_mob.c
> @@ -188,18 +188,20 @@ static void vmw_takedown_otable_base(struct vmw_private *dev_priv,
>
> bo = otable->page_table->pt_bo;
> cmd = vmw_fifo_reserve(dev_priv, sizeof(*cmd));
> - if (unlikely(cmd == NULL))
> - DRM_ERROR("Failed reserving FIFO space for OTable setup.\n");
> -
> - memset(cmd, 0, sizeof(*cmd));
> - cmd->header.id = SVGA_3D_CMD_SET_OTABLE_BASE;
> - cmd->header.size = sizeof(cmd->body);
> - cmd->body.type = type;
> - cmd->body.baseAddress = 0;
> - cmd->body.sizeInBytes = 0;
> - cmd->body.validSizeInBytes = 0;
> - cmd->body.ptDepth = SVGA3D_MOBFMT_INVALID;
> - vmw_fifo_commit(dev_priv, sizeof(*cmd));
> + if (unlikely(cmd == NULL)) {
> + DRM_ERROR("Failed reserving FIFO space for OTable "
> + "takedown.\n");
> + } else {
> + memset(cmd, 0, sizeof(*cmd));
> + cmd->header.id = SVGA_3D_CMD_SET_OTABLE_BASE;
> + cmd->header.size = sizeof(cmd->body);
> + cmd->body.type = type;
> + cmd->body.baseAddress = 0;
> + cmd->body.sizeInBytes = 0;
> + cmd->body.validSizeInBytes = 0;
> + cmd->body.ptDepth = SVGA3D_MOBFMT_INVALID;
> + vmw_fifo_commit(dev_priv, sizeof(*cmd));
> + }
>
> if (bo) {
> int ret;
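Review bot: On the new failure branch of vmw_takedown_otable_base() the code only logs and then falls through to the `if (bo)` block, so SVGA_3D_CMD_SET_OTABLE_BASE with a zero base is never submitted while the teardown that follows still runs. The rest of the function lies outside the hunk, but if it goes on to release the page-table buffer, the device presumably keeps a base address for memory the driver no longer owns, which is a stale-DMA hazard rather than just a lost command. The vmw_mob_unbind() hunk has the same shape: SVGA_3D_CMD_DESTROY_GB_MOB is skipped, yet `vmw_fence_single_bo(bo, NULL)` and `ttm_bo_unreserve(bo)` still execute. Both functions return void, so at minimum each error branch should carry a comment such as `/* NOTE: command not submitted; the device may still reference this object. */`, and it is worth checking whether the callers can defer freeing the backing pages when the reserve fails.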
> @@ -562,11 +564,12 @@ void vmw_mob_unbind(struct vmw_private *dev_priv,
> if (unlikely(cmd == NULL)) {
> DRM_ERROR("Failed reserving FIFO space for Memory "
> "Object unbinding.\n");
> + } else {
> + cmd->header.id = SVGA_3D_CMD_DESTROY_GB_MOB;
> + cmd->header.size = sizeof(cmd->body);
> + cmd->body.mobid = mob->id;
> + vmw_fifo_commit(dev_priv, sizeof(*cmd));
> }
> - cmd->header.id = SVGA_3D_CMD_DESTROY_GB_MOB;
> - cmd->header.size = sizeof(cmd->body);
> - cmd->body.mobid = mob->id;
> - vmw_fifo_commit(dev_priv, sizeof(*cmd));
> if (bo) {
> vmw_fence_single_bo(bo, NULL);
> ttm_bo_unreserve(bo);
Thanks. I'll queue this for the next vmwgfx-fixes PULL. /Thomas _______________________________________________ dri-devel mailing list dri-devel@xxxxxxxxxxxxxxxxxxxxx http://lists.freedesktop.org/mailman/listinfo/dri-devel