Re: [PATCH] drm/i915: Add checks to prevent NULL pointer dereference

Hi, Harish,

On 11/16/21 02:46, Harish Chegondi wrote:
__sg_next() returns NULL if the input sg entry is the last entry in the
list. Check the return pointer from __sg_next() to prevent NULL pointer
dereference.

Did you actually hit a NULL pointer dereference here? I can't see how we could hit the last entry in the list in this way since sg_alloc_table() will either ensure we have sufficient entries or fail?

Thomas


Cc: Matthew Auld <matthew.auld@xxxxxxxxx>
Cc: Thomas Hellström <thomas.hellstrom@xxxxxxxxxxxxxxx>
Signed-off-by: Harish Chegondi <harish.chegondi@xxxxxxxxx>
---
  drivers/gpu/drm/i915/i915_scatterlist.c | 10 ++++++++++
  1 file changed, 10 insertions(+)

diff --git a/drivers/gpu/drm/i915/i915_scatterlist.c b/drivers/gpu/drm/i915/i915_scatterlist.c
index 41f2adb6a583..da9322c5d5f7 100644
--- a/drivers/gpu/drm/i915/i915_scatterlist.c
+++ b/drivers/gpu/drm/i915/i915_scatterlist.c
@@ -112,6 +112,11 @@ struct i915_refct_sgt *i915_rsgt_from_mm_node(const struct drm_mm_node *node,
  			if (st->nents)
  				sg = __sg_next(sg);
+ if (!sg) {
+				sg_free_table(st);
+				i915_refct_sgt_put(rsgt);
+				return ERR_PTR(-EFAULT);
+			}
  			sg_dma_address(sg) = region_start + offset;
  			sg_dma_len(sg) = 0;
  			sg->length = 0;
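Review bot: The new `if (!sg)` test in i915_rsgt_from_mm_node() sits after the unbraced `if (st->nents)`, so it runs on every pass, including passes where __sg_next() was not called and sg still holds its previous value. If the __sg_next() return is the only way sg can become NULL, put the call and the test together in one braced block under `if (st->nents)`. The commit message also does not say how the table can end up with fewer entries than the loop needs. Describe that scenario, and if it is an internal invariant rather than a reachable condition, a warning on the violated assumption fits better than returning -EFAULT, which callers normally read as a bad user address.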
@@ -191,6 +196,11 @@ struct i915_refct_sgt *i915_rsgt_from_buddy_resource(struct ttm_resource *res,
  				if (st->nents)
  					sg = __sg_next(sg);
+ if (!sg) {
+					sg_free_table(st);
+					i915_refct_sgt_put(rsgt);
+					return ERR_PTR(-EFAULT);
+				}
  				sg_dma_address(sg) = region_start + offset;
  				sg_dma_len(sg) = 0;
  				sg->length = 0;
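Review bot: The error path added in i915_rsgt_from_buddy_resource() calls sg_free_table(st) and then i915_refct_sgt_put(rsgt), so check who owns st at that point. If st is the table held by rsgt and dropping the last reference already frees it, the explicit sg_free_table() turns this into a double free, and the put alone is the correct cleanup. The five added lines are also identical to the block added in i915_rsgt_from_mm_node(), so a small shared helper would keep the two error paths from drifting apart.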


