Patch "drm/msm: prevent NULL dereference in msm_gpu_crashstate_capture()" has been added to the 5.14-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Sun, 14 Nov 2021 22:12:25 -0500

This is a note to let you know that I've just added the patch titled

    drm/msm: prevent NULL dereference in msm_gpu_crashstate_capture()

to the 5.14-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     drm-msm-prevent-null-dereference-in-msm_gpu_crashsta.patch
and it can be found in the queue-5.14 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 65a7895d34ef35d11fc7a67b48896d182836e422
Author: Tim Gardner <tim.gardner@xxxxxxxxxxxxx>
Date:   Wed Sep 29 10:25:54 2021 -0600

    drm/msm: prevent NULL dereference in msm_gpu_crashstate_capture()
    
    [ Upstream commit b220c154832c5cd0df34cbcbcc19d7135c16e823 ]
    
    Coverity complains of a possible NULL dereference:
    
    CID 120718 (#1 of 1): Dereference null return value (NULL_RETURNS)
    23. dereference: Dereferencing a pointer that might be NULL state->bos when
        calling msm_gpu_crashstate_get_bo. [show details]
    301                        msm_gpu_crashstate_get_bo(state, submit->bos[i].obj,
    302                                submit->bos[i].iova, submit->bos[i].flags);
    
    Fix this by employing the same state->bos NULL check as is used in the next
    for loop.
    
    Cc: Rob Clark <robdclark@xxxxxxxxx>
    Cc: Sean Paul <sean@xxxxxxxxxx>
    Cc: David Airlie <airlied@xxxxxxxx>
    Cc: Daniel Vetter <daniel@xxxxxxxx>
    Cc: linux-arm-msm@xxxxxxxxxxxxxxx
    Cc: dri-devel@xxxxxxxxxxxxxxxxxxxxx
    Cc: freedreno@xxxxxxxxxxxxxxxxxxxxx
    Cc: linux-kernel@xxxxxxxxxxxxxxx
    Signed-off-by: Tim Gardner <tim.gardner@xxxxxxxxxxxxx>
    Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@xxxxxxxxxx>
    Link: https://lore.kernel.org/r/20210929162554.14295-1-tim.gardner@xxxxxxxxxxxxx
    Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@xxxxxxxxxx>
    Signed-off-by: Rob Clark <robdclark@xxxxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/gpu/drm/msm/msm_gpu.c b/drivers/gpu/drm/msm/msm_gpu.c
index 0ebf7bc6ad097..8236989828ba3 100644
--- a/drivers/gpu/drm/msm/msm_gpu.c
+++ b/drivers/gpu/drm/msm/msm_gpu.c
@@ -404,7 +404,7 @@ static void msm_gpu_crashstate_capture(struct msm_gpu *gpu,
 		state->bos = kcalloc(nr,
 			sizeof(struct msm_gpu_state_bo), GFP_KERNEL);
 
-		for (i = 0; i < submit->nr_bos; i++) {
+		for (i = 0; state->bos && i < submit->nr_bos; i++) {
 			if (should_dump(submit, i)) {
 				msm_gpu_crashstate_get_bo(state, submit->bos[i].obj,
 					submit->bos[i].iova, submit->bos[i].flags);






