Hi,
On 01/03/23 11:38 pm, Greg Kroah-Hartman wrote:
From: Dmitry Osipenko <dmitry.osipenko@xxxxxxxxxxxxx>
commit 64b88afbd92fbf434759d1896a7cf705e1c00e79 upstream.
Previous commit fixed checking of the ERR_PTR value returned by
drm_gem_shmem_get_sg_table(), but it missed to zero out the shmem->pages,
which will crash virtio_gpu_cleanup_object(). Add the missing zeroing of
the shmem->pages.
Fixes: c24968734abf ("drm/virtio: Fix NULL vs IS_ERR checking in virtio_gpu_object_shmem_init")
Reviewed-by: Emil Velikov <emil.l.velikov@xxxxxxxxx>
Signed-off-by: Dmitry Osipenko <dmitry.osipenko@xxxxxxxxxxxxx>
Link: https://urldefense.com/v3/__http://patchwork.freedesktop.org/patch/msgid/20220630200726.1884320-2-dmitry.osipenko@collabora.com__;!!ACWV5N9M2RV99hQ!KAxF_UJ7x6SleCxrpYd8Huyt4Zj4e08fd9IUL6fl1Wneipk6_LKBnYuqQ2LK0bnvWHC6dxungVXptuvz5-4QQ2zjcq_JT1ub$
Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
Signed-off-by: Ovidiu Panait <ovidiu.panait@xxxxxxxxxxxxx>
---
drivers/gpu/drm/virtio/virtgpu_object.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/gpu/drm/virtio/virtgpu_object.c
+++ b/drivers/gpu/drm/virtio/virtgpu_object.c
@@ -159,6 +159,7 @@ static int virtio_gpu_object_shmem_init(
shmem->pages = drm_gem_shmem_get_sg_table(&bo->base.base);
if (IS_ERR(shmem->pages)) {
drm_gem_shmem_unpin(&bo->base.base);
+ shmem->pages = NULL;
return PTR_ERR(shmem->pages);
}
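Review bot: The added `shmem->pages = NULL;` sits directly above `return PTR_ERR(shmem->pages);`, so the return statement reads the pointer after it has been cleared. PTR_ERR(NULL) evaluates to 0, which means the error path now reports success to the caller. Store the error code in a local variable before zeroing the pointer, then return that local.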
While doing static analysis with smatch on LTS-rc series I found this bug.
PTR_ERR(NULL) is 1/success, so we are returning success in this case,
which looks wrong.
Only 5.10.y and 5.15.y are affected. Upstream commit b5c9ed70d1a9
("drm/virtio: Improve DMA API usage for shmem BOs")
deleted this code and is present in linux-6.1.y and
linux-6.2.y, so this problem is not in the 6.1.y and 6.2.y stable releases.
I have prepared a patch for fixing this, will send it out.
Thanks,
Harshit
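The ordering problem reported in the reply above, reproduced in user space as an added example (not code from the kernel tree or from this thread). `ERR_PTR`, `PTR_ERR` and `IS_ERR` here are simplified stand-ins for the kernel helpers, and `demo_obj`, `demo_get_table` and the two init functions are hypothetical names.

```c
#include <errno.h>
#include <stdio.h>

/* Simplified user-space stand-ins for the kernel's <linux/err.h> helpers. */
#define MAX_ERRNO 4095
static inline void *ERR_PTR(long error) { return (void *)error; }
static inline long PTR_ERR(const void *ptr) { return (long)ptr; }
static inline int IS_ERR(const void *ptr)
{
	return (unsigned long)ptr >= (unsigned long)-MAX_ERRNO;
}

/* Hypothetical object; "pages" plays the role of shmem->pages. */
struct demo_obj { void *pages; };

/* Hypothetical allocator that always fails with -ENOMEM. */
static void *demo_get_table(void) { return ERR_PTR(-ENOMEM); }

/* Order from the hunk: pointer cleared first, then PTR_ERR() reads NULL. */
static int init_clear_then_read(struct demo_obj *o)
{
	o->pages = demo_get_table();
	if (IS_ERR(o->pages)) {
		o->pages = NULL;
		return PTR_ERR(o->pages);	/* reads the cleared pointer */
	}
	return 0;
}

/* Error code saved before the pointer is cleared. */
static int init_read_then_clear(struct demo_obj *o)
{
	o->pages = demo_get_table();
	if (IS_ERR(o->pages)) {
		int ret = PTR_ERR(o->pages);
		o->pages = NULL;
		return ret;
	}
	return 0;
}

int main(void)
{
	struct demo_obj a, b;
	printf("clear then read: %d\n", init_clear_then_read(&a));
	printf("read then clear: %d\n", init_read_then_clear(&b));
	return 0;
}
```

Both variants leave `pages` as NULL for the cleanup path; only the second one still tells the caller that initialization failed.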