• Pavel Skripkin's avatar
    drm/ttm: add missing NULL checks · 2dbd9c27
    Pavel Skripkin authored
    My local syzbot instance hit GPF in ttm_bo_release().
    Unfortunately, syzbot didn't produce a reproducer for this, but I
    found out possible scenario:
    
    drm_gem_vram_create()            <-- drm_gem_vram_object kzalloced
    				     (bo embedded in this object)
      ttm_bo_init()
        ttm_bo_init_reserved()
          ttm_resource_alloc()
            man->func->alloc()       <-- allocation failure
          ttm_bo_put()
    	ttm_bo_release()
    	  ttm_mem_io_free()      <-- bo->resource == NULL passed
    				     as second argument
    	     *GPF*
    
    Added NULL check inside ttm_mem_io_free() to prevent reported GPF and
    make this function NULL save in future.
    
    Same problem was in ttm_bo_move_to_lru_tail() as Christian reported.
    ttm_bo_move_to_lru_tail() is called in ttm_bo_release() and mem pointer
    can be NULL as well as in ttm_mem_io_free().
    
    Fail log:
    
    KASAN: null-ptr-deref in range [0x0000000000000020-0x0000000000000027]
    ...
    RIP: 0010:ttm_mem_io_free+0x28/0x170 drivers/gpu/drm/ttm/ttm_bo_util.c:66
    ..
    Call Trace:
     ttm_bo_release+0xd94/0x10a0 drivers/gpu/drm/ttm/ttm_bo.c:422
     kref_put include/linux/kref.h:65 [inline]
     ttm_bo_put drivers/gpu/drm/ttm/ttm_bo.c:470 [inline]
     ttm_bo_init_reserved+0x7cb/0x960 drivers/gpu/drm/ttm/ttm_bo.c:1050
     ttm_bo_init+0x105/0x270 drivers/gpu/drm/ttm/ttm_bo.c:1074
     drm_gem_vram_create+0x332/0x4c0 drivers/gpu/drm/drm_gem_vram_helper.c:228
    
    Fixes: d3116756 ("drm/ttm: rename bo->mem and make it a pointer")
    Signed-off-by: default avatarPavel Skripkin <paskripkin@gmail.com>
    Reviewed-by: default avatarChristian König <christian.koenig@amd.com>
    Signed-off-by: default avatarChristian König <christian.koenig@amd.com>
    Link: https://patchwork.freedesktop.org/patch/msgid/20210708112518.17271-1-paskripkin@gmail.com
    2dbd9c27
ttm_bo.c 29.2 KB