Re: [PATCH] drm/via: Add new condition to via_dma_cleanup()
On Fri, Jul 29, 2022 at 12:06:43PM +0300, Alisa Khabibrakhmanova wrote: > Pointer dev_priv->mmio, which was checked for NULL at via_do_init_map(), > is passed to via_do_cleanup_map() and is dereferenced there without check. > > The patch adds the condition in via_dma_cleanup() which prevents potential > NULL > pointer dereference. > > Found by Linux Verification Center (linuxtesting.org) with SVACE. > > Fixes: 22f579c621e2 ("drm: Add via unichrome support") > Signed-off-by: Alisa Khabibrakhmanova This seems to have fallen through cracks, I applied it to drm-misc-next now. Thanks for your patch. -Daniel > --- > drivers/gpu/drm/via/via_dri1.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/gpu/drm/via/via_dri1.c b/drivers/gpu/drm/via/via_dri1.c > index d695d9291ece..691e3ceb0062 100644 > --- a/drivers/gpu/drm/via/via_dri1.c > +++ b/drivers/gpu/drm/via/via_dri1.c > @@ -2961,7 +2961,7 @@ int via_dma_cleanup(struct drm_device *dev) > drm_via_private_t *dev_priv = > (drm_via_private_t *) dev->dev_private; > > - if (dev_priv->ring.virtual_start) { > + if (dev_priv->ring.virtual_start && dev_priv->mmio) { > via_cmdbuf_reset(dev_priv); > > drm_legacy_ioremapfree(&dev_priv->ring.map, dev); > -- > 2.34.1 > -- Daniel Vetter Software Engineer, Intel Corporation http://blog.ffwll.ch
[PATCH] drm/via: Add new condition to via_dma_cleanup()
Pointer dev_priv->mmio, which was checked for NULL at via_do_init_map(), is passed to via_do_cleanup_map() and is dereferenced there without check. The patch adds the condition in via_dma_cleanup() which prevents potential NULL pointer dereference. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: 22f579c621e2 ("drm: Add via unichrome support") Signed-off-by: Alisa Khabibrakhmanova --- drivers/gpu/drm/via/via_dri1.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/via/via_dri1.c b/drivers/gpu/drm/via/via_dri1.c index d695d9291ece..691e3ceb0062 100644 --- a/drivers/gpu/drm/via/via_dri1.c +++ b/drivers/gpu/drm/via/via_dri1.c @@ -2961,7 +2961,7 @@ int via_dma_cleanup(struct drm_device *dev) drm_via_private_t *dev_priv = (drm_via_private_t *) dev->dev_private; - if (dev_priv->ring.virtual_start) { + if (dev_priv->ring.virtual_start && dev_priv->mmio) { via_cmdbuf_reset(dev_priv); drm_legacy_ioremapfree(&dev_priv->ring.map, dev); -- 2.34.1
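Review bot: in via_dma_cleanup(), folding dev_priv->mmio into the outer condition also skips drm_legacy_ioremapfree(&dev_priv->ring.map, dev) whenever ring.virtual_start is set but mmio is NULL, so on that path the ring mapping shown in this block is never released. If only via_cmdbuf_reset(dev_priv) depends on the MMIO mapping, keep `if (dev_priv->ring.virtual_start) {` as the outer test and guard just the reset call with `if (dev_priv->mmio)`, so the ring cleanup still runs.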
Re: [PATCH] drm/via: Add new condition to via_dma_cleanup()
Hi Alisa,

On Mon, Jul 25, 2022 at 01:45:55PM +0300, Alisa Khabibrakhmanova wrote:
> Pointer dev_priv->mmio, which was checked for NULL at via_do_init_map(),
> is passed to via_do_cleanup_map() and is dereferenced there without check.
>
> The patch adds the condition in via_dma_cleanup() which prevents potential
> NULL pointer dereference.
>
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>
> Fixes: 22f579c621e2 ("drm: Add via unichrome support")
> Signed-off-by: Alisa Khabibrakhmanova

Thanks for your patch.
Due to other changes in drm-misc, where we maintain the via driver, this patch fails to apply.
It would be great if you could redo the patch after -rc2 - on top of -next. Then we can apply it to drm-misc.

You will see that the individual files for the driver are merged to a single file, and this change does not hit -next until later.

Sam
[PATCH] drm/via: Add new condition to via_dma_cleanup()
Pointer dev_priv->mmio, which was checked for NULL at via_do_init_map(), is passed to via_do_cleanup_map() and is dereferenced there without check. The patch adds the condition in via_dma_cleanup() which prevents potential NULL pointer dereference. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: 22f579c621e2 ("drm: Add via unichrome support") Signed-off-by: Alisa Khabibrakhmanova --- drivers/gpu/drm/via/via_dma.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/via/via_dma.c b/drivers/gpu/drm/via/via_dma.c index 177b0499abf1..56bcbbf4ed54 100644 --- a/drivers/gpu/drm/via/via_dma.c +++ b/drivers/gpu/drm/via/via_dma.c @@ -164,7 +164,7 @@ int via_dma_cleanup(struct drm_device *dev) drm_via_private_t *dev_priv = (drm_via_private_t *) dev->dev_private; - if (dev_priv->ring.virtual_start) { + if (dev_priv->ring.virtual_start && dev_priv->mmio) { via_cmdbuf_reset(dev_priv); drm_legacy_ioremapfree(&dev_priv->ring.map, dev); -- 2.34.1
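Review bot: the commit message places the unchecked dereference in via_do_cleanup_map(), but the guard added at `if (dev_priv->ring.virtual_start && dev_priv->mmio) {` covers via_cmdbuf_reset() and drm_legacy_ioremapfree(), and via_do_cleanup_map() does not appear anywhere in this hunk. The message should name the call inside this block that reaches the dereference of dev_priv->mmio, or a short comment above the condition should say why mmio can be NULL here while ring.virtual_start is set, so the reason for the extra test is clear to the next reader.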