[PATCH] drm/amdgpu: Fix null pointer access of BO
Christian König
christian.koenig at amd.com
Thu Dec 2 08:10:48 UTC 2021
On 02.12.21 at 05:55, xinhui pan wrote:
> TTM wants bo->resource to be valid during the BO's life.
> But ttm_bo_mem_space might fail and bo->resource would point to NULL. Much code
> touches bo->resource and then hits a panic.
>
> As old and new mem might overlap, moving ttm_resource_free after
> ttm_bo_mem_space is not an option.
> We could assign one sysmem node to BO to make bo->resource valid.
>
> Signed-off-by: xinhui pan <xinhui.pan at amd.com>
> ---
> drivers/gpu/drm/amd/amdgpu/amdgpu_object.c | 14 ++++++++++++--
> 1 file changed, 12 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_object.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_object.c
> index c4317343967f..697fac0b82a3 100644
> --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_object.c
> +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_object.c
> @@ -359,6 +359,7 @@ int amdgpu_bo_create_kernel_at(struct amdgpu_device *adev,
> struct amdgpu_bo **bo_ptr, void **cpu_addr)
> {
> struct ttm_operation_ctx ctx = { false, false };
> + struct ttm_resource *tmp_res;
> unsigned int i;
> int r;
>
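Review bot: tmp_res is declared here without an initializer and is only ever written through the out-parameter of ttm_bo_mem_space() in the next hunk. Initializing it to NULL at the declaration would keep it from being indeterminate if the error path is later changed to look at it, and a name that says what it holds (the newly allocated resource) would read better than tmp_res, since it is reused for two different allocations.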
> @@ -380,17 +381,26 @@ int amdgpu_bo_create_kernel_at(struct amdgpu_device *adev,
> if (cpu_addr)
> amdgpu_bo_kunmap(*bo_ptr);
>
> - ttm_resource_free(&(*bo_ptr)->tbo, &(*bo_ptr)->tbo.resource);
> + /* Assign one sysmem node to BO as we want bo->resource to be valid. */
> + amdgpu_bo_placement_from_domain(*bo_ptr, AMDGPU_GEM_DOMAIN_CPU);
> + r = ttm_bo_mem_space(&(*bo_ptr)->tbo, &(*bo_ptr)->placement,
> + &tmp_res, &ctx);
> + if (r)
> + goto error;
> +
> + ttm_bo_move_null(&(*bo_ptr)->tbo, tmp_res);

That's much easier to fix if you just create the BO in the CPU domain
in the first place.

E.g. modify the call to amdgpu_bo_create_reserved() above to use
AMDGPU_GEM_DOMAIN_CPU instead of the provided one.

This way you can indeed move the ttm_resource_free() after the assignment.

Regards,
Christian.

>
> for (i = 0; i < (*bo_ptr)->placement.num_placement; ++i) {
> (*bo_ptr)->placements[i].fpfn = offset >> PAGE_SHIFT;
> (*bo_ptr)->placements[i].lpfn = (offset + size) >> PAGE_SHIFT;
> }
> r = ttm_bo_mem_space(&(*bo_ptr)->tbo, &(*bo_ptr)->placement,
> - &(*bo_ptr)->tbo.resource, &ctx);
> + &tmp_res, &ctx);
> if (r)
> goto error;
>
> + ttm_bo_move_null(&(*bo_ptr)->tbo, tmp_res);
> +
> if (cpu_addr) {
> r = amdgpu_bo_kmap(*bo_ptr, cpu_addr);
> if (r)
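Review bot: amdgpu_bo_placement_from_domain(*bo_ptr, AMDGPU_GEM_DOMAIN_CPU) overwrites (*bo_ptr)->placement, and the unchanged loop that follows sets fpfn/lpfn on that same placement before the second ttm_bo_mem_space() call. Nothing in the visible lines restores the placement for the originally requested domain, so the second allocation looks like it would be made against the CPU-domain placement rather than at the requested offset. Either call amdgpu_bo_placement_from_domain() again with the caller's domain before the loop, or build the temporary sysmem placement in a local struct ttm_placement so the BO's own placement is left alone. The hunk also removes the ttm_resource_free() call without a replacement in view; a comment stating where the previous resource is released on each ttm_bo_move_null() call would make the ownership clear.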