[PATCH v2] drm/amdgpu: Fix null pointer access of BO

xinhui pan xinhui.pan at amd.com
Fri Dec 3 01:39:33 UTC 2021 

TTM want bo->resource to be valid during BO's life.
But ttm_bo_mem_space might fail and bo->resource point to NULL. Many code
touch bo->resource and hit panic then.

As old and new mem might overlap, move ttm_resource_free after
ttm_bo_mem_space is not an option.
Lets create BO in CPU domain first then alloc memory from specific
domain.

Suggested-by: Christian König <christian.koenig at amd.com>
Signed-off-by: xinhui pan <xinhui.pan at amd.com>
---
 drivers/gpu/drm/amd/amdgpu/amdgpu_object.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_object.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_object.c
index c4317343967f..46036ea79335 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_object.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_object.c
@@ -359,13 +359,15 @@ int amdgpu_bo_create_kernel_at(struct amdgpu_device *adev,
 			       struct amdgpu_bo **bo_ptr, void **cpu_addr)
 {
 	struct ttm_operation_ctx ctx = { false, false };
+	struct ttm_resource *tmp_res;
 	unsigned int i;
 	int r;
 
 	offset &= PAGE_MASK;
 	size = ALIGN(size, PAGE_SIZE);
 
-	r = amdgpu_bo_create_reserved(adev, size, PAGE_SIZE, domain, bo_ptr,
+	r = amdgpu_bo_create_reserved(adev, size, PAGE_SIZE,
+				      AMDGPU_GEM_DOMAIN_CPU, bo_ptr,
 				      NULL, cpu_addr);
 	if (r)
 		return r;
@@ -380,17 +382,18 @@ int amdgpu_bo_create_kernel_at(struct amdgpu_device *adev,
 	if (cpu_addr)
 		amdgpu_bo_kunmap(*bo_ptr);
 
-	ttm_resource_free(&(*bo_ptr)->tbo, &(*bo_ptr)->tbo.resource);
-
+	amdgpu_bo_placement_from_domain(*bo_ptr, domain);
 	for (i = 0; i < (*bo_ptr)->placement.num_placement; ++i) {
 		(*bo_ptr)->placements[i].fpfn = offset >> PAGE_SHIFT;
 		(*bo_ptr)->placements[i].lpfn = (offset + size) >> PAGE_SHIFT;
 	}
 	r = ttm_bo_mem_space(&(*bo_ptr)->tbo, &(*bo_ptr)->placement,
-			     &(*bo_ptr)->tbo.resource, &ctx);
+			     &tmp_res, &ctx);
 	if (r)
 		goto error;
 
+	ttm_bo_move_null(&(*bo_ptr)->tbo, tmp_res);
+
 	if (cpu_addr) {
 		r = amdgpu_bo_kmap(*bo_ptr, cpu_addr);
 		if (r)
-- 
2.25.1

More information about the amd-gfx mailing list