[bug report] drm/ttm: TTM fault handler helpers

Dan Carpenter dan.carpenter at oracle.com
Thu Jun 27 07:51:38 UTC 2019 

Hello Thomas Hellstrom,

This is a semi-automatic email about new static checker warnings.

The patch 7a39f35ce43f: "drm/ttm: TTM fault handler helpers" from Feb 
6, 2019, leads to the following Smatch complaint:

    drivers/gpu/drm/ttm/ttm_bo_vm.c:266 ttm_bo_vm_fault_reserved()
    error: we previously assumed 'bo->ttm' could be null (see line 204)

drivers/gpu/drm/ttm/ttm_bo_vm.c
   203		 */
   204		if (bo->ttm && (bo->ttm->page_flags & TTM_PAGE_FLAG_SG))
                    ^^^^^^^
Check for NULL.

   205			return VM_FAULT_SIGBUS;
   206	
   207		if (bdev->driver->fault_reserve_notify) {
   208			struct dma_fence *moving = dma_fence_get(bo->moving);
   209	
   210			err = bdev->driver->fault_reserve_notify(bo);
   211			switch (err) {
   212			case 0:
   213				break;
   214			case -EBUSY:
   215			case -ERESTARTSYS:
   216				return VM_FAULT_NOPAGE;
   217			default:
   218				return VM_FAULT_SIGBUS;
   219			}
   220	
   221			if (bo->moving != moving) {
   222				spin_lock(&bdev->glob->lru_lock);
   223				ttm_bo_move_to_lru_tail(bo, NULL);
   224				spin_unlock(&bdev->glob->lru_lock);
   225			}
   226			dma_fence_put(moving);
   227		}
   228	
   229		/*
   230		 * Wait for buffer data in transit, due to a pipelined
   231		 * move.
   232		 */
   233		ret = ttm_bo_vm_fault_idle(bo, vmf);
   234		if (unlikely(ret != 0))
   235			return ret;
   236	
   237		err = ttm_mem_io_lock(man, true);
   238		if (unlikely(err != 0))
   239			return VM_FAULT_NOPAGE;
   240		err = ttm_mem_io_reserve_vm(bo);
   241		if (unlikely(err != 0)) {
   242			ret = VM_FAULT_SIGBUS;
   243			goto out_io_unlock;
   244		}
   245	
   246		page_offset = ((address - vma->vm_start) >> PAGE_SHIFT) +
   247			vma->vm_pgoff - drm_vma_node_start(&bo->vma_node);
   248		page_last = vma_pages(vma) + vma->vm_pgoff -
   249			drm_vma_node_start(&bo->vma_node);
   250	
   251		if (unlikely(page_offset >= bo->num_pages)) {
   252			ret = VM_FAULT_SIGBUS;
   253			goto out_io_unlock;
   254		}
   255	
   256		cvma.vm_page_prot = ttm_io_prot(bo->mem.placement, prot);
   257		if (!bo->mem.bus.is_iomem) {
   258			struct ttm_operation_ctx ctx = {
   259				.interruptible = false,
   260				.no_wait_gpu = false,
   261				.flags = TTM_OPT_FLAG_FORCE_ALLOC
   262	
   263			};
   264	
   265			ttm = bo->ttm;
   266			if (ttm_tt_populate(bo->ttm, &ctx)) {
                                            ^^^^^^^
Unchecked dereference inside ttm_tt_populate() function.

   267				ret = VM_FAULT_OOM;
   268				goto out_io_unlock;

regards,
dan carpenter

More information about the dri-devel mailing list