[Intel-gfx] [PATCH] drm/i915: Add checks to prevent NULL pointer dereference
Thomas Hellström
thomas.hellstrom at linux.intel.com
Tue Nov 16 07:56:09 UTC 2021
Hi, Harish,
On 11/16/21 02:46, Harish Chegondi wrote:
> __sg_next() returns NULL if the input sg entry is the last entry in the
> list. Check the return pointer from __sg_next() to prevent NULL pointer
> dereference.
Did you actually hit a NULL pointer dereference here? I can't see how we
could hit the last entry in the list in this way since sg_alloc_table()
will either ensure we have sufficient entries or fail?
Thomas
> Cc: Matthew Auld <matthew.auld at intel.com>
> Cc: Thomas Hellström <thomas.hellstrom at linux.intel.com>
> Signed-off-by: Harish Chegondi <harish.chegondi at intel.com>
> ---
> drivers/gpu/drm/i915/i915_scatterlist.c | 10 ++++++++++
> 1 file changed, 10 insertions(+)
>
> diff --git a/drivers/gpu/drm/i915/i915_scatterlist.c b/drivers/gpu/drm/i915/i915_scatterlist.c
> index 41f2adb6a583..da9322c5d5f7 100644
> --- a/drivers/gpu/drm/i915/i915_scatterlist.c
> +++ b/drivers/gpu/drm/i915/i915_scatterlist.c
> @@ -112,6 +112,11 @@ struct i915_refct_sgt *i915_rsgt_from_mm_node(const struct drm_mm_node *node,
> if (st->nents)
> sg = __sg_next(sg);
>
> + if (!sg) {
> + sg_free_table(st);
> + i915_refct_sgt_put(rsgt);
> + return ERR_PTR(-EFAULT);
> + }
> sg_dma_address(sg) = region_start + offset;
> sg_dma_len(sg) = 0;
> sg->length = 0;
> @@ -191,6 +196,11 @@ struct i915_refct_sgt *i915_rsgt_from_buddy_resource(struct ttm_resource *res,
> if (st->nents)
> sg = __sg_next(sg);
>
> + if (!sg) {
> + sg_free_table(st);
> + i915_refct_sgt_put(rsgt);
> + return ERR_PTR(-EFAULT);
> + }
> sg_dma_address(sg) = region_start + offset;
> sg_dma_len(sg) = 0;
> sg->length = 0;
More information about the Intel-gfx
mailing list