* drivers/gpu/drm/i915/gem/i915_gem_mman.c:961:20: error: dereference of NULL 'mmo' [CWE-476]
@ 2022-08-04 20:26 kernel test robot
0 siblings, 0 replies; only message in thread
From: kernel test robot @ 2022-08-04 20:26 UTC (permalink / raw)
To: kbuild
[-- Attachment #1: Type: text/plain, Size: 16492 bytes --]
::::::
:::::: Manual check reason: "low confidence bisect report"
::::::
BCC: lkp(a)intel.com
CC: kbuild-all(a)lists.01.org
CC: linux-kernel(a)vger.kernel.org
TO: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
CC: "Thomas Hellström" <thomas.hellstrom@linux.intel.com>
tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
head: b44f2fd87919b5ae6e1756d4c7ba2cbba22238e1
commit: cf3e3e86d77970211e0983130e896ae242601003 drm/i915: Use ttm mmap handling for ttm bo's.
date: 1 year, 2 months ago
:::::: branch date: 18 hours ago
:::::: commit date: 1 year, 2 months ago
config: x86_64-randconfig-c001-20220801 (https://download.01.org/0day-ci/archive/20220805/202208050420.DMCkrna5-lkp(a)intel.com/config)
compiler: gcc-11 (Debian 11.3.0-3) 11.3.0
reproduce (this is a W=1 build):
# https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=cf3e3e86d77970211e0983130e896ae242601003
git remote add linus https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
git fetch --no-tags linus master
git checkout cf3e3e86d77970211e0983130e896ae242601003
# save the config file
make
If you fix the issue, kindly add following tag where applicable
Reported-by: kernel test robot <lkp@intel.com>
All errors (new ones prefixed by >>):
drivers/gpu/drm/i915/gem/i915_gem_mman.c: In function 'i915_gem_mmap':
>> drivers/gpu/drm/i915/gem/i915_gem_mman.c:961:20: error: dereference of NULL 'mmo' [CWE-476] [-Werror=analyzer-null-dereference]
961 | switch (mmo->mmap_type) {
| ~~~^~~~~~~~~~~
'i915_gem_mmap': events 1-4
|
| 880 | int i915_gem_mmap(struct file *filp, struct vm_area_struct *vma)
| | ^~~~~~~~~~~~~
| | |
| | (1) entry to 'i915_gem_mmap'
|......
| 889 | if (drm_dev_is_unplugged(dev))
| | ~
| | |
| | (2) following 'false' branch...
|......
| 892 | rcu_read_lock();
| | ~~~~~~~~~~~~~
| | |
| | (3) ...to here
| 893 | drm_vma_offset_lock_lookup(dev->vma_offset_manager);
| 894 | node = drm_vma_offset_exact_lookup_locked(dev->vma_offset_manager,
| | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| | |
| | (4) calling 'drm_vma_offset_exact_lookup_locked' from 'i915_gem_mmap'
| 895 | vma->vm_pgoff,
| | ~~~~~~~~~~~~~~
| 896 | vma_pages(vma));
| | ~~~~~~~~~~~~~~~
|
+--> 'drm_vma_offset_exact_lookup_locked': event 5
|
|include/drm/drm_vma_manager.h:95:1:
| 95 | drm_vma_offset_exact_lookup_locked(struct drm_vma_offset_manager *mgr,
| | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| | |
| | (5) entry to 'drm_vma_offset_exact_lookup_locked'
|
'drm_vma_offset_exact_lookup_locked': event 6
|
| 102 | return (node && node->vm_node.start == start) ? node : NULL;
|
'drm_vma_offset_exact_lookup_locked': event 7
|
| 102 | return (node && node->vm_node.start == start) ? node : NULL;
|
<------+
|
'i915_gem_mmap': events 8-13
|
|drivers/gpu/drm/i915/gem/i915_gem_mman.c:894:16:
| 894 | node = drm_vma_offset_exact_lookup_locked(dev->vma_offset_manager,
| | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| | |
| | (8) returning to 'i915_gem_mmap' from 'drm_vma_offset_exact_lookup_locked'
| 895 | vma->vm_pgoff,
| | ~~~~~~~~~~~~~~
| 896 | vma_pages(vma));
| | ~~~~~~~~~~~~~~~
| 897 | if (node && drm_vma_node_is_allowed(node, priv)) {
| | ~
| | |
| | (9) following 'true' branch...
|......
| 903 | if (!node->driver_private) {
| | ~~ ~
| | | |
| | | (11) following 'false' branch...
| | (10) ...to here
|......
| 909 | obj = i915_gem_object_get_rcu
| | ~~~ ~~~~~~~~~~~~~~~~~~~~~~~
| | | |
| | | (13) calling 'i915_gem_object_get_rcu' from 'i915_gem_mmap'
| | (12) ...to here
| 910 | (container_of(node, struct drm_i915_gem_object,
| | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| 911 | base.vma_node));
| | ~~~~~~~~~~~~~~~
|
+--> 'i915_gem_object_get_rcu': events 14-15
|
|drivers/gpu/drm/i915/gem/i915_gem_object.h:105:1:
| 105 | i915_gem_object_get_rcu(struct drm_i915_gem_object *obj)
| | ^~~~~~~~~~~~~~~~~~~~~~~
| | |
| | (14) entry to 'i915_gem_object_get_rcu'
| 106 | {
| 107 | if (obj && !kref_get_unless_zero(&obj->base.refcount))
| | ~
| | |
| | (15) following 'true' branch (when 'obj' is non-NULL)...
|
'i915_gem_object_get_rcu': events 16-17
|
|include/linux/kref.h:111:9:
| 111 | return refcount_inc_not_zero(&kref->refcount);
| | ^~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| | | |
| | | (17) calling 'refcount_inc_not_zero' from 'i915_gem_object_get_rcu'
| | (16) ...to here
|
vim +/mmo +961 drivers/gpu/drm/i915/gem/i915_gem_mman.c
f17b898009d8c9 Chris Wilson 2020-01-01 873
cc662126b4134e Abdiel Janulgue 2019-12-04 874 /*
cc662126b4134e Abdiel Janulgue 2019-12-04 875 * This overcomes the limitation in drm_gem_mmap's assignment of a
cc662126b4134e Abdiel Janulgue 2019-12-04 876 * drm_gem_object as the vma->vm_private_data. Since we need to
cc662126b4134e Abdiel Janulgue 2019-12-04 877 * be able to resolve multiple mmap offsets which could be tied
cc662126b4134e Abdiel Janulgue 2019-12-04 878 * to a single gem object.
cc662126b4134e Abdiel Janulgue 2019-12-04 879 */
cc662126b4134e Abdiel Janulgue 2019-12-04 880 int i915_gem_mmap(struct file *filp, struct vm_area_struct *vma)
cc662126b4134e Abdiel Janulgue 2019-12-04 881 {
cc662126b4134e Abdiel Janulgue 2019-12-04 882 struct drm_vma_offset_node *node;
cc662126b4134e Abdiel Janulgue 2019-12-04 883 struct drm_file *priv = filp->private_data;
cc662126b4134e Abdiel Janulgue 2019-12-04 884 struct drm_device *dev = priv->minor->dev;
280d14a69da2e7 Chris Wilson 2020-01-30 885 struct drm_i915_gem_object *obj = NULL;
cc662126b4134e Abdiel Janulgue 2019-12-04 886 struct i915_mmap_offset *mmo = NULL;
f17b898009d8c9 Chris Wilson 2020-01-01 887 struct file *anon;
cc662126b4134e Abdiel Janulgue 2019-12-04 888
cc662126b4134e Abdiel Janulgue 2019-12-04 889 if (drm_dev_is_unplugged(dev))
cc662126b4134e Abdiel Janulgue 2019-12-04 890 return -ENODEV;
cc662126b4134e Abdiel Janulgue 2019-12-04 891
280d14a69da2e7 Chris Wilson 2020-01-30 892 rcu_read_lock();
cc662126b4134e Abdiel Janulgue 2019-12-04 893 drm_vma_offset_lock_lookup(dev->vma_offset_manager);
cc662126b4134e Abdiel Janulgue 2019-12-04 894 node = drm_vma_offset_exact_lookup_locked(dev->vma_offset_manager,
cc662126b4134e Abdiel Janulgue 2019-12-04 895 vma->vm_pgoff,
cc662126b4134e Abdiel Janulgue 2019-12-04 896 vma_pages(vma));
280d14a69da2e7 Chris Wilson 2020-01-30 897 if (node && drm_vma_node_is_allowed(node, priv)) {
cc662126b4134e Abdiel Janulgue 2019-12-04 898 /*
cc662126b4134e Abdiel Janulgue 2019-12-04 899 * Skip 0-refcnted objects as it is in the process of being
cc662126b4134e Abdiel Janulgue 2019-12-04 900 * destroyed and will be invalid when the vma manager lock
cc662126b4134e Abdiel Janulgue 2019-12-04 901 * is released.
cc662126b4134e Abdiel Janulgue 2019-12-04 902 */
cf3e3e86d77970 Maarten Lankhorst 2021-06-10 903 if (!node->driver_private) {
280d14a69da2e7 Chris Wilson 2020-01-30 904 mmo = container_of(node, struct i915_mmap_offset, vma_node);
280d14a69da2e7 Chris Wilson 2020-01-30 905 obj = i915_gem_object_get_rcu(mmo->obj);
cf3e3e86d77970 Maarten Lankhorst 2021-06-10 906
cf3e3e86d77970 Maarten Lankhorst 2021-06-10 907 GEM_BUG_ON(obj && obj->ops->mmap_ops);
cf3e3e86d77970 Maarten Lankhorst 2021-06-10 908 } else {
cf3e3e86d77970 Maarten Lankhorst 2021-06-10 909 obj = i915_gem_object_get_rcu
cf3e3e86d77970 Maarten Lankhorst 2021-06-10 910 (container_of(node, struct drm_i915_gem_object,
cf3e3e86d77970 Maarten Lankhorst 2021-06-10 911 base.vma_node));
cf3e3e86d77970 Maarten Lankhorst 2021-06-10 912
cf3e3e86d77970 Maarten Lankhorst 2021-06-10 913 GEM_BUG_ON(obj && !obj->ops->mmap_ops);
cf3e3e86d77970 Maarten Lankhorst 2021-06-10 914 }
cc662126b4134e Abdiel Janulgue 2019-12-04 915 }
cc662126b4134e Abdiel Janulgue 2019-12-04 916 drm_vma_offset_unlock_lookup(dev->vma_offset_manager);
280d14a69da2e7 Chris Wilson 2020-01-30 917 rcu_read_unlock();
cc662126b4134e Abdiel Janulgue 2019-12-04 918 if (!obj)
280d14a69da2e7 Chris Wilson 2020-01-30 919 return node ? -EACCES : -EINVAL;
cc662126b4134e Abdiel Janulgue 2019-12-04 920
280d14a69da2e7 Chris Wilson 2020-01-30 921 if (i915_gem_object_is_readonly(obj)) {
cc662126b4134e Abdiel Janulgue 2019-12-04 922 if (vma->vm_flags & VM_WRITE) {
280d14a69da2e7 Chris Wilson 2020-01-30 923 i915_gem_object_put(obj);
cc662126b4134e Abdiel Janulgue 2019-12-04 924 return -EINVAL;
cc662126b4134e Abdiel Janulgue 2019-12-04 925 }
cc662126b4134e Abdiel Janulgue 2019-12-04 926 vma->vm_flags &= ~VM_MAYWRITE;
cc662126b4134e Abdiel Janulgue 2019-12-04 927 }
cc662126b4134e Abdiel Janulgue 2019-12-04 928
280d14a69da2e7 Chris Wilson 2020-01-30 929 anon = mmap_singleton(to_i915(dev));
f17b898009d8c9 Chris Wilson 2020-01-01 930 if (IS_ERR(anon)) {
280d14a69da2e7 Chris Wilson 2020-01-30 931 i915_gem_object_put(obj);
f17b898009d8c9 Chris Wilson 2020-01-01 932 return PTR_ERR(anon);
f17b898009d8c9 Chris Wilson 2020-01-01 933 }
f17b898009d8c9 Chris Wilson 2020-01-01 934
cc662126b4134e Abdiel Janulgue 2019-12-04 935 vma->vm_flags |= VM_PFNMAP | VM_DONTEXPAND | VM_DONTDUMP;
cf3e3e86d77970 Maarten Lankhorst 2021-06-10 936
cf3e3e86d77970 Maarten Lankhorst 2021-06-10 937 if (i915_gem_object_has_iomem(obj))
cf3e3e86d77970 Maarten Lankhorst 2021-06-10 938 vma->vm_flags |= VM_IO;
cc662126b4134e Abdiel Janulgue 2019-12-04 939
f17b898009d8c9 Chris Wilson 2020-01-01 940 /*
f17b898009d8c9 Chris Wilson 2020-01-01 941 * We keep the ref on mmo->obj, not vm_file, but we require
f17b898009d8c9 Chris Wilson 2020-01-01 942 * vma->vm_file->f_mapping, see vma_link(), for later revocation.
f17b898009d8c9 Chris Wilson 2020-01-01 943 * Our userspace is accustomed to having per-file resource cleanup
f17b898009d8c9 Chris Wilson 2020-01-01 944 * (i.e. contexts, objects and requests) on their close(fd), which
f17b898009d8c9 Chris Wilson 2020-01-01 945 * requires avoiding extraneous references to their filp, hence why
f17b898009d8c9 Chris Wilson 2020-01-01 946 * we prefer to use an anonymous file for their mmaps.
f17b898009d8c9 Chris Wilson 2020-01-01 947 */
295992fb815e79 Christian König 2020-09-14 948 vma_set_file(vma, anon);
295992fb815e79 Christian König 2020-09-14 949 /* Drop the initial creation reference, the vma is now holding one. */
295992fb815e79 Christian König 2020-09-14 950 fput(anon);
f17b898009d8c9 Chris Wilson 2020-01-01 951
cf3e3e86d77970 Maarten Lankhorst 2021-06-10 952 if (obj->ops->mmap_ops) {
cf3e3e86d77970 Maarten Lankhorst 2021-06-10 953 vma->vm_page_prot = pgprot_decrypted(vm_get_page_prot(vma->vm_flags));
cf3e3e86d77970 Maarten Lankhorst 2021-06-10 954 vma->vm_ops = obj->ops->mmap_ops;
cf3e3e86d77970 Maarten Lankhorst 2021-06-10 955 vma->vm_private_data = node->driver_private;
cf3e3e86d77970 Maarten Lankhorst 2021-06-10 956 return 0;
cf3e3e86d77970 Maarten Lankhorst 2021-06-10 957 }
cf3e3e86d77970 Maarten Lankhorst 2021-06-10 958
cf3e3e86d77970 Maarten Lankhorst 2021-06-10 959 vma->vm_private_data = mmo;
cf3e3e86d77970 Maarten Lankhorst 2021-06-10 960
cc662126b4134e Abdiel Janulgue 2019-12-04 @961 switch (mmo->mmap_type) {
cc662126b4134e Abdiel Janulgue 2019-12-04 962 case I915_MMAP_TYPE_WC:
cc662126b4134e Abdiel Janulgue 2019-12-04 963 vma->vm_page_prot =
cc662126b4134e Abdiel Janulgue 2019-12-04 964 pgprot_writecombine(vm_get_page_prot(vma->vm_flags));
cc662126b4134e Abdiel Janulgue 2019-12-04 965 vma->vm_ops = &vm_ops_cpu;
cc662126b4134e Abdiel Janulgue 2019-12-04 966 break;
cc662126b4134e Abdiel Janulgue 2019-12-04 967
cc662126b4134e Abdiel Janulgue 2019-12-04 968 case I915_MMAP_TYPE_WB:
cc662126b4134e Abdiel Janulgue 2019-12-04 969 vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
cc662126b4134e Abdiel Janulgue 2019-12-04 970 vma->vm_ops = &vm_ops_cpu;
cc662126b4134e Abdiel Janulgue 2019-12-04 971 break;
cc662126b4134e Abdiel Janulgue 2019-12-04 972
cc662126b4134e Abdiel Janulgue 2019-12-04 973 case I915_MMAP_TYPE_UC:
cc662126b4134e Abdiel Janulgue 2019-12-04 974 vma->vm_page_prot =
cc662126b4134e Abdiel Janulgue 2019-12-04 975 pgprot_noncached(vm_get_page_prot(vma->vm_flags));
cc662126b4134e Abdiel Janulgue 2019-12-04 976 vma->vm_ops = &vm_ops_cpu;
cc662126b4134e Abdiel Janulgue 2019-12-04 977 break;
cc662126b4134e Abdiel Janulgue 2019-12-04 978
cc662126b4134e Abdiel Janulgue 2019-12-04 979 case I915_MMAP_TYPE_GTT:
cc662126b4134e Abdiel Janulgue 2019-12-04 980 vma->vm_page_prot =
cc662126b4134e Abdiel Janulgue 2019-12-04 981 pgprot_writecombine(vm_get_page_prot(vma->vm_flags));
cc662126b4134e Abdiel Janulgue 2019-12-04 982 vma->vm_ops = &vm_ops_gtt;
cc662126b4134e Abdiel Janulgue 2019-12-04 983 break;
cc662126b4134e Abdiel Janulgue 2019-12-04 984 }
cc662126b4134e Abdiel Janulgue 2019-12-04 985 vma->vm_page_prot = pgprot_decrypted(vma->vm_page_prot);
cc662126b4134e Abdiel Janulgue 2019-12-04 986
cc662126b4134e Abdiel Janulgue 2019-12-04 987 return 0;
b414fcd5be0b00 Chris Wilson 2019-05-28 988 }
b414fcd5be0b00 Chris Wilson 2019-05-28 989
:::::: The code at line 961 was first introduced by commit
:::::: cc662126b4134e25fcfb6cad480de0fa95a4d3d8 drm/i915: Introduce DRM_I915_GEM_MMAP_OFFSET
:::::: TO: Abdiel Janulgue <abdiel.janulgue@linux.intel.com>
:::::: CC: Chris Wilson <chris@chris-wilson.co.uk>
--
0-DAY CI Kernel Test Service
https://01.org/lkp
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2022-08-04 20:26 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2022-08-04 20:26 drivers/gpu/drm/i915/gem/i915_gem_mman.c:961:20: error: dereference of NULL 'mmo' [CWE-476] kernel test robot
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.