From: Matthew Auld <matthew.auld@intel.com>
To: Jonathan Cavitt <jonathan.cavitt@intel.com>,
intel-gfx@lists.freedesktop.org
Cc: andrzej.hajda@intel.com, nirmoy.das@intel.com
Subject: Re: [Intel-gfx] [PATCH] drm/i915/ttm: Fix access_memory null pointer exception
Date: Fri, 14 Oct 2022 09:39:52 +0100 [thread overview]
Message-ID: <43b8728b-4f05-3f32-d794-7b94ba65480c@intel.com> (raw)
In-Reply-To: <20221013175650.1769399-1-jonathan.cavitt@intel.com>
On 13/10/2022 18:56, Jonathan Cavitt wrote:
> i915_ttm_to_gem can return a NULL pointer, which is
> dereferenced in i915_ttm_access_memory without first
> checking if it is NULL. Inspecting
> i915_ttm_io_mem_reserve, it appears the correct
> behavior in this case is to return -EINVAL.
The GEM object has already been dereferenced before this point, if you
look at the caller (vm_access_ttm). The NULL obj thing is to identify
"ttm ghost objects", and I don't think a normal userpace object can
suddenly become one (access_memory comes from ptrace). AFAIK ghost
objects are just for temporarily hanging on to some memory/state, while
the dma-resv is busy. In the places where ttm is the one giving us the
object, then it might be possible to see these types of objects, since
ttm could in theory pass one in (like during eviction).
>
> Fixes: 26b15eb0 ("drm/i915/ttm: implement access_memory")
> Signed-off-by: Jonathan Cavitt <jonathan.cavitt@intel.com>
> Suggested-by: John C Harrison <John.C.Harrison@intel.com>
> CC: Matthew Auld <matthew.auld@intel.com>
> CC: Andrzej Hajda <andrzej.hajda@intel.com>
> CC: Nirmoy Das <nirmoy.das@intel.com>
> CC: Andi Shyti <andi.shyti@linux.intel.com>
> ---
> drivers/gpu/drm/i915/gem/i915_gem_ttm.c | 9 +++++++--
> 1 file changed, 7 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/gpu/drm/i915/gem/i915_gem_ttm.c b/drivers/gpu/drm/i915/gem/i915_gem_ttm.c
> index d63f30efd631..b569624f2ed9 100644
> --- a/drivers/gpu/drm/i915/gem/i915_gem_ttm.c
> +++ b/drivers/gpu/drm/i915/gem/i915_gem_ttm.c
> @@ -704,11 +704,16 @@ static int i915_ttm_access_memory(struct ttm_buffer_object *bo,
> int len, int write)
> {
> struct drm_i915_gem_object *obj = i915_ttm_to_gem(bo);
> - resource_size_t iomap = obj->mm.region->iomap.base -
> - obj->mm.region->region.start;
> + resource_size_t iomap;
> unsigned long page = offset >> PAGE_SHIFT;
> unsigned long bytes_left = len;
>
> + if (!obj)
> + return -EINVAL;
> +
> + iomap = obj->mm.region->iomap.base -
> + obj->mm.region->region.start;
> +
> /*
> * TODO: For now just let it fail if the resource is non-mappable,
> * otherwise we need to perform the memcpy from the gpu here, without
next prev parent reply other threads:[~2022-10-14 8:40 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-10-13 17:56 [Intel-gfx] [PATCH] drm/i915/ttm: Fix access_memory null pointer exception Jonathan Cavitt
2022-10-13 19:28 ` [Intel-gfx] ✓ Fi.CI.BAT: success for " Patchwork
2022-10-13 23:07 ` [Intel-gfx] ✓ Fi.CI.IGT: " Patchwork
2022-10-14 8:39 ` Matthew Auld [this message]
2022-10-14 8:56 ` [Intel-gfx] [PATCH] " Andi Shyti
2022-10-14 9:44 ` Matthew Auld
2022-10-14 14:49 ` Andi Shyti
2022-10-14 9:27 ` Das, Nirmoy
2022-10-14 10:13 ` Matthew Auld
2022-10-14 10:38 ` Das, Nirmoy
2022-10-14 10:52 ` Matthew Auld
2022-10-14 10:56 ` Das, Nirmoy
2022-10-14 8:47 ` Andi Shyti
2022-10-14 9:02 ` Andrzej Hajda
2022-10-14 9:52 ` Tvrtko Ursulin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=43b8728b-4f05-3f32-d794-7b94ba65480c@intel.com \
--to=matthew.auld@intel.com \
--cc=andrzej.hajda@intel.com \
--cc=intel-gfx@lists.freedesktop.org \
--cc=jonathan.cavitt@intel.com \
--cc=nirmoy.das@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox