From mboxrd@z Thu Jan  1 00:00:00 1970
From: Jordan Crouse <jcrouse@codeaurora.org>
Subject: Re: [PATCH] drm/msm: Fix NULL deref in adreno_load_gpu
Date: Fri, 15 Dec 2017 08:33:25 -0700
Message-ID: <20171215153325.GA25601@jcrouse-lnx.qualcomm.com>
References: <20171214054150.20943-1-architt@codeaurora.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Return-path: <linux-arm-msm-owner@vger.kernel.org>
Received: from smtp.codeaurora.org ([198.145.29.96]:57986 "EHLO
        smtp.codeaurora.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S932168AbdLOPd3 (ORCPT
        <rfc822;linux-arm-msm@vger.kernel.org>);
        Fri, 15 Dec 2017 10:33:29 -0500
Content-Disposition: inline
In-Reply-To: <20171214054150.20943-1-architt@codeaurora.org>
Sender: linux-arm-msm-owner@vger.kernel.org
List-Id: linux-arm-msm@vger.kernel.org
To: Archit Taneja <architt@codeaurora.org>
Cc: robdclark@gmail.com, linux-arm-msm@vger.kernel.org, dri-devel@lists.freedesktop.org

On Thu, Dec 14, 2017 at 11:11:50AM +0530, Archit Taneja wrote:
> The msm/kms driver should work even if there is no GPU device specified
> in DT. Currently, we get a NULL dereference crash in adreno_load_gpu
> since the driver assumes that priv->gpu_pdev is non-NULL.
> 
> Perform an additional check on priv->gpu_pdev before trying to retrieve
> the msm_gpu pointer from it.
> 
> Fixes: eec874ce5ff1 (drm/msm/adreno: load gpu at probe/bind time)
> 
> Signed-off-by: Archit Taneja <architt@codeaurora.org>
> ---
>  drivers/gpu/drm/msm/adreno/adreno_device.c | 11 +++++++++--
>  1 file changed, 9 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/gpu/drm/msm/adreno/adreno_device.c b/drivers/gpu/drm/msm/adreno/adreno_device.c
> index 05022ea2a007..ac60cf3c794e 100644
> --- a/drivers/gpu/drm/msm/adreno/adreno_device.c
> +++ b/drivers/gpu/drm/msm/adreno/adreno_device.c
> @@ -124,10 +124,17 @@ const struct adreno_info *adreno_info(struct adreno_rev rev)
>  struct msm_gpu *adreno_load_gpu(struct drm_device *dev)
>  {
>  	struct msm_drm_private *priv = dev->dev_private;
> -	struct platform_device *pdev = priv->gpu_pdev;
> -	struct msm_gpu *gpu = platform_get_drvdata(priv->gpu_pdev);
> +	struct platform_device *pdev;
> +	struct msm_gpu *gpu;
>  	int ret;
>  
> +	pdev = priv->gpu_pdev;
> +	if (!pdev) {
> +		dev_dbg(dev->dev, "no adreno platform device found\n");
> +		return NULL;
> +	}
> +
> +	gpu = platform_get_drvdata(pdev);
>  	if (!gpu) {
>  		dev_err(dev->dev, "no adreno device\n");
>  		return NULL;

Obviously correct fix but I can't help but think that we should share the same
error message, so something like:

struct msm_gpu *gpu = NULL;

.. 

if (priv->gpu_pdev)
   gpu = platform_get_drvdata(priv->gpu_pdev);

if (!gpu) {
	dev_err(dev->dev, "No GPU device was was found\n");
 	return NULL;
}

(also, I can't help but think maybe that dev_err should be a ONCE so you don't
get a nasty message every time you open the file descriptor).

Jordan

-- 
The Qualcomm Innovation Center, Inc. is a member of Code Aurora Forum,
a Linux Foundation Collaborative Project