* [PATCH 6.1] drm/ttm: fix up length check inside ttm_bo_vm_access()
@ 2026-01-16 18:50 Fedor Pchelkin
2026-01-16 19:36 ` Fedor Pchelkin
0 siblings, 1 reply; 2+ messages in thread
From: Fedor Pchelkin @ 2026-01-16 18:50 UTC
To: Greg Kroah-Hartman, stable
Cc: Fedor Pchelkin, Christian Koenig, Matthew Brost, Simon Richter,
dri-devel, linux-kernel, lvc-project
No upstream commit exists for this patch.

Commit 491adc6a0f99 ("drm/ttm: Avoid NULL pointer deref for evicted BOs")
added the validation of bo->resource but in the context of 6.1.y and older
stable kernels the pointer is still dereferenced before that check.

It's been unseen and manifests as a stable kernel's issue only because
another upstream commit e3c92eb4a84f ("drm/ttm: rework on ttm_resource to
use size_t type") refactored the code a bit and, specifically, changed
bo->resource->num_pages to bo->base.size at some places. That commit is
rather intrusive and not handy to be backported to stable kernels so
implement the adaptive fix directly.

Since bo->resource->num_pages is calculated as PFN_UP(bo->base.size) in
older kernels as well, extract this single conversion from that commit.
Thus the problem indicated by commit 491adc6a0f99 ("drm/ttm: Avoid NULL
pointer deref for evicted BOs") would be actually fixed as intended.

Found by Linux Verification Center (linuxtesting.org) with Svace static
analysis tool.

Fixes: 491adc6a0f99 ("drm/ttm: Avoid NULL pointer deref for evicted BOs")
Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
---
Fresher stables starting from 6.6.y are not affected by this as they
have e3c92eb4a84f.

The backport of 491adc6a0f99 ("drm/ttm: Avoid NULL pointer deref for
evicted BOs") is currently in 5.10-5.15 queues and it may be fixed up in
place.

drivers/gpu/drm/ttm/ttm_bo_vm.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/ttm/ttm_bo_vm.c b/drivers/gpu/drm/ttm/ttm_bo_vm.c
index 1f543bd04fcf..51d0f5d23b1c 100644
--- a/drivers/gpu/drm/ttm/ttm_bo_vm.c
+++ b/drivers/gpu/drm/ttm/ttm_bo_vm.c
@@ -412,7 +412,7 @@ int ttm_bo_vm_access(struct vm_area_struct *vma, unsigned long addr,
<< PAGE_SHIFT);
int ret;
- if (len < 1 || (offset + len) >> PAGE_SHIFT > bo->resource->num_pages)
+ if (len < 1 || (offset + len) > bo->base.size)
return -EIO;
ret = ttm_bo_reserve(bo, true, false, NULL);
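Review bot: the replacement condition `(offset + len) > bo->base.size` changes the granularity of the bound in addition to dropping the bo->resource dereference, and the changelog does not mention that. The removed test shifted the sum down to whole pages before comparing it with num_pages, so an access ending less than one page past the counted pages still passed; the new test is byte-exact against the object size. That is the stricter bound, but since the change is described as a single conversion, a sentence in the commit message stating that the check also becomes tighter would make the behaviour change explicit for stable reviewers.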
--
2.51.0
* Re: [PATCH 6.1] drm/ttm: fix up length check inside ttm_bo_vm_access()
From: Fedor Pchelkin @ 2026-01-16 19:36 UTC
To: Greg Kroah-Hartman, stable
Cc: Christian Koenig, Matthew Brost, Simon Richter, dri-devel,
linux-kernel, lvc-project
On Fri, 16. Jan 21:50, Fedor Pchelkin wrote:
> The backport of 491adc6a0f99 ("drm/ttm: Avoid NULL pointer deref for
> evicted BOs") is currently in 5.10-5.15 queues and it may be fixed up in
> place.
That's actually in queue for 5.15 only, not 5.10.