125 lines
4.9 KiB
Diff
125 lines
4.9 KiB
Diff
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
From: Liu Xinyun <xinyun.liu@intel.com>
|
|
Date: Wed, 29 May 2019 21:51:16 +0800
|
|
Subject: [PATCH] dma-buf/hyper_dmabuf: check pointer before use it
|
|
MIME-Version: 1.0
|
|
Content-Type: text/plain; charset=UTF-8
|
|
Content-Transfer-Encoding: 8bit
|
|
|
|
The null pointer may leads to kernel panic like:
|
|
|
|
BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
|
|
PGD 153539067 P4D 153539067 PUD 153543067 PMD 0
|
|
Oops: 0000 [#1] PREEMPT SMP
|
|
CPU: 1 PID: 580 Comm: vmdisplay-wayla Tainted: GÂ Â Â Â UÂ WÂ Â Â Â Â Â Â Â 4.19.23-24.iot-lts2018-sos #1
|
|
RIP: 0010:hyper_dmabuf_ext_pgs+0x35/0x240
|
|
Code: be c0 00 60 00 48 89 e5 41 56 41 55 41 54 53 48 89 fb 48 8b 3d 64 b0 2d 01 e8 e7 e9 a9 ff 48 85 c0 49 89 c4 0f 84 d8 01 00 00 <48>9
|
|
RSP: 0018:ffff8c5f535af8e8 EFLAGS: 00010282
|
|
RAX: ffff8c5f68ada820 RBX: 0000000000000000 RCX: 00000000006000c0
|
|
RDX: 0000000000000000 RSI: 0000000000000020 RDI: ffff8c5f77000100
|
|
RBP: ffff8c5f535af908 R08: 0001000000000000 R09: ffff8c5f5f920678
|
|
R10: ffff8c5f6ce6ae80 R11: 00000000fec64890 R12: ffff8c5f68ada820
|
|
R13: 0000000000000000 R14: ffff8c5f6b8fe100 R15: ffff8c5f68944b40
|
|
FS:Â 00007f8e443136c0(0000) GS:ffff8c5f77a80000(0000) knlGS:0000000000000000
|
|
CS:Â 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
|
|
CR2: 0000000000000000 CR3: 000000015353e000 CR4: 00000000003406e0
|
|
Call Trace:
|
|
hyper_dmabuf_ops_map+0x34/0x120
|
|
dma_buf_map_attachment+0x45/0x70
|
|
i915_gem_object_get_pages_dmabuf+0x1b/0x70
|
|
____i915_gem_object_get_pages+0x22/0x40
|
|
__i915_gem_object_get_pages+0x5b/0x70
|
|
__i915_vma_do_pin+0x2cb/0x550
|
|
eb_lookup_vmas+0x73d/0xbf0
|
|
? __pm_runtime_resume+0x5b/0x90
|
|
i915_gem_do_execbuffer+0x3a3/0x1110
|
|
? mempool_kfree+0xe/0x10
|
|
? kmem_cache_alloc_trace+0x1c7/0x280
|
|
? drm_vma_node_allow+0x2c/0xd0
|
|
? _raw_spin_unlock_irqrestore+0x43/0x60
|
|
? __kmalloc+0x1e8/0x2b0
|
|
? kvmalloc_node+0x6a/0x80
|
|
? trace_hardirqs_on+0x38/0x100
|
|
i915_gem_execbuffer2_ioctl+0x1db/0x3c0
|
|
? i915_gem_execbuffer_ioctl+0x2d0/0x2d0
|
|
drm_ioctl_kernel+0xa5/0xf0
|
|
drm_ioctl+0x226/0x400
|
|
? i915_gem_execbuffer_ioctl+0x2d0/0x2d0
|
|
? hyper_dmabuf_ioctl+0xb7/0x150
|
|
? delayed_unexport+0x1b0/0x1b0
|
|
do_vfs_ioctl+0xa9/0x6d0
|
|
? __audit_syscall_entry+0xdd/0x130
|
|
? __fget+0x75/0xa0
|
|
ksys_ioctl+0x67/0x90
|
|
__x64_sys_ioctl+0x1a/0x20
|
|
do_syscall_64+0x5b/0x110
|
|
entry_SYSCALL_64_after_hwframe+0x49/0xbe
|
|
RIP: 0033:0x7f8e44908f8b
|
|
Code: 0f 1e fa 48 8b 05 05 0f 0d 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa b8 10 00 00 00 0f 05 <48>8
|
|
RSP: 002b:00007ffcf7fe8ae8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
|
|
RAX: ffffffffffffffda RBX: 00000000024b2a80 RCX: 00007f8e44908f8b
|
|
RDX: 00007ffcf7fe8b30 RSI: 0000000040406469 RDI: 0000000000000007
|
|
RBP: 00007ffcf7fe8b10 R08: 00000000024f2c20 R09: 00007f8e42b0b030
|
|
R10: 00007ffcf7fe8af0 R11: 0000000000000246 R12: 00007ffcf7fe8b30
|
|
R13: 0000000040406469 R14: 0000000000000007 R15: ffffffffffffffff
|
|
Modules linked in: snd_soc_skl_virtio_be snd_soc_c4pro_ivi xhci_pci xhci_hcd snd_soc_skl snd_soc_skl_ipc snd_soc_sst_ipc snd_soc_sst_dspe
|
|
CR2: 0000000000000000
|
|
---[ end trace f1dc57f344ffa276 ]---
|
|
|
|
Signed-off-by: Liu Xinyun <xinyun.liu@intel.com>
|
|
---
|
|
drivers/dma-buf/hyper_dmabuf/hyper_dmabuf_ops.c | 12 +++++++++++-
|
|
drivers/dma-buf/hyper_dmabuf/hyper_dmabuf_sgl_proc.c | 5 +++++
|
|
2 files changed, 16 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/drivers/dma-buf/hyper_dmabuf/hyper_dmabuf_ops.c b/drivers/dma-buf/hyper_dmabuf/hyper_dmabuf_ops.c
|
|
index 3bd13c584ffc..3864f4b6a856 100644
|
|
--- a/drivers/dma-buf/hyper_dmabuf/hyper_dmabuf_ops.c
|
|
+++ b/drivers/dma-buf/hyper_dmabuf/hyper_dmabuf_ops.c
|
|
@@ -132,6 +132,11 @@ static struct sg_table *hyper_dmabuf_ops_map(
|
|
|
|
imported = (struct imported_sgt_info *)attachment->dmabuf->priv;
|
|
|
|
+ if (!imported) {
|
|
+ dev_err(hy_drv_priv->dev, "%s: imported is NULL\n", __func__);
|
|
+ return NULL;
|
|
+ }
|
|
+
|
|
/* extract pages from sgt */
|
|
pg_info = hyper_dmabuf_ext_pgs(imported->sgt);
|
|
|
|
@@ -388,8 +393,13 @@ int hyper_dmabuf_export_fd(struct imported_sgt_info *imported, int flags)
|
|
*/
|
|
hyper_dmabuf_export_dma_buf(imported);
|
|
|
|
- if (imported->dma_buf)
|
|
+ if (!IS_ERR_OR_NULL(imported->dma_buf)) {
|
|
fd = dma_buf_fd(imported->dma_buf, flags);
|
|
+ } else {
|
|
+ imported->dma_buf = NULL;
|
|
+ dev_err(hy_drv_priv->dev,
|
|
+ "failed to get dma_buf,return -1\n");
|
|
+ }
|
|
|
|
return fd;
|
|
}
|
|
diff --git a/drivers/dma-buf/hyper_dmabuf/hyper_dmabuf_sgl_proc.c b/drivers/dma-buf/hyper_dmabuf/hyper_dmabuf_sgl_proc.c
|
|
index c1887d1ad709..0bf21ca864b1 100644
|
|
--- a/drivers/dma-buf/hyper_dmabuf/hyper_dmabuf_sgl_proc.c
|
|
+++ b/drivers/dma-buf/hyper_dmabuf/hyper_dmabuf_sgl_proc.c
|
|
@@ -72,6 +72,11 @@ struct pages_info *hyper_dmabuf_ext_pgs(struct sg_table *sgt)
|
|
int length;
|
|
struct scatterlist *sgl;
|
|
|
|
+ if (!sgt) {
|
|
+ dev_err(hy_drv_priv->dev, "%s: sgt is null\n", __func__);
|
|
+ return NULL;
|
|
+ }
|
|
+
|
|
pg_info = kmalloc(sizeof(*pg_info), GFP_KERNEL);
|
|
if (!pg_info)
|
|
return NULL;
|
|
--
|
|
https://clearlinux.org
|
|
|