[thirdparty/kernel/stable-queue.git] / releases / 3.18.114 / drm-msm-fix-possible-null-dereference-on-failure-of-get_pages.patch

From foo@baz Sun Jun 17 13:19:44 CEST 2018
From: Ben Hutchings <ben.hutchings@codethink.co.uk>
Date: Tue, 3 Apr 2018 23:38:45 +0100
Subject: drm/msm: Fix possible null dereference on failure of get_pages()

From: Ben Hutchings <ben.hutchings@codethink.co.uk>

[ Upstream commit 3976626ea3d2011f8fd3f3a47070a8b792018253 ]

Commit 62e3a3e342af changed get_pages() to initialise
msm_gem_object::pages before trying to initialise msm_gem_object::sgt,
so that put_pages() would properly clean up pages in the failure
case.

However, this means that put_pages() now needs to check that
msm_gem_object::sgt is not null before trying to clean it up, and
this check was only applied to part of the cleanup code.  Move
it all into the conditional block.  (Strictly speaking we don't
need to make the kfree() conditional, but since we can't avoid
checking for null ourselves we may as well do so.)

Fixes: 62e3a3e342af ("drm/msm: fix leak in failed get_pages")
Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Reviewed-by: Jordan Crouse <jcrouse@codeaurora.org>
Signed-off-by: Rob Clark <robdclark@gmail.com>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/msm/msm_gem.c |   20 +++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)

--- a/drivers/gpu/drm/msm/msm_gem.c
+++ b/drivers/gpu/drm/msm/msm_gem.c
@@ -110,17 +110,19 @@ static void put_pages(struct drm_gem_obj
 	struct msm_gem_object *msm_obj = to_msm_bo(obj);
 
 	if (msm_obj->pages) {
-		/* For non-cached buffers, ensure the new pages are clean
-		 * because display controller, GPU, etc. are not coherent:
-		 */
-		if (msm_obj->flags & (MSM_BO_WC|MSM_BO_UNCACHED))
-			dma_unmap_sg(obj->dev->dev, msm_obj->sgt->sgl,
-					msm_obj->sgt->nents, DMA_BIDIRECTIONAL);
+		if (msm_obj->sgt) {
+			/* For non-cached buffers, ensure the new
+			 * pages are clean because display controller,
+			 * GPU, etc. are not coherent:
+			 */
+			if (msm_obj->flags & (MSM_BO_WC|MSM_BO_UNCACHED))
+				dma_unmap_sg(obj->dev->dev, msm_obj->sgt->sgl,
+					     msm_obj->sgt->nents,
+					     DMA_BIDIRECTIONAL);
 
-		if (msm_obj->sgt)
 			sg_free_table(msm_obj->sgt);
-
-		kfree(msm_obj->sgt);
+			kfree(msm_obj->sgt);
+		}
 
 		if (iommu_present(&platform_bus_type))
 			drm_gem_put_pages(obj, msm_obj->pages, true, false);
Commit	Line	Data
0bfe1e00 GKH	1	From foo@baz Sun Jun 17 13:19:44 CEST 2018
	2	From: Ben Hutchings <ben.hutchings@codethink.co.uk>
	3	Date: Tue, 3 Apr 2018 23:38:45 +0100
	4	Subject: drm/msm: Fix possible null dereference on failure of get_pages()
	5
	6	From: Ben Hutchings <ben.hutchings@codethink.co.uk>
	7
	8	[ Upstream commit 3976626ea3d2011f8fd3f3a47070a8b792018253 ]
	9
	10	Commit 62e3a3e342af changed get_pages() to initialise
	11	msm_gem_object::pages before trying to initialise msm_gem_object::sgt,
	12	so that put_pages() would properly clean up pages in the failure
	13	case.
	14
	15	However, this means that put_pages() now needs to check that
	16	msm_gem_object::sgt is not null before trying to clean it up, and
	17	this check was only applied to part of the cleanup code. Move
	18	it all into the conditional block. (Strictly speaking we don't
	19	need to make the kfree() conditional, but since we can't avoid
	20	checking for null ourselves we may as well do so.)
	21
	22	Fixes: 62e3a3e342af ("drm/msm: fix leak in failed get_pages")
	23	Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
	24	Reviewed-by: Jordan Crouse <jcrouse@codeaurora.org>
	25	Signed-off-by: Rob Clark <robdclark@gmail.com>
	26	Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
	27	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	28	---
	29	drivers/gpu/drm/msm/msm_gem.c \| 20 +++++++++++---------
	30	1 file changed, 11 insertions(+), 9 deletions(-)
	31
	32	--- a/drivers/gpu/drm/msm/msm_gem.c
	33	+++ b/drivers/gpu/drm/msm/msm_gem.c
	34	@@ -110,17 +110,19 @@ static void put_pages(struct drm_gem_obj
	35	struct msm_gem_object *msm_obj = to_msm_bo(obj);
	36
	37	if (msm_obj->pages) {
	38	- /* For non-cached buffers, ensure the new pages are clean
	39	- * because display controller, GPU, etc. are not coherent:
	40	- */
	41	- if (msm_obj->flags & (MSM_BO_WC\|MSM_BO_UNCACHED))
	42	- dma_unmap_sg(obj->dev->dev, msm_obj->sgt->sgl,
	43	- msm_obj->sgt->nents, DMA_BIDIRECTIONAL);
	44	+ if (msm_obj->sgt) {
	45	+ /* For non-cached buffers, ensure the new
	46	+ * pages are clean because display controller,
	47	+ * GPU, etc. are not coherent:
	48	+ */
	49	+ if (msm_obj->flags & (MSM_BO_WC\|MSM_BO_UNCACHED))
	50	+ dma_unmap_sg(obj->dev->dev, msm_obj->sgt->sgl,
	51	+ msm_obj->sgt->nents,
	52	+ DMA_BIDIRECTIONAL);
	53
	54	- if (msm_obj->sgt)
	55	sg_free_table(msm_obj->sgt);
	56	-
	57	- kfree(msm_obj->sgt);
	58	+ kfree(msm_obj->sgt);
	59	+ }
	60
	61	if (iommu_present(&platform_bus_type))
	62	drm_gem_put_pages(obj, msm_obj->pages, true, false);