Hi,
On 01/03/23 11:38 pm, Greg Kroah-Hartman wrote:
From: Dmitry Osipenko <dmitry.osipenko@collabora.com>
commit 64b88afbd92fbf434759d1896a7cf705e1c00e79 upstream.
Previous commit fixed checking of the ERR_PTR value returned by drm_gem_shmem_get_sg_table(), but it missed to zero out the shmem->pages, which will crash virtio_gpu_cleanup_object(). Add the missing zeroing of the shmem->pages.
Fixes: c24968734abf ("drm/virtio: Fix NULL vs IS_ERR checking in virtio_gpu_object_shmem_init")
Reviewed-by: Emil Velikov <emil.l.velikov@gmail.com>
Signed-off-by: Dmitry Osipenko <dmitry.osipenko@collabora.com>
Link: https://urldefense.com/v3/__http://patchwork.freedesktop.org/patch/msgid/202...
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
drivers/gpu/drm/virtio/virtgpu_object.c | 1 + 1 file changed, 1 insertion(+)
--- a/drivers/gpu/drm/virtio/virtgpu_object.c +++ b/drivers/gpu/drm/virtio/virtgpu_object.c @@ -159,6 +159,7 @@ static int virtio_gpu_object_shmem_init( shmem->pages = drm_gem_shmem_get_sg_table(&bo->base.base); if (IS_ERR(shmem->pages)) { drm_gem_shmem_unpin(&bo->base.base);
return PTR_ERR(shmem->pages); }shmem->pages = NULL;
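Review bot: In the IS_ERR(shmem->pages) branch, the added `shmem->pages = NULL;` and the existing `return PTR_ERR(shmem->pages);` both operate on the same field, so the error code has to be read before the pointer is cleared. If the clear comes first, the return evaluates PTR_ERR(NULL), which is not an error value, and virtio_gpu_object_shmem_init() reports success on a failure path after drm_gem_shmem_unpin() has already run. Suggest capturing the code in a local first, for example `ret = PTR_ERR(shmem->pages); shmem->pages = NULL; return ret;`, so the cleanup path still sees a NULL shmem->pages and the caller still sees the original error.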
While doing static analysis with smatch on LTS-rc series I found this bug.
PTR_ERR(NULL) is 1/success, so we are returning success in this case, which looks wrong.
Only 5.10.y and 5.15.y are affected. Upstream commit b5c9ed70d1a9 ("drm/virtio: Improve DMA API usage for shmem BOs") deleted this code and is present in linux-6.1.y and linux-6.2.y, so this problem is not in the 6.1.y and 6.2.y stable releases.
I have prepared a patch for fixing this, will send it out.
Thanks, Harshit