lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date:   Thu, 17 Feb 2022 16:42:16 +0300
From:   Dan Carpenter <dan.carpenter@...cle.com>
To:     kbuild@...ts.01.org, Zack Rusin <zackr@...are.com>
Cc:     lkp@...el.com, kbuild-all@...ts.01.org,
        linux-kernel@...r.kernel.org, Martin Krastev <krastevm@...are.com>
Subject: drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c:1177 vmw_translate_mob_ptr()
 warn: passing zero to 'PTR_ERR'

tree:   https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
head:   d567f5db412ed52de0b3b3efca4a451263de6108
commit: 8afa13a0583f94c14607e3041c02f068ac8fb628 drm/vmwgfx: Implement DRIVER_GEM
config: i386-randconfig-m021-20220214 (https://download.01.org/0day-ci/archive/20220215/202202151635.DiGY2FPj-lkp@intel.com/config)
compiler: gcc-9 (Debian 9.3.0-22) 9.3.0

If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@...el.com>
Reported-by: Dan Carpenter <dan.carpenter@...cle.com>

smatch warnings:
drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c:1177 vmw_translate_mob_ptr() warn: passing zero to 'PTR_ERR'
drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c:1231 vmw_translate_guest_ptr() warn: passing zero to 'PTR_ERR'

vim +/PTR_ERR +1177 drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c

ddcda24e3bec1d Thomas Hellstrom  2012-11-21  1163  static int vmw_translate_mob_ptr(struct vmw_private *dev_priv,
ddcda24e3bec1d Thomas Hellstrom  2012-11-21  1164  				 struct vmw_sw_context *sw_context,
ddcda24e3bec1d Thomas Hellstrom  2012-11-21  1165  				 SVGAMobId *id,
f1d34bfd70b1b4 Thomas Hellstrom  2018-06-19  1166  				 struct vmw_buffer_object **vmw_bo_p)
ddcda24e3bec1d Thomas Hellstrom  2012-11-21  1167  {
b139d43dacef68 Thomas Hellstrom  2018-09-26  1168  	struct vmw_buffer_object *vmw_bo;
ddcda24e3bec1d Thomas Hellstrom  2012-11-21  1169  	uint32_t handle = *id;
ddcda24e3bec1d Thomas Hellstrom  2012-11-21  1170  	struct vmw_relocation *reloc;
ddcda24e3bec1d Thomas Hellstrom  2012-11-21  1171  	int ret;
ddcda24e3bec1d Thomas Hellstrom  2012-11-21  1172  
b139d43dacef68 Thomas Hellstrom  2018-09-26  1173  	vmw_validation_preload_bo(sw_context->ctx);
8afa13a0583f94 Zack Rusin        2021-12-06  1174  	vmw_bo = vmw_user_bo_noref_lookup(sw_context->filp, handle);
8afa13a0583f94 Zack Rusin        2021-12-06  1175  	if (IS_ERR_OR_NULL(vmw_bo)) {

Originally this was just IS_ERR(vmw_bo) and that's the correct check.
When a function returns both error pointers and NULL the NULL means that
there isn't an error but the feature is optional and has been
deliberately disabled.

vmw_user_bo_noref_lookup() is not optional.

5724f899ed8265 Deepak Rawat      2019-02-11  1176  		VMW_DEBUG_USER("Could not find or use MOB buffer.\n");
b139d43dacef68 Thomas Hellstrom  2018-09-26 @1177  		return PTR_ERR(vmw_bo);

If vmw_user_bo_noref_lookup() were optional then this returns
PTR_ERR(NULL) which is success.  Returning success here leads to a crash
in the caller because *vmw_bo_p is not initialized.

ddcda24e3bec1d Thomas Hellstrom  2012-11-21  1178  	}
b139d43dacef68 Thomas Hellstrom  2018-09-26  1179  	ret = vmw_validation_add_bo(sw_context->ctx, vmw_bo, true, false);
8afa13a0583f94 Zack Rusin        2021-12-06  1180  	ttm_bo_put(&vmw_bo->base);
b139d43dacef68 Thomas Hellstrom  2018-09-26  1181  	if (unlikely(ret != 0))
b139d43dacef68 Thomas Hellstrom  2018-09-26  1182  		return ret;
b139d43dacef68 Thomas Hellstrom  2018-09-26  1183  
fc18afcf5fb2d8 Thomas Hellstrom  2018-09-26  1184  	reloc = vmw_validation_mem_alloc(sw_context->ctx, sizeof(*reloc));
fc18afcf5fb2d8 Thomas Hellstrom  2018-09-26  1185  	if (!reloc)
b139d43dacef68 Thomas Hellstrom  2018-09-26  1186  		return -ENOMEM;
ddcda24e3bec1d Thomas Hellstrom  2012-11-21  1187  
ddcda24e3bec1d Thomas Hellstrom  2012-11-21  1188  	reloc->mob_loc = id;
9c079b8ce8bf8e Thomas Hellstrom  2018-09-26  1189  	reloc->vbo = vmw_bo;
ddcda24e3bec1d Thomas Hellstrom  2012-11-21  1190  
ddcda24e3bec1d Thomas Hellstrom  2012-11-21  1191  	*vmw_bo_p = vmw_bo;
fc18afcf5fb2d8 Thomas Hellstrom  2018-09-26  1192  	list_add_tail(&reloc->head, &sw_context->bo_relocations);
fc18afcf5fb2d8 Thomas Hellstrom  2018-09-26  1193  
ddcda24e3bec1d Thomas Hellstrom  2012-11-21  1194  	return 0;
ddcda24e3bec1d Thomas Hellstrom  2012-11-21  1195  }
ddcda24e3bec1d Thomas Hellstrom  2012-11-21  1196  
e2fa3a76839ada Thomas Hellstrom  2011-10-04  1197  /**
2cd80dbd35518d Zack Rusin        2021-05-05  1198   * vmw_translate_guest_ptr - Prepare to translate a user-space buffer handle
680360a4d3f695 Deepak Rawat      2019-02-13  1199   * to a valid SVGAGuestPtr
e2fa3a76839ada Thomas Hellstrom  2011-10-04  1200   *
c0951b797e7d0f Thomas Hellstrom  2012-11-20  1201   * @dev_priv: Pointer to a device private structure.
c0951b797e7d0f Thomas Hellstrom  2012-11-20  1202   * @sw_context: The software context used for this command batch validation.
c0951b797e7d0f Thomas Hellstrom  2012-11-20  1203   * @ptr: Pointer to the user-space handle to be translated.
680360a4d3f695 Deepak Rawat      2019-02-13  1204   * @vmw_bo_p: Points to a location that, on successful return will carry a
680360a4d3f695 Deepak Rawat      2019-02-13  1205   * non-reference-counted pointer to the DMA buffer identified by the user-space
680360a4d3f695 Deepak Rawat      2019-02-13  1206   * handle in @id.
e2fa3a76839ada Thomas Hellstrom  2011-10-04  1207   *
c0951b797e7d0f Thomas Hellstrom  2012-11-20  1208   * This function saves information needed to translate a user-space buffer
c0951b797e7d0f Thomas Hellstrom  2012-11-20  1209   * handle to a valid SVGAGuestPtr. The translation does not take place
c0951b797e7d0f Thomas Hellstrom  2012-11-20  1210   * immediately, but during a call to vmw_apply_relocations().
680360a4d3f695 Deepak Rawat      2019-02-13  1211   *
c0951b797e7d0f Thomas Hellstrom  2012-11-20  1212   * This function builds a relocation list and a list of buffers to validate.
c0951b797e7d0f Thomas Hellstrom  2012-11-20  1213   * The former needs to be freed using either vmw_apply_relocations() or
c0951b797e7d0f Thomas Hellstrom  2012-11-20  1214   * vmw_free_relocations(). The latter needs to be freed using
c0951b797e7d0f Thomas Hellstrom  2012-11-20  1215   * vmw_clear_validations.
e2fa3a76839ada Thomas Hellstrom  2011-10-04  1216   */
4e4ddd47774313 Thomas Hellstrom  2010-02-21  1217  static int vmw_translate_guest_ptr(struct vmw_private *dev_priv,
fb1d9738ca053e Jakob Bornecrantz 2009-12-10  1218  				   struct vmw_sw_context *sw_context,
4e4ddd47774313 Thomas Hellstrom  2010-02-21  1219  				   SVGAGuestPtr *ptr,
f1d34bfd70b1b4 Thomas Hellstrom  2018-06-19  1220  				   struct vmw_buffer_object **vmw_bo_p)
fb1d9738ca053e Jakob Bornecrantz 2009-12-10  1221  {
b139d43dacef68 Thomas Hellstrom  2018-09-26  1222  	struct vmw_buffer_object *vmw_bo;
4e4ddd47774313 Thomas Hellstrom  2010-02-21  1223  	uint32_t handle = ptr->gmrId;
fb1d9738ca053e Jakob Bornecrantz 2009-12-10  1224  	struct vmw_relocation *reloc;
4e4ddd47774313 Thomas Hellstrom  2010-02-21  1225  	int ret;
fb1d9738ca053e Jakob Bornecrantz 2009-12-10  1226  
b139d43dacef68 Thomas Hellstrom  2018-09-26  1227  	vmw_validation_preload_bo(sw_context->ctx);
8afa13a0583f94 Zack Rusin        2021-12-06  1228  	vmw_bo = vmw_user_bo_noref_lookup(sw_context->filp, handle);
8afa13a0583f94 Zack Rusin        2021-12-06  1229  	if (IS_ERR_OR_NULL(vmw_bo)) {

Same.

5724f899ed8265 Deepak Rawat      2019-02-11  1230  		VMW_DEBUG_USER("Could not find or use GMR region.\n");
b139d43dacef68 Thomas Hellstrom  2018-09-26 @1231  		return PTR_ERR(vmw_bo);
fb1d9738ca053e Jakob Bornecrantz 2009-12-10  1232  	}
b139d43dacef68 Thomas Hellstrom  2018-09-26  1233  	ret = vmw_validation_add_bo(sw_context->ctx, vmw_bo, false, false);
8afa13a0583f94 Zack Rusin        2021-12-06  1234  	ttm_bo_put(&vmw_bo->base);
b139d43dacef68 Thomas Hellstrom  2018-09-26  1235  	if (unlikely(ret != 0))
b139d43dacef68 Thomas Hellstrom  2018-09-26  1236  		return ret;
b139d43dacef68 Thomas Hellstrom  2018-09-26  1237  
fc18afcf5fb2d8 Thomas Hellstrom  2018-09-26  1238  	reloc = vmw_validation_mem_alloc(sw_context->ctx, sizeof(*reloc));
fc18afcf5fb2d8 Thomas Hellstrom  2018-09-26  1239  	if (!reloc)
b139d43dacef68 Thomas Hellstrom  2018-09-26  1240  		return -ENOMEM;
fb1d9738ca053e Jakob Bornecrantz 2009-12-10  1241  
4e4ddd47774313 Thomas Hellstrom  2010-02-21  1242  	reloc->location = ptr;
9c079b8ce8bf8e Thomas Hellstrom  2018-09-26  1243  	reloc->vbo = vmw_bo;
4e4ddd47774313 Thomas Hellstrom  2010-02-21  1244  	*vmw_bo_p = vmw_bo;
fc18afcf5fb2d8 Thomas Hellstrom  2018-09-26  1245  	list_add_tail(&reloc->head, &sw_context->bo_relocations);
fc18afcf5fb2d8 Thomas Hellstrom  2018-09-26  1246  
4e4ddd47774313 Thomas Hellstrom  2010-02-21  1247  	return 0;
4e4ddd47774313 Thomas Hellstrom  2010-02-21  1248  }
4e4ddd47774313 Thomas Hellstrom  2010-02-21  1249  

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ