Message-ID: <20260116185007.1243557-1-pchelkin@ispras.ru>
Date: Fri, 16 Jan 2026 21:50:06 +0300
From: Fedor Pchelkin <pchelkin@...ras.ru>
To: Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
stable@...r.kernel.org
Cc: Fedor Pchelkin <pchelkin@...ras.ru>,
Christian Koenig <christian.koenig@....com>,
Matthew Brost <matthew.brost@...el.com>,
Simon Richter <Simon.Richter@...yros.de>,
dri-devel@...ts.freedesktop.org,
linux-kernel@...r.kernel.org,
lvc-project@...uxtesting.org
Subject: [PATCH 6.1] drm/ttm: fix up length check inside ttm_bo_vm_access()

No upstream commit exists for this patch.

Commit 491adc6a0f99 ("drm/ttm: Avoid NULL pointer deref for evicted BOs")
added the validation of bo->resource but in the context of 6.1.y and older
stable kernels the pointer is still dereferenced before that check.

It's been unseen and manifests as a stable kernel's issue only because
another upstream commit e3c92eb4a84f ("drm/ttm: rework on ttm_resource to
use size_t type") refactored the code a bit and, specifically, changed
bo->resource->num_pages to bo->base.size at some places. That commit is
rather intrusive and not handy to be backported to stable kernels so
implement the adaptive fix directly.

Since bo->resource->num_pages is calculated as PFN_UP(bo->base.size) in
older kernels as well, extract this single conversion from that commit.
Thus the problem indicated by commit 491adc6a0f99 ("drm/ttm: Avoid NULL
pointer deref for evicted BOs") would be actually fixed as intended.

Found by Linux Verification Center (linuxtesting.org) with Svace static
analysis tool.

Fixes: 491adc6a0f99 ("drm/ttm: Avoid NULL pointer deref for evicted BOs")
Signed-off-by: Fedor Pchelkin <pchelkin@...ras.ru>
---
Fresher stables starting from 6.6.y are not affected by this as they
have e3c92eb4a84f.
The backport of 491adc6a0f99 ("drm/ttm: Avoid NULL pointer deref for
evicted BOs") is currently in 5.10-5.15 queues and it may be fixed up in
place.
drivers/gpu/drm/ttm/ttm_bo_vm.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/ttm/ttm_bo_vm.c b/drivers/gpu/drm/ttm/ttm_bo_vm.c
index 1f543bd04fcf..51d0f5d23b1c 100644
--- a/drivers/gpu/drm/ttm/ttm_bo_vm.c
+++ b/drivers/gpu/drm/ttm/ttm_bo_vm.c
@@ -412,7 +412,7 @@ int ttm_bo_vm_access(struct vm_area_struct *vma, unsigned long addr,
<< PAGE_SHIFT);
int ret;
- if (len < 1 || (offset + len) >> PAGE_SHIFT > bo->resource->num_pages)
+ if (len < 1 || (offset + len) > bo->base.size)
return -EIO;
ret = ttm_bo_reserve(bo, true, false, NULL);
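Review bot: The replacement condition, (offset + len) > bo->base.size, is not an exact equivalent of the removed page-count test, and the commit message should say that the bound gets tighter. With num_pages being PFN_UP(bo->base.size) as the description states, the old test compared a truncated (offset + len) >> PAGE_SHIFT against a rounded-up page count, so it accepted a range ending anywhere in the last partial page and even up to PAGE_SIZE - 1 bytes past the last page; the byte comparison rejects both. That is the safer behaviour, but a one-line mention would help stable reviewers judge whether any caller relied on the old slack. The bo->resource check added by 491adc6a0f99 is outside the context shown here, so it is worth confirming that this was the only dereference ahead of it in ttm_bo_vm_access(). Minor: the parentheses around offset + len are no longer needed once the shift is gone.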
--
2.51.0