From nobody Mon Jun 22 18:10:30 2026
Return-Path: <linux-kernel-owner@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
	by smtp.lore.kernel.org (Postfix) with ESMTP id D2B46C433EF
	for <linux-kernel@archiver.kernel.org>; Fri, 18 Mar 2022 19:50:44 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S240423AbiCRTwB (ORCPT <rfc822;linux-kernel@archiver.kernel.org>);
        Fri, 18 Mar 2022 15:52:01 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:35394 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S230302AbiCRTv7 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 18 Mar 2022 15:51:59 -0400
Received: from bhuna.collabora.co.uk (bhuna.collabora.co.uk
 [IPv6:2a00:1098:0:82:1000:25:2eeb:e3e3])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 0382D2E8435
        for <linux-kernel@vger.kernel.org>;
 Fri, 18 Mar 2022 12:50:32 -0700 (PDT)
Received: from [127.0.0.1] (localhost [127.0.0.1])
        (Authenticated sender: bbeckett)
        with ESMTPSA id 9A2AE1F45B08
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=collabora.com;
        s=mail; t=1647633030;
        bh=9bigV/sYB4FUqshAYJdxs+cHARVqE00dOiOAg3Egs9Y=;
        h=From:To:Cc:Subject:Date:From;
        b=gDqPOrSjJ86k3/PKnd8PPM1RMLwNcZ91aYkmOXXsSFBIn8gTvQ/FZXK08Katx/ZiZ
         I8O3uG04Kq3RwGkO2127RrkM5BKVP+aiLSBRF1dneFE5QTaZi7yoOEkkviTJ9vLrSz
         7qHjX7+sDOKZz7JLeqodv+QtFd/kTxMQ3s9aHnOv4xJoH7/FdA0qzwmlf0CipF3zcB
         uv64JtT1fhiJUGvraQaRCDlgfhio7TD2iX6Zg1jrd3TqVQZKxJQuMwibHnvQC3CWlC
         DE0qHvObvxA1dcS4sL96zUgi6JgoKE1EUEwjhDFT6+TomJpFjbd0L0kdTXNO3L46df
         edaJbSf6GkoHg==
From: Robert Beckett <bob.beckett@collabora.com>
To: dri-devel@lists.freedesktop.org,
        Christian Koenig <christian.koenig@amd.com>,
        Huang Rui <ray.huang@amd.com>, David Airlie <airlied@linux.ie>,
        Daniel Vetter <daniel@ffwll.ch>,
        Matthew Auld <matthew.auld@intel.com>
Cc: Robert Beckett <bob.beckett@collabora.com>,
        linux-kernel@vger.kernel.org
Subject: [PATCH] drm/ttm: fix potential null ptr deref in when mem space alloc
 fails
Date: Fri, 18 Mar 2022 19:50:04 +0000
Message-Id: <20220318195004.416539-1-bob.beckett@collabora.com>
X-Mailer: git-send-email 2.25.1
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Type: text/plain; charset="utf-8"

when allocating a resource in place it is common to free the buffer's
resource, then allocate a new resource in a different placement.

e.g. amdgpu_bo_create_kernel_at calls ttm_resource_free, then calls
ttm_bo_mem_space.

In this situation, bo->resource will be null as it is cleared during
the initial freeing of the previous resource.
This leads to a null deref.

Fixes: d3116756a710 (drm/ttm: rename bo->mem and make it a pointer)

Signed-off-by: Robert Beckett <bob.beckett@collabora.com>
---
 drivers/gpu/drm/ttm/ttm_bo.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/ttm/ttm_bo.c b/drivers/gpu/drm/ttm/ttm_bo.c
index db3dc7ef5382..62b29ee7d040 100644
--- a/drivers/gpu/drm/ttm/ttm_bo.c
+++ b/drivers/gpu/drm/ttm/ttm_bo.c
@@ -875,7 +875,7 @@ int ttm_bo_mem_space(struct ttm_buffer_object *bo,
 	}
=20
 error:
-	if (bo->resource->mem_type =3D=3D TTM_PL_SYSTEM && !bo->pin_count)
+	if (bo->resource && bo->resource->mem_type =3D=3D TTM_PL_SYSTEM && !bo->p=
in_count)
 		ttm_bo_move_to_lru_tail_unlocked(bo);
=20
 	return ret;
--=20
2.25.1