1. Patchew
  2. linux
  3. View series

[PATCH v3] drm/msm/adreno: fix userspace-triggered crash on a2xx-a4xx

Dmitry Baryshkov posted 1 patch 2 months ago 
drivers/gpu/drm/msm/adreno/adreno_gpu.c | 6 ++++++
1 file changed, 6 insertions(+)
[PATCH v3] drm/msm/adreno: fix userspace-triggered crash on a2xx-a4xx
Posted by Dmitry Baryshkov 2 months ago 
Before a5xx Adreno driver will not try fetching UBWC params (because
those generations didn't support UBWC anyway), however it's still
possible to query UBWC-related params from the userspace, triggering
possible NULL pointer dereference. Check for UBWC config in
adreno_get_param() and return sane defaults if there is none.

Fixes: a452510aad53 ("drm/msm/adreno: Switch to the common UBWC config struct")
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
---
Changes in v3:
- Switched to UERR (Rob)
- Link to v2: https://patch.msgid.link/20260407-adreno-fix-ubwc-v2-1-7ff73624635e@oss.qualcomm.com

Changes in v2:
- Changed adreno_get_param() return -ENOENT for affected params (Rob)
- Link to v1: https://patch.msgid.link/20260407-adreno-fix-ubwc-v1-1-bb2b09450b87@oss.qualcomm.com
---
 drivers/gpu/drm/msm/adreno/adreno_gpu.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/gpu/drm/msm/adreno/adreno_gpu.c b/drivers/gpu/drm/msm/adreno/adreno_gpu.c
index 66f80f2d12f9..02f60b33ea1d 100644
--- a/drivers/gpu/drm/msm/adreno/adreno_gpu.c
+++ b/drivers/gpu/drm/msm/adreno/adreno_gpu.c
@@ -424,15 +424,21 @@ int adreno_get_param(struct msm_gpu *gpu, struct msm_context *ctx,
 		*value = vm->mm_range;
 		return 0;
 	case MSM_PARAM_HIGHEST_BANK_BIT:
+		if (!adreno_gpu->ubwc_config)
+			return UERR(ENOENT, drm, "no UBWC on this platform");
 		*value = adreno_gpu->ubwc_config->highest_bank_bit;
 		return 0;
 	case MSM_PARAM_RAYTRACING:
 		*value = adreno_gpu->has_ray_tracing;
 		return 0;
 	case MSM_PARAM_UBWC_SWIZZLE:
+		if (!adreno_gpu->ubwc_config)
+			return UERR(ENOENT, drm, "no UBWC on this platform");
 		*value = adreno_gpu->ubwc_config->ubwc_swizzle;
 		return 0;
 	case MSM_PARAM_MACROTILE_MODE:
+		if (!adreno_gpu->ubwc_config)
+			return UERR(ENOENT, drm, "no UBWC on this platform");
 		*value = adreno_gpu->ubwc_config->macrotile_mode;
 		return 0;
 	case MSM_PARAM_UCHE_TRAP_BASE:

---
base-commit: 66672af7a095d89f082c5327f3b15bc2f93d558e
change-id: 20260407-adreno-fix-ubwc-6a2564710e21

Best regards,
--  
With best wishes
Dmitry
Re: [PATCH v3] drm/msm/adreno: fix userspace-triggered crash on a2xx-a4xx
Posted by Rob Clark 2 months ago 
On Sat, Apr 11, 2026 at 7:59 AM Dmitry Baryshkov
<dmitry.baryshkov@oss.qualcomm.com> wrote:
>
> Before a5xx Adreno driver will not try fetching UBWC params (because
> those generations didn't support UBWC anyway), however it's still
> possible to query UBWC-related params from the userspace, triggering
> possible NULL pointer dereference. Check for UBWC config in
> adreno_get_param() and return sane defaults if there is none.
>
> Fixes: a452510aad53 ("drm/msm/adreno: Switch to the common UBWC config struct")
> Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>

Reviewed-by: Rob Clark <rob.clark@oss.qualcomm.com>

> ---
> Changes in v3:
> - Switched to UERR (Rob)
> - Link to v2: https://patch.msgid.link/20260407-adreno-fix-ubwc-v2-1-7ff73624635e@oss.qualcomm.com
>
> Changes in v2:
> - Changed adreno_get_param() return -ENOENT for affected params (Rob)
> - Link to v1: https://patch.msgid.link/20260407-adreno-fix-ubwc-v1-1-bb2b09450b87@oss.qualcomm.com
> ---
>  drivers/gpu/drm/msm/adreno/adreno_gpu.c | 6 ++++++
>  1 file changed, 6 insertions(+)
>
> diff --git a/drivers/gpu/drm/msm/adreno/adreno_gpu.c b/drivers/gpu/drm/msm/adreno/adreno_gpu.c
> index 66f80f2d12f9..02f60b33ea1d 100644
> --- a/drivers/gpu/drm/msm/adreno/adreno_gpu.c
> +++ b/drivers/gpu/drm/msm/adreno/adreno_gpu.c
> @@ -424,15 +424,21 @@ int adreno_get_param(struct msm_gpu *gpu, struct msm_context *ctx,
>                 *value = vm->mm_range;
>                 return 0;
>         case MSM_PARAM_HIGHEST_BANK_BIT:
> +               if (!adreno_gpu->ubwc_config)
> +                       return UERR(ENOENT, drm, "no UBWC on this platform");
>                 *value = adreno_gpu->ubwc_config->highest_bank_bit;
>                 return 0;
>         case MSM_PARAM_RAYTRACING:
>                 *value = adreno_gpu->has_ray_tracing;
>                 return 0;
>         case MSM_PARAM_UBWC_SWIZZLE:
> +               if (!adreno_gpu->ubwc_config)
> +                       return UERR(ENOENT, drm, "no UBWC on this platform");
>                 *value = adreno_gpu->ubwc_config->ubwc_swizzle;
>                 return 0;
>         case MSM_PARAM_MACROTILE_MODE:
> +               if (!adreno_gpu->ubwc_config)
> +                       return UERR(ENOENT, drm, "no UBWC on this platform");
>                 *value = adreno_gpu->ubwc_config->macrotile_mode;
>                 return 0;
>         case MSM_PARAM_UCHE_TRAP_BASE:
>
> ---
> base-commit: 66672af7a095d89f082c5327f3b15bc2f93d558e
> change-id: 20260407-adreno-fix-ubwc-6a2564710e21
>
> Best regards,
> --
> With best wishes
> Dmitry
>

Patchew 2.1-devel-ea86937

© 2016 - 2026 Red Hat, Inc.