gpu: nvgpu: pramin: add error checking for SGLs

If the total size of SGLs is lower than the size to copy, we will reach the end of the list so the sgl var will become NULL, and calling nvgpu_sgt_get_length will cause a null pointer dereference. This change will cause a BUG() which should be clearer than a NULL pointer dereference. There is no easy way to add more advanced error checking and handling, and an SGL bug would most likely be linked to another bug in the OS or OS layer. JIRA NVGPU-1279 Change-Id: Ide83f2b91ecae25f3a0f3202febfb115110315d7 Signed-off-by: Nicolas Benech <nbenech@nvidia.com> Reviewed-on: https://git-master.nvidia.com/r/1923706 Reviewed-by: Automatic_Commit_Validation_User GVS: Gerrit_Virtual_Submit Reviewed-by: Alex Waterman <alexw@nvidia.com> Reviewed-by: mobile promotions <svcmobile_promotions@nvidia.com> Tested-by: mobile promotions <svcmobile_promotions@nvidia.com>
2025-12-25 02:52:51 +03:00 · 2018-10-10 11:24:07 -04:00
parent fdba70425d
commit 89125cb4f5
1 changed files with 5 additions and 1 deletions
--- a/drivers/gpu/nvgpu/common/pramin.c
+++ b/drivers/gpu/nvgpu/common/pramin.c
@@ -26,6 +26,7 @@
 #include <nvgpu/sizes.h>
 #include <nvgpu/io.h>
 #include <nvgpu/gk20a.h>
+#include <nvgpu/bug.h>

 /*
 * This typedef is for functions that get called during the access_batched()
@@ -68,7 +69,10 @@ static void nvgpu_pramin_access_batched(struct gk20a *g, struct nvgpu_mem *mem,
 	}

 	while (size) {
-		u32 sgl_len = (u32)nvgpu_sgt_get_length(sgt, sgl);
+		u32 sgl_len;
+
+		BUG_ON(sgl == NULL);
+		sgl_len = (u32)nvgpu_sgt_get_length(sgt, sgl);

 		nvgpu_spinlock_acquire(&g->mm.pramin_window_lock);
 		byteoff = g->ops.bus.set_bar0_window(g, mem, sgt, sgl,