From 89125cb4f562bf91ad2f1ca0ade9aaf29c83e0f5 Mon Sep 17 00:00:00 2001
From: Nicolas Benech
Date: Wed, 10 Oct 2018 11:24:07 -0400
Subject: [PATCH] gpu: nvgpu: pramin: add error checking for SGLs
If the total size of SGLs is lower than the size to copy, we will reach the end of the list so the sgl var will become NULL, and calling nvgpu_sgt_get_length will cause a null pointer dereference. This change will cause a BUG() which should be clearer than a NULL pointer dereference. There is no easy way to add more advanced error checking and handling, and an SGL bug would most likely be linked to another bug in the OS or OS layer.
JIRA NVGPU-1279
Change-Id: Ide83f2b91ecae25f3a0f3202febfb115110315d7
Signed-off-by: Nicolas Benech
Reviewed-on: https://git-master.nvidia.com/r/1923706
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Alex Waterman
Reviewed-by: mobile promotions
Tested-by: mobile promotions
---
 drivers/gpu/nvgpu/common/pramin.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/nvgpu/common/pramin.c b/drivers/gpu/nvgpu/common/pramin.c
index 289489cd1..b232a048f 100644
--- a/drivers/gpu/nvgpu/common/pramin.c
+++ b/drivers/gpu/nvgpu/common/pramin.c
@@ -26,6 +26,7 @@
 #include
 #include
 #include
+#include

 /*
  * This typedef is for functions that get called during the access_batched()
@@ -68,7 +69,10 @@ static void nvgpu_pramin_access_batched(struct gk20a *g, struct nvgpu_mem *mem,
 }

 while (size) {
- u32 sgl_len = (u32)nvgpu_sgt_get_length(sgt, sgl);
+ u32 sgl_len;
+
+ BUG_ON(sgl == NULL);
+ sgl_len = (u32)nvgpu_sgt_get_length(sgt, sgl);

 nvgpu_spinlock_acquire(&g->mm.pramin_window_lock);
 byteoff = g->ops.bus.set_bar0_window(g, mem, sgt, sgl,
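Review bot: `BUG_ON(sgl == NULL)` at the top of the `while (size)` loop turns a size/SGL-length mismatch into a full kernel halt, and nothing visible in the hunk bounds `size` against the total SGL length before the loop starts. If any caller can reach this function with an offset or size derived from less-trusted input, that is a denial-of-service path, so a recoverable form placed before the spinlock is taken, such as `if (WARN_ON(sgl == NULL)) break;` (assuming the driver's bug header provides `WARN_ON`), or a single range check ahead of the loop, would be safer. Breaking out leaves the copy incomplete and the function returns void, which is presumably why BUG() was chosen; if it stays, the check deserves a comment such as `/* ran off the end of the SGL list: size exceeds what mem's SGLs cover */`. Separately, the `(u32)` cast on `nvgpu_sgt_get_length()` would silently truncate if that helper returns a wider type, which is worth confirming. The function body begins and ends outside this hunk, so where `sgl` is advanced cannot be checked from here.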