* [PATCH v2] drm/msm/adreno: fix userspace-triggered crash on a2xx-a4xx
@ 2026-04-07 3:23 Dmitry Baryshkov
2026-04-07 19:17 ` Akhil P Oommen
` (2 more replies)
0 siblings, 3 replies; 5+ messages in thread
From: Dmitry Baryshkov @ 2026-04-07 3:23 UTC (permalink / raw)
To: Rob Clark, Sean Paul, Konrad Dybcio, Akhil P Oommen,
Dmitry Baryshkov, Abhinav Kumar, Jessica Zhang, Marijn Suijten,
David Airlie, Simona Vetter
Cc: linux-arm-msm, dri-devel, freedreno, linux-kernel
Before a5xx Adreno driver will not try fetching UBWC params (because
those generations didn't support UBWC anyway), however it's still
possible to query UBWC-related params from the userspace, triggering
possible NULL pointer dereference. Check for UBWC config in
adreno_get_param() and return sane defaults if there is none.
Fixes: a452510aad53 ("drm/msm/adreno: Switch to the common UBWC config struct")
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
---
Changes in v2:
- Changed adreno_get_param() return -ENOENT for affected params (Rob)
- Link to v1: https://patch.msgid.link/20260407-adreno-fix-ubwc-v1-1-bb2b09450b87@oss.qualcomm.com
---
drivers/gpu/drm/msm/adreno/adreno_gpu.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/gpu/drm/msm/adreno/adreno_gpu.c b/drivers/gpu/drm/msm/adreno/adreno_gpu.c
index d5fe6f6f0dec..34e4ab43b0f6 100644
--- a/drivers/gpu/drm/msm/adreno/adreno_gpu.c
+++ b/drivers/gpu/drm/msm/adreno/adreno_gpu.c
@@ -426,15 +426,21 @@ int adreno_get_param(struct msm_gpu *gpu, struct msm_context *ctx,
*value = vm->mm_range;
return 0;
case MSM_PARAM_HIGHEST_BANK_BIT:
+ if (!adreno_gpu->ubwc_config)
+ return -ENOENT;
*value = adreno_gpu->ubwc_config->highest_bank_bit;
return 0;
case MSM_PARAM_RAYTRACING:
*value = adreno_gpu->has_ray_tracing;
return 0;
case MSM_PARAM_UBWC_SWIZZLE:
+ if (!adreno_gpu->ubwc_config)
+ return -ENOENT;
*value = adreno_gpu->ubwc_config->ubwc_swizzle;
return 0;
case MSM_PARAM_MACROTILE_MODE:
+ if (!adreno_gpu->ubwc_config)
+ return -ENOENT;
*value = adreno_gpu->ubwc_config->macrotile_mode;
return 0;
case MSM_PARAM_UCHE_TRAP_BASE:
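Review bot: The three added `return -ENOENT;` lines (under MSM_PARAM_HIGHEST_BANK_BIT, MSM_PARAM_UBWC_SWIZZLE and MSM_PARAM_MACROTILE_MODE) do not match the commit message, which still says the function will "return sane defaults if there is none". Since v2 changed the behaviour to an error return, the message body should say that these params now fail with -ENOENT when ubwc_config is NULL, so the log describes what userspace on a2xx-a4xx will actually see.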
---
base-commit: 36ece9697e89016181e5ae87510e40fb31d86f2b
change-id: 20260407-adreno-fix-ubwc-6a2564710e21
Best regards,
--
With best wishes
Dmitry
* Re: [PATCH v2] drm/msm/adreno: fix userspace-triggered crash on a2xx-a4xx
From: Akhil P Oommen @ 2026-04-07 19:17 UTC (permalink / raw)
To: Dmitry Baryshkov, Rob Clark, Sean Paul, Konrad Dybcio,
Dmitry Baryshkov, Abhinav Kumar, Jessica Zhang, Marijn Suijten,
David Airlie, Simona Vetter
Cc: linux-arm-msm, dri-devel, freedreno, linux-kernel
On 4/7/2026 8:53 AM, Dmitry Baryshkov wrote:
> Before a5xx Adreno driver will not try fetching UBWC params (because
> those generations didn't support UBWC anyway), however it's still
> possible to query UBWC-related params from the userspace, triggering
> possible NULL pointer dereference. Check for UBWC config in
> adreno_get_param() and return sane defaults if there is none.
>
> Fixes: a452510aad53 ("drm/msm/adreno: Switch to the common UBWC config struct")
> Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Reviewed-by: Akhil P Oommen <akhilpo@oss.qualcomm.com>
-Akhil
> ---
> Changes in v2:
> - Changed adreno_get_param() return -ENOENT for affected params (Rob)
> - Link to v1: https://patch.msgid.link/20260407-adreno-fix-ubwc-v1-1-bb2b09450b87@oss.qualcomm.com
> ---
> drivers/gpu/drm/msm/adreno/adreno_gpu.c | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/drivers/gpu/drm/msm/adreno/adreno_gpu.c b/drivers/gpu/drm/msm/adreno/adreno_gpu.c
> index d5fe6f6f0dec..34e4ab43b0f6 100644
> --- a/drivers/gpu/drm/msm/adreno/adreno_gpu.c
> +++ b/drivers/gpu/drm/msm/adreno/adreno_gpu.c
> @@ -426,15 +426,21 @@ int adreno_get_param(struct msm_gpu *gpu, struct msm_context *ctx,
> *value = vm->mm_range;
> return 0;
> case MSM_PARAM_HIGHEST_BANK_BIT:
> + if (!adreno_gpu->ubwc_config)
> + return -ENOENT;
> *value = adreno_gpu->ubwc_config->highest_bank_bit;
> return 0;
> case MSM_PARAM_RAYTRACING:
> *value = adreno_gpu->has_ray_tracing;
> return 0;
> case MSM_PARAM_UBWC_SWIZZLE:
> + if (!adreno_gpu->ubwc_config)
> + return -ENOENT;
> *value = adreno_gpu->ubwc_config->ubwc_swizzle;
> return 0;
> case MSM_PARAM_MACROTILE_MODE:
> + if (!adreno_gpu->ubwc_config)
> + return -ENOENT;
> *value = adreno_gpu->ubwc_config->macrotile_mode;
> return 0;
> case MSM_PARAM_UCHE_TRAP_BASE:
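Review bot: None of the three `if (!adreno_gpu->ubwc_config)` checks says when the pointer can be NULL, and nothing in the hunk tells whoever adds the next UBWC-related case that the guard is required. A short comment at the first check, under MSM_PARAM_HIGHEST_BANK_BIT, noting that generations before a5xx have no UBWC config would document the condition where it is tested.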
>
> ---
> base-commit: 36ece9697e89016181e5ae87510e40fb31d86f2b
> change-id: 20260407-adreno-fix-ubwc-6a2564710e21
>
> Best regards,
> --
> With best wishes
> Dmitry
>
* Re: [PATCH v2] drm/msm/adreno: fix userspace-triggered crash on a2xx-a4xx
From: Rob Clark @ 2026-04-07 20:40 UTC (permalink / raw)
To: Akhil P Oommen
Cc: Dmitry Baryshkov, Sean Paul, Konrad Dybcio, Dmitry Baryshkov,
Abhinav Kumar, Jessica Zhang, Marijn Suijten, David Airlie,
Simona Vetter, linux-arm-msm, dri-devel, freedreno, linux-kernel
On Tue, Apr 7, 2026 at 12:17 PM Akhil P Oommen <akhilpo@oss.qualcomm.com> wrote:
>
> On 4/7/2026 8:53 AM, Dmitry Baryshkov wrote:
> > Before a5xx Adreno driver will not try fetching UBWC params (because
> > those generations didn't support UBWC anyway), however it's still
> > possible to query UBWC-related params from the userspace, triggering
> > possible NULL pointer dereference. Check for UBWC config in
> > adreno_get_param() and return sane defaults if there is none.
> >
> > Fixes: a452510aad53 ("drm/msm/adreno: Switch to the common UBWC config struct")
> > Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
>
> Reviewed-by: Akhil P Oommen <akhilpo@oss.qualcomm.com>
>
> -Akhil
>
> > ---
> > Changes in v2:
> > - Changed adreno_get_param() return -ENOENT for affected params (Rob)
> > - Link to v1: https://patch.msgid.link/20260407-adreno-fix-ubwc-v1-1-bb2b09450b87@oss.qualcomm.com
> > ---
> > drivers/gpu/drm/msm/adreno/adreno_gpu.c | 6 ++++++
> > 1 file changed, 6 insertions(+)
> >
> > diff --git a/drivers/gpu/drm/msm/adreno/adreno_gpu.c b/drivers/gpu/drm/msm/adreno/adreno_gpu.c
> > index d5fe6f6f0dec..34e4ab43b0f6 100644
> > --- a/drivers/gpu/drm/msm/adreno/adreno_gpu.c
> > +++ b/drivers/gpu/drm/msm/adreno/adreno_gpu.c
> > @@ -426,15 +426,21 @@ int adreno_get_param(struct msm_gpu *gpu, struct msm_context *ctx,
> > *value = vm->mm_range;
> > return 0;
> > case MSM_PARAM_HIGHEST_BANK_BIT:
> > + if (!adreno_gpu->ubwc_config)
> > + return -ENOENT;
maybe use:
return UERR(ENOENT, dev, "no ubwc")
?
I've been trying to add UERR() to things to make it easier to debug
from userspace why the kernel returns various errors.
Otherwise, lgtm
BR,
-R
> > *value = adreno_gpu->ubwc_config->highest_bank_bit;
> > return 0;
> > case MSM_PARAM_RAYTRACING:
> > *value = adreno_gpu->has_ray_tracing;
> > return 0;
> > case MSM_PARAM_UBWC_SWIZZLE:
> > + if (!adreno_gpu->ubwc_config)
> > + return -ENOENT;
> > *value = adreno_gpu->ubwc_config->ubwc_swizzle;
> > return 0;
> > case MSM_PARAM_MACROTILE_MODE:
> > + if (!adreno_gpu->ubwc_config)
> > + return -ENOENT;
> > *value = adreno_gpu->ubwc_config->macrotile_mode;
> > return 0;
> > case MSM_PARAM_UCHE_TRAP_BASE:
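Review bot: The UERR() suggestion above is attached only to the MSM_PARAM_HIGHEST_BANK_BIT check, but the same bare `return -ENOENT;` is repeated under MSM_PARAM_UBWC_SWIZZLE and MSM_PARAM_MACROTILE_MODE. If the UERR() form is adopted, apply it at all three sites so that each failing query is reported to userspace in the same way rather than only the first.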
> >
> > ---
> > base-commit: 36ece9697e89016181e5ae87510e40fb31d86f2b
> > change-id: 20260407-adreno-fix-ubwc-6a2564710e21
> >
> > Best regards,
> > --
> > With best wishes
> > Dmitry
> >
>
* Claude review: drm/msm/adreno: fix userspace-triggered crash on a2xx-a4xx
From: Claude Code Review Bot @ 2026-04-12 4:10 UTC (permalink / raw)
To: dri-devel-reviews
Overall Series Review
Subject: drm/msm/adreno: fix userspace-triggered crash on a2xx-a4xx
Author: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Patches: 3
Reviewed: 2026-04-12T14:10:52.922255
---
This is a single patch (v2) fixing a userspace-triggerable NULL pointer dereference on older Adreno GPUs (a2xx through a4xx). The bug was introduced by commit a452510aad53 which switched to a common UBWC config struct pointer (`ubwc_config`), but older GPU generations that don't support UBWC never initialize this pointer. Userspace can still query UBWC-related params via `adreno_get_param()`, causing a NULL dereference.
The fix is straightforward, correct, and minimal. It adds NULL checks before each of the three `ubwc_config` dereferences in `adreno_get_param()`, returning `-ENOENT` when the config is absent. This is a v2 addressing Rob Clark's feedback to return `-ENOENT` instead of default values.
**Verdict: Patch looks good.**
---
Generated by Claude Code Patch Reviewer
* Claude review: drm/msm/adreno: fix userspace-triggered crash on a2xx-a4xx
From: Claude Code Review Bot @ 2026-04-12 4:10 UTC (permalink / raw)
To: dri-devel-reviews
Patch Review
**Correctness:** The fix is correct. The `ubwc_config` pointer in `struct adreno_gpu` (defined in `adreno_gpu.h:243`) is only initialized for a5xx+ GPUs. The a5xx and a6xx init paths call `qcom_ubwc_config_get_data()` and set `adreno_gpu->ubwc_config = &adreno_gpu->_ubwc_config`, but a2xx, a3xx, and a4xx init functions never touch this field, leaving it as NULL from the kzalloc'd struct.
**Completeness:** All three UBWC-related param cases in `adreno_get_param()` are guarded:
```c
case MSM_PARAM_HIGHEST_BANK_BIT:
if (!adreno_gpu->ubwc_config)
return -ENOENT;
*value = adreno_gpu->ubwc_config->highest_bank_bit;
return 0;
...
case MSM_PARAM_UBWC_SWIZZLE:
if (!adreno_gpu->ubwc_config)
return -ENOENT;
*value = adreno_gpu->ubwc_config->ubwc_swizzle;
return 0;
case MSM_PARAM_MACROTILE_MODE:
if (!adreno_gpu->ubwc_config)
return -ENOENT;
*value = adreno_gpu->ubwc_config->macrotile_mode;
return 0;
```
This covers every dereference of `ubwc_config` in this function. No dereference sites are missed.
**Error code choice:** `-ENOENT` is a reasonable return value, semantically conveying "this parameter does not exist on this hardware." The `MSM_PARAM_RAYTRACING` case between the first two guarded cases already follows a similar pattern of returning a property that may not be meaningful on all generations, though it returns 0 with `has_ray_tracing` being false. The difference is that `has_ray_tracing` is a direct struct member (always valid), while `ubwc_config` is a pointer that may be NULL, so a distinct error return makes sense here.
**Observation (not a blocker):** The agent's exploration revealed that `ubwc_config` is also dereferenced without NULL checks in the hardware init paths: `a5xx_hw_init()` (line ~838, with a `BUG_ON`), `a6xx_set_ubwc_config()` (line ~815), and `a8xx_set_ubwc_config()` (line ~277). However, these code paths are only reached for GPU generations that do initialize `ubwc_config`, so they are not vulnerable to the same NULL dereference. The scoping of this fix to `adreno_get_param()` is correct since that is the function reachable from any GPU generation via the common userspace ioctl path.
**Commit message:** Clear, explains the root cause and fix. The `Fixes:` tag correctly references the commit that introduced the regression.
**No issues found.** Patch is ready to merge.
Reviewed-by: Dave Airlie <airlied@gmail.com>
---
Generated by Claude Code Patch Reviewer