* [PATCH v3] drm/msm/adreno: fix userspace-triggered crash on a2xx-a4xx
@ 2026-04-11 14:59 Dmitry Baryshkov
2026-04-11 15:22 ` Rob Clark
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: Dmitry Baryshkov @ 2026-04-11 14:59 UTC (permalink / raw)
To: Rob Clark, Sean Paul, Konrad Dybcio, Akhil P Oommen,
Dmitry Baryshkov, Abhinav Kumar, Jessica Zhang, Marijn Suijten,
David Airlie, Simona Vetter
Cc: linux-arm-msm, dri-devel, freedreno, linux-kernel
Before a5xx Adreno driver will not try fetching UBWC params (because
those generations didn't support UBWC anyway), however it's still
possible to query UBWC-related params from the userspace, triggering
possible NULL pointer dereference. Check for UBWC config in
adreno_get_param() and return sane defaults if there is none.
Fixes: a452510aad53 ("drm/msm/adreno: Switch to the common UBWC config struct")
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
---
Changes in v3:
- Switched to UERR (Rob)
- Link to v2: https://patch.msgid.link/20260407-adreno-fix-ubwc-v2-1-7ff73624635e@oss.qualcomm.com
Changes in v2:
- Changed adreno_get_param() return -ENOENT for affected params (Rob)
- Link to v1: https://patch.msgid.link/20260407-adreno-fix-ubwc-v1-1-bb2b09450b87@oss.qualcomm.com
---
drivers/gpu/drm/msm/adreno/adreno_gpu.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/gpu/drm/msm/adreno/adreno_gpu.c b/drivers/gpu/drm/msm/adreno/adreno_gpu.c
index 66f80f2d12f9..02f60b33ea1d 100644
--- a/drivers/gpu/drm/msm/adreno/adreno_gpu.c
+++ b/drivers/gpu/drm/msm/adreno/adreno_gpu.c
@@ -424,15 +424,21 @@ int adreno_get_param(struct msm_gpu *gpu, struct msm_context *ctx,
*value = vm->mm_range;
return 0;
case MSM_PARAM_HIGHEST_BANK_BIT:
+ if (!adreno_gpu->ubwc_config)
+ return UERR(ENOENT, drm, "no UBWC on this platform");
*value = adreno_gpu->ubwc_config->highest_bank_bit;
return 0;
case MSM_PARAM_RAYTRACING:
*value = adreno_gpu->has_ray_tracing;
return 0;
case MSM_PARAM_UBWC_SWIZZLE:
+ if (!adreno_gpu->ubwc_config)
+ return UERR(ENOENT, drm, "no UBWC on this platform");
*value = adreno_gpu->ubwc_config->ubwc_swizzle;
return 0;
case MSM_PARAM_MACROTILE_MODE:
+ if (!adreno_gpu->ubwc_config)
+ return UERR(ENOENT, drm, "no UBWC on this platform");
*value = adreno_gpu->ubwc_config->macrotile_mode;
return 0;
case MSM_PARAM_UCHE_TRAP_BASE:
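Review bot: The three added checks, under MSM_PARAM_HIGHEST_BANK_BIT, MSM_PARAM_UBWC_SWIZZLE and MSM_PARAM_MACROTILE_MODE, each fail the query with UERR(ENOENT, ...), but the commit message still ends with "return sane defaults if there is none". That sentence describes an earlier behaviour than the one in this hunk (the v2 changelog records the switch to -ENOENT). Suggest rewording it to say the query is rejected with -ENOENT when there is no UBWC config, so userspace authors reading the log know to handle an error rather than expect a value.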
---
base-commit: 66672af7a095d89f082c5327f3b15bc2f93d558e
change-id: 20260407-adreno-fix-ubwc-6a2564710e21
Best regards,
--
With best wishes
Dmitry
* Re: [PATCH v3] drm/msm/adreno: fix userspace-triggered crash on a2xx-a4xx
From: Rob Clark @ 2026-04-11 15:22 UTC (permalink / raw)
To: Dmitry Baryshkov
Cc: Sean Paul, Konrad Dybcio, Akhil P Oommen, Dmitry Baryshkov,
Abhinav Kumar, Jessica Zhang, Marijn Suijten, David Airlie,
Simona Vetter, linux-arm-msm, dri-devel, freedreno, linux-kernel
On Sat, Apr 11, 2026 at 7:59 AM Dmitry Baryshkov
<dmitry.baryshkov@oss.qualcomm.com> wrote:
>
> Before a5xx Adreno driver will not try fetching UBWC params (because
> those generations didn't support UBWC anyway), however it's still
> possible to query UBWC-related params from the userspace, triggering
> possible NULL pointer dereference. Check for UBWC config in
> adreno_get_param() and return sane defaults if there is none.
>
> Fixes: a452510aad53 ("drm/msm/adreno: Switch to the common UBWC config struct")
> Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Reviewed-by: Rob Clark <rob.clark@oss.qualcomm.com>
> ---
> Changes in v3:
> - Switched to UERR (Rob)
> - Link to v2: https://patch.msgid.link/20260407-adreno-fix-ubwc-v2-1-7ff73624635e@oss.qualcomm.com
>
> Changes in v2:
> - Changed adreno_get_param() return -ENOENT for affected params (Rob)
> - Link to v1: https://patch.msgid.link/20260407-adreno-fix-ubwc-v1-1-bb2b09450b87@oss.qualcomm.com
> ---
> drivers/gpu/drm/msm/adreno/adreno_gpu.c | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/drivers/gpu/drm/msm/adreno/adreno_gpu.c b/drivers/gpu/drm/msm/adreno/adreno_gpu.c
> index 66f80f2d12f9..02f60b33ea1d 100644
> --- a/drivers/gpu/drm/msm/adreno/adreno_gpu.c
> +++ b/drivers/gpu/drm/msm/adreno/adreno_gpu.c
> @@ -424,15 +424,21 @@ int adreno_get_param(struct msm_gpu *gpu, struct msm_context *ctx,
> *value = vm->mm_range;
> return 0;
> case MSM_PARAM_HIGHEST_BANK_BIT:
> + if (!adreno_gpu->ubwc_config)
> + return UERR(ENOENT, drm, "no UBWC on this platform");
> *value = adreno_gpu->ubwc_config->highest_bank_bit;
> return 0;
> case MSM_PARAM_RAYTRACING:
> *value = adreno_gpu->has_ray_tracing;
> return 0;
> case MSM_PARAM_UBWC_SWIZZLE:
> + if (!adreno_gpu->ubwc_config)
> + return UERR(ENOENT, drm, "no UBWC on this platform");
> *value = adreno_gpu->ubwc_config->ubwc_swizzle;
> return 0;
> case MSM_PARAM_MACROTILE_MODE:
> + if (!adreno_gpu->ubwc_config)
> + return UERR(ENOENT, drm, "no UBWC on this platform");
> *value = adreno_gpu->ubwc_config->macrotile_mode;
> return 0;
> case MSM_PARAM_UCHE_TRAP_BASE:
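Review bot: The guard and its message string "no UBWC on this platform" are repeated verbatim in all three UBWC cases, so the message cannot tell a reader which parameter was requested. Consider naming the parameter in each message, or testing adreno_gpu->ubwc_config in one shared place for these three cases so a future UBWC parameter added next to them cannot be merged without the check.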
>
> ---
> base-commit: 66672af7a095d89f082c5327f3b15bc2f93d558e
> change-id: 20260407-adreno-fix-ubwc-6a2564710e21
>
> Best regards,
> --
> With best wishes
> Dmitry
>
* Claude review: drm/msm/adreno: fix userspace-triggered crash on a2xx-a4xx
From: Claude Code Review Bot @ 2026-04-11 22:59 UTC (permalink / raw)
To: dri-devel-reviews
Overall Series Review
Subject: drm/msm/adreno: fix userspace-triggered crash on a2xx-a4xx
Author: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Patches: 2
Reviewed: 2026-04-12T08:59:45.879716
---
This is a single patch (v3) fixing a **userspace-triggerable NULL pointer dereference** on Adreno a2xx through a4xx GPUs. The bug was introduced by commit `a452510aad53` which refactored UBWC configuration into a common struct and added a pointer (`ubwc_config`) that gets dereferenced in `adreno_get_param()` — but a2xx, a3xx, and a4xx GPUs never set this pointer since they predate UBWC support.

The fix is correct, minimal, and well-targeted. The approach of returning `-ENOENT` via the `UERR()` macro is consistent with how other unsupported parameter queries are handled in this function and matches the v2/v3 review feedback from Rob Clark.

**Verdict: Looks good.**
---
Generated by Claude Code Patch Reviewer
* Claude review: drm/msm/adreno: fix userspace-triggered crash on a2xx-a4xx
From: Claude Code Review Bot @ 2026-04-11 22:59 UTC (permalink / raw)
To: dri-devel-reviews
Patch Review
**Problem analysis:** Confirmed correct. The kernel source tree shows:

- `a5xx_gpu.c` sets `adreno_gpu->ubwc_config = &adreno_gpu->_ubwc_config` (line 1778)
- `a6xx_gpu.c` sets `gpu->ubwc_config = &gpu->_ubwc_config` (line 807)
- `a2xx_gpu.c`, `a3xx_gpu.c`, `a4xx_gpu.c` never touch `ubwc_config` — the pointer remains NULL from `kzalloc`

Since `MSM_PARAM_HIGHEST_BANK_BIT` (0x10), `MSM_PARAM_UBWC_SWIZZLE` (0x12), and `MSM_PARAM_MACROTILE_MODE` (0x13) are all UAPI params, any userspace program can query them and trigger the NULL dereference on pre-a5xx hardware.

**Code review:**

The three guard clauses are identical in structure and correct:

```c
case MSM_PARAM_HIGHEST_BANK_BIT:
	if (!adreno_gpu->ubwc_config)
		return UERR(ENOENT, drm, "no UBWC on this platform");
	*value = adreno_gpu->ubwc_config->highest_bank_bit;
	return 0;
```

- The `UERR(ENOENT, ...)` macro expands to `DRM_DEV_DEBUG_DRIVER(...)` followed by returning `-ENOENT`. This is appropriate — `ENOENT` signals "this parameter doesn't exist on this hardware" which is semantically correct and matches the review feedback.
- The debug message is helpful for userspace developers without being noisy (it's `DEBUG_DRIVER` level, not a warning).
- All three UBWC-related params are covered: `HIGHEST_BANK_BIT`, `UBWC_SWIZZLE`, and `MACROTILE_MODE`. No UBWC-related params are missed.

**No issues found.** The patch is minimal, correct, has proper `Fixes:` tag, and addresses the review feedback from v1/v2.

Reviewed-by worthy.
---
Generated by Claude Code Patch Reviewer
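
The pattern this thread fixes, as an added example that is not part of the thread or of the msm driver: a userspace C model in which a shared query path must tolerate an optional config pointer that some hardware generations never set. All names are hypothetical and the config values are constructed; the sweep function is the regression check, querying every parameter id against a GPU with and without the config.

```c
#include <errno.h>
#include <stdint.h>
/* Userspace model with hypothetical names; not the msm driver's code. */
enum param { P_HIGHEST_BANK_BIT, P_RAYTRACING, P_UBWC_SWIZZLE, P_MACROTILE_MODE, P_COUNT };
struct ubwc_cfg { uint32_t highest_bank_bit, ubwc_swizzle, macrotile_mode; };
struct model_gpu {
	const struct ubwc_cfg *ubwc_config; /* optional: NULL unless init wires it */
	int has_ray_tracing;
};
/* Zero-initialised state stands in for kzalloc; only the UBWC model sets the pointer. */
static const struct ubwc_cfg sample_cfg = { 15, 7, 1 }; /* constructed values */
static const struct model_gpu pre_ubwc_gpu = { 0 };
static const struct model_gpu ubwc_gpu = { .ubwc_config = &sample_cfg };

/* Query path: the optional pointer is checked once for all three UBWC params. */
static int model_get_param(const struct model_gpu *g, enum param p, uint64_t *value)
{
	const struct ubwc_cfg *c = g->ubwc_config;
	switch (p) {
	case P_RAYTRACING:
		*value = g->has_ray_tracing;
		return 0;
	case P_HIGHEST_BANK_BIT:
	case P_UBWC_SWIZZLE:
	case P_MACROTILE_MODE:
		if (!c)
			return -ENOENT; /* no UBWC on this model GPU */
		*value = p == P_HIGHEST_BANK_BIT ? c->highest_bank_bit :
			 p == P_UBWC_SWIZZLE ? c->ubwc_swizzle : c->macrotile_mode;
		return 0;
	default:
		return -EINVAL;
	}
}

/* Regression sweep: query every id, count the ones refused with -ENOENT. */
static int sweep_enoent(const struct model_gpu *g)
{
	uint64_t v;
	int refused = 0;
	for (int p = 0; p < P_COUNT; p++)
		refused += model_get_param(g, (enum param)p, &v) == -ENOENT;
	return refused;
}

int main(void)
{
	return sweep_enoent(&pre_ubwc_gpu) == 3 && sweep_enoent(&ubwc_gpu) == 0 ? 0 : 1;
}
```

Sweeping every id against each generation's initial state is what catches a newly added parameter that dereferences the optional pointer without a guard.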