[PATCH v3] drm/msm/adreno: fix userspace-triggered crash on a2xx-a4xx

[PATCH v3] drm/msm/adreno: fix userspace-triggered crash on a2xx-a4xx

[Dmitry Baryshkov]

Before a5xx Adreno driver will not try fetching UBWC params (because
those generations didn't support UBWC anyway), however it's still
possible to query UBWC-related params from the userspace, triggering
possible NULL pointer dereference. Check for UBWC config in
adreno_get_param() and return sane defaults if there is none.

Fixes: a452510aad53 ("drm/msm/adreno: Switch to the common UBWC config struct")
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
---
Changes in v3:
- Switched to UERR (Rob)
- Link to v2: https://patch.msgid.link/20260407-adreno-fix-ubwc-v2-1-7ff73624635e@oss.qualcomm.com

Changes in v2:
- Changed adreno_get_param() return -ENOENT for affected params (Rob)
- Link to v1: https://patch.msgid.link/20260407-adreno-fix-ubwc-v1-1-bb2b09450b87@oss.qualcomm.com
---
 drivers/gpu/drm/msm/adreno/adreno_gpu.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/gpu/drm/msm/adreno/adreno_gpu.c b/drivers/gpu/drm/msm/adreno/adreno_gpu.c
index 66f80f2d12f9..02f60b33ea1d 100644
--- a/drivers/gpu/drm/msm/adreno/adreno_gpu.c
+++ b/drivers/gpu/drm/msm/adreno/adreno_gpu.c
@@ -424,15 +424,21 @@ int adreno_get_param(struct msm_gpu *gpu, struct msm_context *ctx,
 		*value = vm->mm_range;
 		return 0;
 	case MSM_PARAM_HIGHEST_BANK_BIT:
+		if (!adreno_gpu->ubwc_config)
+			return UERR(ENOENT, drm, "no UBWC on this platform");
 		*value = adreno_gpu->ubwc_config->highest_bank_bit;
 		return 0;
 	case MSM_PARAM_RAYTRACING:
 		*value = adreno_gpu->has_ray_tracing;
 		return 0;
 	case MSM_PARAM_UBWC_SWIZZLE:
+		if (!adreno_gpu->ubwc_config)
+			return UERR(ENOENT, drm, "no UBWC on this platform");
 		*value = adreno_gpu->ubwc_config->ubwc_swizzle;
 		return 0;
 	case MSM_PARAM_MACROTILE_MODE:
+		if (!adreno_gpu->ubwc_config)
+			return UERR(ENOENT, drm, "no UBWC on this platform");
 		*value = adreno_gpu->ubwc_config->macrotile_mode;
 		return 0;
 	case MSM_PARAM_UCHE_TRAP_BASE:

---
base-commit: 66672af7a095d89f082c5327f3b15bc2f93d558e
change-id: 20260407-adreno-fix-ubwc-6a2564710e21

Best regards,
--  
With best wishes
Dmitry

Re: [PATCH v3] drm/msm/adreno: fix userspace-triggered crash on a2xx-a4xx

[Rob Clark]

On Sat, Apr 11, 2026 at 7:59 AM Dmitry Baryshkov
<dmitry.baryshkov@oss.qualcomm.com> wrote:
>
> Before a5xx Adreno driver will not try fetching UBWC params (because
> those generations didn't support UBWC anyway), however it's still
> possible to query UBWC-related params from the userspace, triggering
> possible NULL pointer dereference. Check for UBWC config in
> adreno_get_param() and return sane defaults if there is none.
>
> Fixes: a452510aad53 ("drm/msm/adreno: Switch to the common UBWC config struct")
> Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>

Reviewed-by: Rob Clark <rob.clark@oss.qualcomm.com>

> ---
> Changes in v3:
> - Switched to UERR (Rob)
> - Link to v2: https://patch.msgid.link/20260407-adreno-fix-ubwc-v2-1-7ff73624635e@oss.qualcomm.com
>
> Changes in v2:
> - Changed adreno_get_param() return -ENOENT for affected params (Rob)
> - Link to v1: https://patch.msgid.link/20260407-adreno-fix-ubwc-v1-1-bb2b09450b87@oss.qualcomm.com
> ---
>  drivers/gpu/drm/msm/adreno/adreno_gpu.c | 6 ++++++
>  1 file changed, 6 insertions(+)
>
> diff --git a/drivers/gpu/drm/msm/adreno/adreno_gpu.c b/drivers/gpu/drm/msm/adreno/adreno_gpu.c
> index 66f80f2d12f9..02f60b33ea1d 100644
> --- a/drivers/gpu/drm/msm/adreno/adreno_gpu.c
> +++ b/drivers/gpu/drm/msm/adreno/adreno_gpu.c
> @@ -424,15 +424,21 @@ int adreno_get_param(struct msm_gpu *gpu, struct msm_context *ctx,
>                 *value = vm->mm_range;
>                 return 0;
>         case MSM_PARAM_HIGHEST_BANK_BIT:
> +               if (!adreno_gpu->ubwc_config)
> +                       return UERR(ENOENT, drm, "no UBWC on this platform");
>                 *value = adreno_gpu->ubwc_config->highest_bank_bit;
>                 return 0;
>         case MSM_PARAM_RAYTRACING:
>                 *value = adreno_gpu->has_ray_tracing;
>                 return 0;
>         case MSM_PARAM_UBWC_SWIZZLE:
> +               if (!adreno_gpu->ubwc_config)
> +                       return UERR(ENOENT, drm, "no UBWC on this platform");
>                 *value = adreno_gpu->ubwc_config->ubwc_swizzle;
>                 return 0;
>         case MSM_PARAM_MACROTILE_MODE:
> +               if (!adreno_gpu->ubwc_config)
> +                       return UERR(ENOENT, drm, "no UBWC on this platform");
>                 *value = adreno_gpu->ubwc_config->macrotile_mode;
>                 return 0;
>         case MSM_PARAM_UCHE_TRAP_BASE:
>
> ---
> base-commit: 66672af7a095d89f082c5327f3b15bc2f93d558e
> change-id: 20260407-adreno-fix-ubwc-6a2564710e21
>
> Best regards,
> --
> With best wishes
> Dmitry
>

Claude review: drm/msm/adreno: fix userspace-triggered crash on a2xx-a4xx

[Claude Code Review Bot]

Overall Series Review

Subject: drm/msm/adreno: fix userspace-triggered crash on a2xx-a4xx
Author: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Patches: 2
Reviewed: 2026-04-12T08:59:45.879716

---

This is a single patch (v3) fixing a **userspace-triggerable NULL pointer dereference** on Adreno a2xx through a4xx GPUs. The bug was introduced by commit `a452510aad53` which refactored UBWC configuration into a common struct and added a pointer (`ubwc_config`) that gets dereferenced in `adreno_get_param()` — but a2xx, a3xx, and a4xx GPUs never set this pointer since they predate UBWC support.

The fix is correct, minimal, and well-targeted. The approach of returning `-ENOENT` via the `UERR()` macro is consistent with how other unsupported parameter queries are handled in this function and matches the v2/v3 review feedback from Rob Clark.

**Verdict: Looks good.**

---
Generated by Claude Code Patch Reviewer

Claude review: drm/msm/adreno: fix userspace-triggered crash on a2xx-a4xx

[Claude Code Review Bot]

Patch Review

**Problem analysis:** Confirmed correct. The kernel source tree shows:
- `a5xx_gpu.c` sets `adreno_gpu->ubwc_config = &adreno_gpu->_ubwc_config` (line 1778)
- `a6xx_gpu.c` sets `gpu->ubwc_config = &gpu->_ubwc_config` (line 807)
- `a2xx_gpu.c`, `a3xx_gpu.c`, `a4xx_gpu.c` never touch `ubwc_config` — the pointer remains NULL from `kzalloc`

Since `MSM_PARAM_HIGHEST_BANK_BIT` (0x10), `MSM_PARAM_UBWC_SWIZZLE` (0x12), and `MSM_PARAM_MACROTILE_MODE` (0x13) are all UAPI params, any userspace program can query them and trigger the NULL dereference on pre-a5xx hardware.

**Code review:**

The three guard clauses are identical in structure and correct:

```c
case MSM_PARAM_HIGHEST_BANK_BIT:
	if (!adreno_gpu->ubwc_config)
		return UERR(ENOENT, drm, "no UBWC on this platform");
	*value = adreno_gpu->ubwc_config->highest_bank_bit;
	return 0;
```

- The `UERR(ENOENT, ...)` macro expands to `DRM_DEV_DEBUG_DRIVER(...)` followed by returning `-ENOENT`. This is appropriate — `ENOENT` signals "this parameter doesn't exist on this hardware" which is semantically correct and matches the review feedback.
- The debug message is helpful for userspace developers without being noisy (it's `DEBUG_DRIVER` level, not a warning).
- All three UBWC-related params are covered: `HIGHEST_BANK_BIT`, `UBWC_SWIZZLE`, and `MACROTILE_MODE`. No UBWC-related params are missed.

**No issues found.** The patch is minimal, correct, has proper `Fixes:` tag, and addresses the review feedback from v1/v2. 

Reviewed-by worthy.

---
Generated by Claude Code Patch Reviewer

Claude review: drm/msm/adreno: fix userspace-triggered crash on a2xx-a4xx

[Claude Code Review Bot]

Overall Series Review

Subject: drm/msm/adreno: fix userspace-triggered crash on a2xx-a4xx
Author: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Patches: 3
Reviewed: 2026-04-12T14:10:52.922255

---

This is a single patch (v2) fixing a userspace-triggerable NULL pointer dereference on older Adreno GPUs (a2xx through a4xx). The bug was introduced by commit a452510aad53 which switched to a common UBWC config struct pointer (`ubwc_config`), but older GPU generations that don't support UBWC never initialize this pointer. Userspace can still query UBWC-related params via `adreno_get_param()`, causing a NULL dereference.

The fix is straightforward, correct, and minimal. It adds NULL checks before each of the three `ubwc_config` dereferences in `adreno_get_param()`, returning `-ENOENT` when the config is absent. This is a v2 addressing Rob Clark's feedback to return `-ENOENT` instead of default values.

**Verdict: Patch looks good.**

---

---
Generated by Claude Code Patch Reviewer

Claude review: drm/msm/adreno: fix userspace-triggered crash on a2xx-a4xx

[Claude Code Review Bot]

Patch Review

**Correctness:** The fix is correct. The `ubwc_config` pointer in `struct adreno_gpu` (defined in `adreno_gpu.h:243`) is only initialized for a5xx+ GPUs. The a5xx and a6xx init paths call `qcom_ubwc_config_get_data()` and set `adreno_gpu->ubwc_config = &adreno_gpu->_ubwc_config`, but a2xx, a3xx, and a4xx init functions never touch this field, leaving it as NULL from the kzalloc'd struct.

**Completeness:** All three UBWC-related param cases in `adreno_get_param()` are guarded:

```c
case MSM_PARAM_HIGHEST_BANK_BIT:
	if (!adreno_gpu->ubwc_config)
		return -ENOENT;
	*value = adreno_gpu->ubwc_config->highest_bank_bit;
	return 0;
...
case MSM_PARAM_UBWC_SWIZZLE:
	if (!adreno_gpu->ubwc_config)
		return -ENOENT;
	*value = adreno_gpu->ubwc_config->ubwc_swizzle;
	return 0;
case MSM_PARAM_MACROTILE_MODE:
	if (!adreno_gpu->ubwc_config)
		return -ENOENT;
	*value = adreno_gpu->ubwc_config->macrotile_mode;
	return 0;
```

This covers every dereference of `ubwc_config` in this function. No dereference sites are missed.

**Error code choice:** `-ENOENT` is a reasonable return value, semantically conveying "this parameter does not exist on this hardware." The `MSM_PARAM_RAYTRACING` case between the first two guarded cases already follows a similar pattern of returning a property that may not be meaningful on all generations, though it returns 0 with `has_ray_tracing` being false. The difference is that `has_ray_tracing` is a direct struct member (always valid), while `ubwc_config` is a pointer that may be NULL, so a distinct error return makes sense here.

**Observation (not a blocker):** The agent's exploration revealed that `ubwc_config` is also dereferenced without NULL checks in the hardware init paths: `a5xx_hw_init()` (line ~838, with a `BUG_ON`), `a6xx_set_ubwc_config()` (line ~815), and `a8xx_set_ubwc_config()` (line ~277). However, these code paths are only reached for GPU generations that do initialize `ubwc_config`, so they are not vulnerable to the same NULL dereference. The scoping of this fix to `adreno_get_param()` is correct since that is the function reachable from any GPU generation via the common userspace ioctl path.

**Commit message:** Clear, explains the root cause and fix. The `Fixes:` tag correctly references the commit that introduced the regression.

**No issues found.** Patch is ready to merge.

Reviewed-by: Dave Airlie <airlied@gmail.com>

---
Generated by Claude Code Patch Reviewer

Claude review: drm/msm/adreno: fix userspace-triggered crash on a2xx-a4xx

[Claude Code Review Bot]

Overall Series Review

Subject: drm/msm/adreno: fix userspace-triggered crash on a2xx-a4xx
Author: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Patches: 3
Reviewed: 2026-04-12T14:17:19.494675

---

This is a single patch fixing a real NULL pointer dereference bug in the Adreno GPU driver. The problem is genuine: the commit `a452510aad53` ("drm/msm/adreno: Switch to the common UBWC config struct") introduced unconditional dereferences of `adreno_gpu->ubwc_config` in `adreno_get_param()`, but on a2xx through a4xx hardware, `ubwc_config` is never initialized (confirmed: none of a2xx_gpu.c, a3xx_gpu.c, or a4xx_gpu.c ever set `ubwc_config`). Any userspace process can trigger this crash by issuing an `MSM_PARAM_HIGHEST_BANK_BIT`, `MSM_PARAM_UBWC_SWIZZLE`, or `MSM_PARAM_MACROTILE_MODE` ioctl query on those older GPUs.

The fix is correct in that it prevents the crash, but the approach is debatable.

---
Generated by Claude Code Patch Reviewer

Claude review: drm/msm/adreno: fix userspace-triggered crash on a2xx-a4xx

[Claude Code Review Bot]

Patch Review

**The bug is real and the fix prevents the crash.** The NULL dereference is userspace-triggerable via the `MSM_GET_PARAM` ioctl, making this a local DoS / kernel oops from unprivileged userspace. The `Fixes:` tag is appropriate.

**Design concern: returning fabricated defaults vs returning -EINVAL.**

The patch returns hardcoded values (`13` for `HIGHEST_BANK_BIT`, `0` for the others) when `ubwc_config` is NULL:

```c
	case MSM_PARAM_HIGHEST_BANK_BIT:
		if (!adreno_gpu->ubwc_config)
			*value = 13;
		else
			*value = adreno_gpu->ubwc_config->highest_bank_bit;
```

While `13` is a reasonable default for `highest_bank_bit` (it matches the value used in `a5xx_gpu.c:838` where `BUG_ON(adreno_gpu->ubwc_config->highest_bank_bit < 13)` shows 13 is the baseline), returning fabricated UBWC parameters for hardware that **doesn't support UBWC at all** is semantically questionable. These params are meaningless on a2xx-a4xx.

An alternative would be to return `-EINVAL` for these three params when `ubwc_config` is NULL, similar to how `MSM_PARAM_TIMESTAMP` returns `-EINVAL` when the GPU doesn't support timestamps. This would clearly communicate to userspace "this GPU does not have UBWC" rather than silently returning plausible-looking but meaningless values. If existing userspace (e.g., freedreno in Mesa) depends on getting a success return from these params without checking the GPU generation first, that would justify the current approach — but a comment explaining why defaults were chosen over `-EINVAL` would be helpful.

**Minor style observation: repetitive NULL checks.**

The three cases repeat the same `if (!adreno_gpu->ubwc_config)` pattern. A small refactor could consolidate:

```c
	case MSM_PARAM_HIGHEST_BANK_BIT:
	case MSM_PARAM_UBWC_SWIZZLE:
	case MSM_PARAM_MACROTILE_MODE:
		if (!adreno_gpu->ubwc_config) {
			*value = (param == MSM_PARAM_HIGHEST_BANK_BIT) ? 13 : 0;
			return 0;
		}
		/* fall through to individual handling */
```

But this is a matter of taste for a simple bugfix, and the current form is perfectly readable.

**Missing Cc: stable.** Given this is a userspace-triggerable NULL pointer dereference, this should probably carry `Cc: stable@vger.kernel.org` to get backported to affected stable kernels (those carrying `a452510aad53`).

**Overall verdict:** The patch fixes a real crash. The only substantive question is whether returning `-EINVAL` would be more appropriate than returning dummy values for hardware that has no UBWC support. If the maintainers are happy with the default-value approach (and Mesa handles it correctly), the patch is ready to merge with the possible addition of a `Cc: stable` tag.

---
Generated by Claude Code Patch Reviewer