[lvc-project] [PATCH 6.1] drm/ttm: fix up length check inside ttm_bo_vm_access()

Fedor Pchelkin pchelkin at ispras.ru
Fri Jan 16 21:50:06 MSK 2026 

No upstream commit exists for this patch.

Commit 491adc6a0f99 ("drm/ttm: Avoid NULL pointer deref for evicted BOs")
added the validation of bo->resource but in the context of 6.1.y and older
stable kernels the pointer is still dereferenced before that check.

It's been unseen and manifests as a stable kernel's issue only because
another upstream commit e3c92eb4a84f ("drm/ttm: rework on ttm_resource to
use size_t type") refactored the code a bit and, specifically, changed
bo->resource->num_pages to bo->base.size at some places.  That commit is
rather intrusive and not handy to be backported to stable kernels so
implement the adaptive fix directly.

Since bo->resource->num_pages is calculated as PFN_UP(bo->base.size) in
older kernels as well, extract this single conversion from that commit.
Thus the problem indicated by commit 491adc6a0f99 ("drm/ttm: Avoid NULL
pointer deref for evicted BOs") would be actually fixed as intended.

Found by Linux Verification Center (linuxtesting.org) with Svace static
analysis tool.

Fixes: 491adc6a0f99 ("drm/ttm: Avoid NULL pointer deref for evicted BOs")
Signed-off-by: Fedor Pchelkin <pchelkin at ispras.ru>
---

Fresher stables starting from 6.6.y are not affected with this as they
have e3c92eb4a84f.

The backport of 491adc6a0f99 ("drm/ttm: Avoid NULL pointer deref for
evicted BOs") is currently in 5.10-5.15 queues and it may be fixed up in
place.

 drivers/gpu/drm/ttm/ttm_bo_vm.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/ttm/ttm_bo_vm.c b/drivers/gpu/drm/ttm/ttm_bo_vm.c
index 1f543bd04fcf..51d0f5d23b1c 100644
--- a/drivers/gpu/drm/ttm/ttm_bo_vm.c
+++ b/drivers/gpu/drm/ttm/ttm_bo_vm.c
@@ -412,7 +412,7 @@ int ttm_bo_vm_access(struct vm_area_struct *vma, unsigned long addr,
 		 << PAGE_SHIFT);
 	int ret;
 
-	if (len < 1 || (offset + len) >> PAGE_SHIFT > bo->resource->num_pages)
+	if (len < 1 || (offset + len) > bo->base.size)
 		return -EIO;
 
 	ret = ttm_bo_reserve(bo, true, false, NULL);
-- 
2.51.0

More information about the lvc-project mailing list