amdgpf: BUG: NULL pointer dereference and memory leak

zhoucm1 zhoucm1 at amd.com
Tue Jul 30 09:14:10 UTC 2019



On 2019-07-30 17:04, Koenig, Christian wrote:
> On 30.07.19 at 10:47, 亿一 wrote:
>> Hi all,
>>            While analyzing the source code, I noticed that the function
>> amdgpu_cs_process_fence_dep() may have a NULL pointer dereference and
>> a memory leak in the following code fragment:
>>
>>
>> fence = amdgpu_ctx_get_fence(ctx, entity,
>>                              deps[i].handle);
>>
>> if (chunk->chunk_id == AMDGPU_CHUNK_ID_SCHEDULED_DEPENDENCIES) {
>>         struct drm_sched_fence *s_fence = to_drm_sched_fence(fence);
>>         struct dma_fence *old = fence;
>>
>>         fence = dma_fence_get(&s_fence->scheduled);
>>         dma_fence_put(old);
>> }
>>
>> if (IS_ERR(fence)) {
>>         r = PTR_ERR(fence);
>>         amdgpu_ctx_put(ctx);
>>         return r;
>> } else if (fence) {
>>         r = amdgpu_sync_fence(p->adev, &p->job->sync, fence,
>>                               true);
>>         dma_fence_put(fence);
>>         amdgpu_ctx_put(ctx);
>>         if (r)
>>                 return r;
>> }
>>
>> The function amdgpu_ctx_get_fence() may return a NULL pointer, which will
>> cause a NULL pointer dereference. What's more, IS_ERR() does not
>> return true when the pointer is NULL, which will cause the ctx reference
>> to be leaked.
> That handling is actually correct.
>
> The problem is the "if (chunk->chunk_id ==
> AMDGPU_CHUNK_ID_SCHEDULED_DEPENDENCIES)" stuff above.
>
> That comes too early and needs to be moved below checking the fence for
> errors. Going to send a fix for this to the mailing list in a minute.
Lin Yi is right, I think; we leak the ctx reference when fence is NULL.

-David
>
> Thanks for the notice,
> Christian.
>
>> But I don't know how to fix it, so I am reporting it to you all.
>>
>> Best Regards.
>> Lin Yi.
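To make the reference-count problem discussed in this thread concrete, here is an added user-space model (not kernel code and not the patch Christian refers to): `get_fence()`, `ctx_put()` and `fence_put()` are toy stand-ins for `amdgpu_ctx_get_fence()`, `amdgpu_ctx_put()` and `dma_fence_put()`; `process_dep_original()` mirrors the control flow of the quoted fragment (with the scheduled-dependencies block omitted, since it would dereference the NULL fence), and `process_dep_balanced()` is one ordering of my own that releases ctx on every path.

```c
#include <assert.h>
#include <errno.h>
#include <stddef.h>

/* Toy refcounted stand-ins for amdgpu_ctx and dma_fence (assumption, not kernel code). */
struct ctx   { int refs; };
struct fence { int refs; };
static struct ctx   g_ctx   = { 1 };   /* reference owned by the caller */
static struct fence g_fence = { 1 };
void reset_refs(void) { g_ctx.refs = 1; g_fence.refs = 1; }
int  ctx_refs(void)   { return g_ctx.refs; }
int  fence_refs(void) { return g_fence.refs; }
/* Models amdgpu_ctx_get_fence(): ERR_PTR for a bad handle, NULL when the
 * fence has already signalled, otherwise a fence with one new reference. */
static struct fence *get_fence(int handle)
{
    if (handle < 0)  return (struct fence *)(long)-EINVAL;
    if (handle == 0) return NULL;
    g_fence.refs++;
    return &g_fence;
}
static int  is_err(const void *p)      { return (unsigned long)p >= (unsigned long)-4095L; }
static void ctx_put(void)              { g_ctx.refs--; }
static void fence_put(struct fence *f) { f->refs--; }
/* Flow of the quoted fragment (scheduled-dependencies branch omitted): a NULL
 * fence skips both branches, so the ref from amdgpu_ctx_get() is never dropped. */
int process_dep_original(int handle)
{
    g_ctx.refs++;                                   /* amdgpu_ctx_get() */
    struct fence *fence = get_fence(handle);
    if (is_err(fence)) { ctx_put(); return (int)(long)fence; }
    else if (fence)    { fence_put(fence); ctx_put(); }
    return 0;
}
/* One balanced ordering: drop ctx right after the lookup, then classify the fence. */
int process_dep_balanced(int handle)
{
    g_ctx.refs++;
    struct fence *fence = get_fence(handle);
    ctx_put();                                      /* ctx no longer needed */
    if (is_err(fence)) return (int)(long)fence;
    if (!fence)        return 0;                    /* nothing to sync on */
    fence_put(fence);
    return 0;
}
int main(void)
{
    process_dep_original(0); assert(ctx_refs() == 2);   /* one ctx ref leaked */
    reset_refs(); process_dep_balanced(0); assert(ctx_refs() == 1);   /* balanced */
}
```

Running it with handle 0 (the NULL-fence case) leaves the original ordering holding one extra ctx reference, while the error and valid-fence cases are balanced in both versions.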



More information about the amd-gfx mailing list