[PATCH] drm/amdkfd: Fix a wild pointer dereference in svm_range_add()
Felix Kuehling
felix.kuehling at amd.com
Wed Dec 8 00:54:52 UTC 2021
On 2021-11-30 12:49 p.m., Qingyang Zhou wrote:
> Dear Felix:
>
> This patch is not auto-generated, and as a matter of fact, it is
> requested by the Linux Community.
>
> As you can see from my email address, I am a researcher from the
> University of Minnesota, and because of the unpleasant event that
> happened in April, all the patches from our university must contain
> enough information for the Linux Community to verify. Still I feel so
> sorry to take up your time.
Hi Qingyang,
Sorry for the late response. I was about to apply your patch when I
realized that it's not unwinding things correctly in the new failure
case. I think I'll refactor svm_range_add and svm_range_handle_overlap a
bit to make sure the unwinding is handled correctly and only needs to be
done in one place instead of two.
I'll copy you on the final patch.
Regards,
Felix
>
> yours sincerely,
> zhou qingyang.
>
>
> On Wed, Dec 1, 2021 at 1:35 AM Felix Kuehling <felix.kuehling at amd.com
> <mailto:felix.kuehling at amd.com>> wrote:
>
> Am 2021-11-30 um 11:51 a.m. schrieb philip yang:
> >
> >
> > On 2021-11-30 6:26 a.m., Zhou Qingyang wrote:
> >> In svm_range_add(), the return value of svm_range_new() is assigned
> >> to prange and &prange->insert_list is used in list_add(). There
> is a
> >> a dereference of &prange->insert_list in list_add(), which
> could lead
> >> to a wild pointer dereference on failure of vm_range_new() if
> >> CONFIG_DEBUG_LIST is unset in .config file.
> >>
> >> Fix this bug by adding a check of prange.
> >>
> >> This bug was found by a static analyzer. The analysis employs
> >> differential checking to identify inconsistent security operations
> >> (e.g., checks or kfrees) between two code paths and confirms
> that the
> >> inconsistent operations are not recovered in the current
> function or
> >> the callers, so they constitute bugs.
> >>
> >> Note that, as a bug found by static analysis, it can be a false
> >> positive or hard to trigger. Multiple researchers have
> cross-reviewed
> >> the bug.
> >>
> >> Builds with CONFIG_DRM_AMDGPU=m, CONFIG_HSA_AMD=y, and
> >> CONFIG_HSA_AMD_SVM=y show no new warnings, and our static
> analyzer no
> >> longer warns about this code.
> >>
> >> Fixes: 42de677f7999 ("drm/amdkfd: register svm range")
> >> Signed-off-by: Zhou Qingyang <zhou1615 at umn.edu
> <mailto:zhou1615 at umn.edu>>
> > Reviewed-by: Philip Yang <Philip.Yang at amd.com
> <mailto:Philip.Yang at amd.com>>
>
> The patch looks good to me. It's an obvious bug and definitely not a
> false positive. The patch description is a bit verbose. Is this
> auto-generated output from the static checker? It could be
> replaced with
> something more concise. Especially the comment about this possibly
> being
> a false positive should not be in the final submission.
>
> Regards,
> Felix
>
>
> >> ---
> >> drivers/gpu/drm/amd/amdkfd/kfd_svm.c | 3 +++
> >> 1 file changed, 3 insertions(+)
> >>
> >> diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_svm.c
> b/drivers/gpu/drm/amd/amdkfd/kfd_svm.c
> >> index 58b89b53ebe6..e40c2211901d 100644
> >> --- a/drivers/gpu/drm/amd/amdkfd/kfd_svm.c
> >> +++ b/drivers/gpu/drm/amd/amdkfd/kfd_svm.c
> >> @@ -2940,6 +2940,9 @@ svm_range_add(struct kfd_process *p,
> uint64_t start, uint64_t size,
> >>
> >> if (left) {
> >> prange = svm_range_new(svms, last - left + 1, last);
> >> + if (!prange)
> >> + return -ENOMEM;
> >> +
> >> list_add(&prange->insert_list, insert_list);
> >> list_add(&prange->update_list, update_list);
> >> }
>
More information about the amd-gfx
mailing list