[PATCH] radeon: use kvcalloc for relocs and chunks

Christian König christian.koenig at amd.com
Wed Mar 17 07:55:47 UTC 2021


On 17.03.21 at 07:22, Chen Li wrote:
> kvmalloc_array + __GFP_ZERO is the same as kvcalloc.
>
> As for p->chunks, it will be used in:
> ```
> if (ib_chunk->kdata)
> 		memcpy(parser->ib.ptr, ib_chunk->kdata, ib_chunk->length_dw * 4);
> ```
>
> If chunks isn't zeroed out with __GFP_ZERO, it may point somewhere else, e.g.,
> ```
> Unable to handle kernel paging request at virtual address 0000000000010000
> ...
> pc is at memcpy+0x84/0x250
> ra is at radeon_cs_ioctl+0x368/0xb90 [radeon]
> ```
>
> After allocating chunks with __GFP_KERNEL/kvcalloc, this bug is fixed.

NAK to zeroing the chunks array.

That array should be fully initialized with data before using it, 
otherwise we have a much more serious bug and zeroing it out only papers 
over the real issue.

How did you trigger the NULL pointer deref above?

Thanks,
Christian.

> Signed-off-by: Chen Li <chenli at uniontech.com>
> ---
>   drivers/gpu/drm/radeon/radeon_cs.c | 6 +++---
>   1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/gpu/drm/radeon/radeon_cs.c b/drivers/gpu/drm/radeon/radeon_cs.c
> index fb736ef9f9aa..059431689c2d 100644
> --- a/drivers/gpu/drm/radeon/radeon_cs.c
> +++ b/drivers/gpu/drm/radeon/radeon_cs.c
> @@ -93,8 +93,8 @@ static int radeon_cs_parser_relocs(struct radeon_cs_parser *p)
>   	p->dma_reloc_idx = 0;
>   	/* FIXME: we assume that each relocs use 4 dwords */
>   	p->nrelocs = chunk->length_dw / 4;
> -	p->relocs = kvmalloc_array(p->nrelocs, sizeof(struct radeon_bo_list),
> -			GFP_KERNEL | __GFP_ZERO);
> +	p->relocs = kvcalloc(p->nrelocs, sizeof(struct radeon_bo_list),
> +			GFP_KERNEL);
>   	if (p->relocs == NULL) {
>   		return -ENOMEM;
>   	}
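Review bot: the relocs part of the patch is a pure no-op cleanup and should be split from the chunks change (second hunk) and described as such in the commit message. kvcalloc(n, size, GFP_KERNEL) is by definition the zeroed variant of kvmalloc_array(n, size, GFP_KERNEL | __GFP_ZERO), with the same overflow check on p->nrelocs * sizeof(struct radeon_bo_list), so the allocation in radeon_cs_parser_relocs behaves exactly as before and the NULL check and -ENOMEM path below it are unaffected.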
> @@ -299,7 +299,7 @@ int radeon_cs_parser_init(struct radeon_cs_parser *p, void *data)
>   	}
>   	p->cs_flags = 0;
>   	p->nchunks = cs->num_chunks;
> -	p->chunks = kvmalloc_array(p->nchunks, sizeof(struct radeon_cs_chunk), GFP_KERNEL);
> +	p->chunks = kvcalloc(p->nchunks, sizeof(struct radeon_cs_chunk), GFP_KERNEL);
>   	if (p->chunks == NULL) {
>   		return -ENOMEM;
>   	}
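Review bot: unlike the first hunk, this one changes behaviour rather than spelling, because the old kvmalloc_array call in radeon_cs_parser_init passed plain GFP_KERNEL with no __GFP_ZERO, so switching to kvcalloc silently starts zero-filling p->chunks. That turns the `if (ib_chunk->kdata)` test quoted above into a NULL check on memory that was never written, which is exactly the reviewer's concern: a chunk entry that is never fully initialized is the real bug, and zero-filling only hides it. The change should instead identify which path leaves an element of p->chunks (and its kdata pointer) uninitialized before radeon_cs_ioctl reaches the memcpy, and the commit message should include the reproducer for the paging fault at 0000000000010000 rather than stating that zeroing fixes it.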
