[PATCH] drm/amdgpu: Fix a use-after-free

xinhui pan xinhui.pan at amd.com
Tue May 18 03:00:41 UTC 2021 

looks like we forget to set ttm->sg to NULL.
Hit panic below

[ 1235.844104] general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b7b4b: 0000 [#1] SMP DEBUG_PAGEALLOC NOPTI
[ 1235.862186] CPU: 5 PID: 25180 Comm: kfdtest Tainted: G        W         5.11.0+ #114
[ 1235.870633] Hardware name: System manufacturer System Product Name/PRIME Z390-A, BIOS 1401 11/26/2019
[ 1235.880689] RIP: 0010:__sg_free_table+0x55/0x90
[ 1235.885654] Code: 39 c6 77 1c 41 c7 46 0c 00 00 00 00 85 d2 74 46 49 c7 06 00 00 00 00 5b 41 5c 41 5d 41 5e 5d c3 8d 48 ff 49 89 c8 48 c1 e1 05 <48> 8b 1c 0f 44 29 c6 41 89 76 0c 48 83 e3 f8
[ 1235.906084] RSP: 0000:ffffad1c430cfbd0 EFLAGS: 00010202
[ 1235.911671] RAX: 0000000000000080 RBX: ffff93e266d2e6d8 RCX: 0000000000000fe0
[ 1235.919393] RDX: 0000000000000000 RSI: 00000000a56b6b6b RDI: 6b6b6b6b6b6b6b6b
[ 1235.927190] RBP: ffffad1c430cfbf0 R08: 000000000000007f R09: 0000000000000001
[ 1235.934970] R10: 0000000000000001 R11: 0000000000000001 R12: 0000000000000080
[ 1235.942766] R13: ffffffff9e7fe9f0 R14: ffff93e20c3488b0 R15: ffff93e270bc8b20
[ 1235.950563] FS:  00007f5013ca63c0(0000) GS:ffff93f075200000(0000) knlGS:0000000000000000
[ 1235.959404] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1235.965683] CR2: 00007ff44b08faff CR3: 000000020f84e002 CR4: 00000000003706e0
[ 1235.973472] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 1235.981269] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 1235.989074] Call Trace:
[ 1235.991751]  sg_free_table+0x17/0x20
[ 1235.995667]  amdgpu_ttm_backend_unbind.cold+0x4d/0xf7 [amdgpu]
[ 1236.002288]  amdgpu_ttm_backend_destroy+0x29/0x130 [amdgpu]
[ 1236.008464]  ttm_tt_destroy+0x1e/0x30 [ttm]
[ 1236.013066]  ttm_bo_cleanup_memtype_use+0x51/0xa0 [ttm]
[ 1236.018783]  ttm_bo_release+0x262/0xa50 [ttm]
[ 1236.023547]  ttm_bo_put+0x82/0xd0 [ttm]
[ 1236.027766]  amdgpu_bo_unref+0x26/0x50 [amdgpu]
[ 1236.032809]  amdgpu_amdkfd_gpuvm_alloc_memory_of_gpu+0x7aa/0xd90 [amdgpu]
[ 1236.040400]  kfd_ioctl_alloc_memory_of_gpu+0xe2/0x330 [amdgpu]
[ 1236.046912]  kfd_ioctl+0x463/0x690 [amdgpu]
[ 1236.051632]  ? kfd_dev_is_large_bar+0xf0/0xf0 [amdgpu]
[ 1236.057360]  __x64_sys_ioctl+0x91/0xc0
[ 1236.061457]  do_syscall_64+0x38/0x90
[ 1236.065383]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 1236.070920] RIP: 0033:0x7f5013dbe50b

Signed-off-by: xinhui pan <xinhui.pan at amd.com>
---
 drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c
index 89cd93b24404..754f9847497d 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c
@@ -1158,6 +1158,7 @@ static void amdgpu_ttm_tt_unpopulate(struct ttm_device *bdev,
 	if (gtt && gtt->userptr) {
 		amdgpu_ttm_tt_set_user_pages(ttm, NULL);
 		kfree(ttm->sg);
+		ttm->sg = NULL;
 		ttm->page_flags &= ~TTM_PAGE_FLAG_SG;
 		return;
 	}
-- 
2.25.1

More information about the amd-gfx mailing list