[PATCH 3/8] drm/amdkfd: fix overflow for the function criu_restore_bos

Felix Kuehling felix.kuehling at amd.com
Thu May 30 20:41:50 UTC 2024


On 2024-05-29 23:47, Jesse Zhang wrote:
> When copying the information from the user fails, it will goto exit.
> But the variable i remains at 0, and do i-- will overflow.

i-- may underflow, but the loop will still exit. Why is the underflow a 
problem?


>
> Signed-off-by: Jesse Zhang <Jesse.Zhang at amd.com>
> ---
>   drivers/gpu/drm/amd/amdkfd/kfd_chardev.c | 3 ++-
>   1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c b/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c
> index fdf171ad4a3c..dac8fdc49e3b 100644
> --- a/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c
> +++ b/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c
> @@ -2480,10 +2480,11 @@ static int criu_restore_bos(struct kfd_process *p,
>   		ret = -EFAULT;
>   
>   exit:
> -	while (ret && i--) {
> +	while (ret && i) {
>   		if (bo_buckets[i].alloc_flags
>   		   & (KFD_IOC_ALLOC_MEM_FLAGS_VRAM | KFD_IOC_ALLOC_MEM_FLAGS_GTT))
>   			close_fd(bo_buckets[i].dmabuf_fd);
> +		i--;

This changes the value of i in the loop body. To get the same behaviour 
you'd need to decrement i at the start of the loop body.

Regards,
   Felix


>   	}
>   	kvfree(bo_buckets);
>   	kvfree(bo_privs);
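Review bot: In the `exit:` loop, moving `i--` to the end of the body changes which entries get cleaned up. The original `while (ret && i--)` runs the body for indices i-1 down to 0, whereas the new form tests `bo_buckets[i]` at the unchanged starting value of i and stops before reaching index 0, so `bo_buckets[0].dmabuf_fd` is never closed and the entry at the starting index is inspected instead. If the aim is only to stop i from wrapping when the loop terminates, keep `while (ret && i)` and make `i--;` the first statement of the body, which visits the same indices as before. The commit message should also say why the wrapped value of i matters after the loop has exited, since nothing in the visible lines uses i afterwards.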

