<div dir="ltr">Dear Felix:<div><br></div><div>This patch is not auto-generated, and as a matter of fact, it is requested by the Linux Community.</div><div><br></div><div>As you can see from my email address, I am a researcher from the University of Minnesota, and because of the unpleasant event that happened in April, all the patches from our university must contain enough information for the Linux Community to verify. Still I feel so sorry to take up your time. </div><div><br></div><div>yours sincerely,</div><div>zhou qingyang.</div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Dec 1, 2021 at 1:35 AM Felix Kuehling <<a href="mailto:felix.kuehling@amd.com" target="_blank">felix.kuehling@amd.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Am 2021-11-30 um 11:51 a.m. schrieb philip yang:<br>
><br>
><br>
> On 2021-11-30 6:26 a.m., Zhou Qingyang wrote:<br>
>> In svm_range_add(), the return value of svm_range_new() is assigned<br>
>> to prange and &prange->insert_list is used in list_add(). There is a<br>
>> a dereference of &prange->insert_list in list_add(), which could lead<br>
>> to a wild pointer dereference on failure of vm_range_new() if<br>
>> CONFIG_DEBUG_LIST is unset in .config file.<br>
>><br>
>> Fix this bug by adding a check of prange.<br>
>><br>
>> This bug was found by a static analyzer. The analysis employs<br>
>> differential checking to identify inconsistent security operations<br>
>> (e.g., checks or kfrees) between two code paths and confirms that the<br>
>> inconsistent operations are not recovered in the current function or<br>
>> the callers, so they constitute bugs.<br>
>><br>
>> Note that, as a bug found by static analysis, it can be a false<br>
>> positive or hard to trigger. Multiple researchers have cross-reviewed<br>
>> the bug.<br>
>><br>
>> Builds with CONFIG_DRM_AMDGPU=m, CONFIG_HSA_AMD=y, and<br>
>> CONFIG_HSA_AMD_SVM=y show no new warnings, and our static analyzer no<br>
>> longer warns about this code.<br>
>><br>
>> Fixes: 42de677f7999 ("drm/amdkfd: register svm range")<br>
>> Signed-off-by: Zhou Qingyang <<a href="mailto:zhou1615@umn.edu" target="_blank">zhou1615@umn.edu</a>><br>
> Reviewed-by: Philip Yang <<a href="mailto:Philip.Yang@amd.com" target="_blank">Philip.Yang@amd.com</a>><br>
<br>
The patch looks good to me. It's an obvious bug and definitely not a<br>
false positive. The patch description is a bit verbose. Is this<br>
auto-generated output from the static checker? It could be replaced with<br>
something more concise. Especially the comment about this possibly being<br>
a false positive should not be in the final submission.<br>
<br>
Regards,<br>
Felix<br>
<br>
<br>
>> ---<br>
>> drivers/gpu/drm/amd/amdkfd/kfd_svm.c | 3 +++<br>
>> 1 file changed, 3 insertions(+)<br>
>><br>
>> diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_svm.c b/drivers/gpu/drm/amd/amdkfd/kfd_svm.c<br>
>> index 58b89b53ebe6..e40c2211901d 100644<br>
>> --- a/drivers/gpu/drm/amd/amdkfd/kfd_svm.c<br>
>> +++ b/drivers/gpu/drm/amd/amdkfd/kfd_svm.c<br>
>> @@ -2940,6 +2940,9 @@ svm_range_add(struct kfd_process *p, uint64_t start, uint64_t size,<br>
>> <br>
>> if (left) {<br>
>> prange = svm_range_new(svms, last - left + 1, last);<br>
>> + if (!prange)<br>
>> + return -ENOMEM;<br>
>> +<br>
>> list_add(&prange->insert_list, insert_list);<br>
>> list_add(&prange->update_list, update_list);<br>
>> }<br>
</blockquote></div>