[PATCH v2] drm/xe: Fix possible UAF in guc_exec_queue_process_msg

Ghimiray, Himal Prasad himal.prasad.ghimiray at intel.com
Wed Jul 24 15:53:00 UTC 2024



On 24-07-2024 21:12, Upadhyay, Tejas wrote:
> 
> 
>> -----Original Message-----
>> From: Intel-xe <intel-xe-bounces at lists.freedesktop.org> On Behalf Of
>> Matthew Brost
>> Sent: Wednesday, July 24, 2024 12:49 AM
>> To: intel-xe at lists.freedesktop.org
>> Cc: dan.carpenter at linaro.org
>> Subject: [PATCH v2] drm/xe: Fix possible UAF in
>> guc_exec_queue_process_msg
>>
>> Store xe_device ahead of processing message as message can be free'd in
>> some cases.
>>
>> v2:
>>   - Including missing local changes
>>
>> Reported-by: kernel test robot <lkp at intel.com>
>> Reported-by: Dan Carpenter <dan.carpenter at linaro.org>
>> Closes: https://lore.kernel.org/r/202407231445.rpisd1vA-lkp@intel.com/
>> Fixes: d930c19fdff3 ("drm/xe: Build PM into GuC CT layer")
>> Signed-off-by: Matthew Brost <matthew.brost at intel.com>
>> ---
>>   drivers/gpu/drm/xe/xe_guc_submit.c | 4 +++-
>>   1 file changed, 3 insertions(+), 1 deletion(-)
>>
>> diff --git a/drivers/gpu/drm/xe/xe_guc_submit.c
>> b/drivers/gpu/drm/xe/xe_guc_submit.c
>> index da2ead86b9ae..b8f938539a90 100644
>> --- a/drivers/gpu/drm/xe/xe_guc_submit.c
>> +++ b/drivers/gpu/drm/xe/xe_guc_submit.c
>> @@ -1395,6 +1395,8 @@ static void
>> __guc_exec_queue_process_msg_resume(struct xe_sched_msg *msg)
>>
>>   static void guc_exec_queue_process_msg(struct xe_sched_msg *msg)  {
>> +	struct xe_device *xe =
>> +guc_to_xe(exec_queue_to_guc(msg->private_data));
> 
> If msg freed at this point, don't you need to protect against NULL, just in case?
> 
> Thanks,
> Tejas

xe_sched_process_msg_work, the caller of the ops, ensures the routine is 
called only if msg is valid.

Below, a msg->opcode such as CLEANUP can clean it up.

>> +
>>   	trace_xe_sched_msg_recv(msg);
>>
>>   	switch (msg->opcode) {
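Review bot: the new `xe` local at the top of guc_exec_queue_process_msg() carries no comment saying why it is resolved before the switch, so a later cleanup could fold it back into the `xe_pm_runtime_put()` call and reintroduce the use-after-free. A one-line comment at the declaration, along the lines of "msg may be freed by the opcode handlers below, so look up xe first", would record the reason. On the NULL question raised above: the initializer reads `msg->private_data` before any handler runs, just as `trace_xe_sched_msg_recv(msg)` and `switch (msg->opcode)` do, so a NULL check at this point would not guard against the free.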
>> @@ -1414,7 +1416,7 @@ static void guc_exec_queue_process_msg(struct
>> xe_sched_msg *msg)
>>   		XE_WARN_ON("Unknown message type");
>>   	}
>>
>> -	xe_pm_runtime_put(guc_to_xe(exec_queue_to_guc(msg-
>>> private_data)));
>> +	xe_pm_runtime_put(xe);
>>   }
>>
>>   static const struct drm_sched_backend_ops drm_sched_ops = {
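Review bot: `xe_pm_runtime_put(xe)` at the end of the function now depends on the xe_device pointer staying valid after a handler has released the message, and the commit message only says the message "can be free'd in some cases". Please name the opcode path that frees it and state that the device outlives the message, so the lifetime assumption behind the cached pointer is on record. In the lines shown, no other dereference of `msg` remains after the switch.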
>> --
>> 2.34.1
> 