[PATCH v2] drm/xe: Fix possible UAF in guc_exec_queue_process_msg

Upadhyay, Tejas tejas.upadhyay at intel.com
Thu Jul 25 05:23:13 UTC 2024



> -----Original Message-----
> From: Brost, Matthew <matthew.brost at intel.com>
> Sent: Wednesday, July 24, 2024 9:14 PM
> To: Upadhyay, Tejas <tejas.upadhyay at intel.com>
> Cc: intel-xe at lists.freedesktop.org; dan.carpenter at linaro.org
> Subject: Re: [PATCH v2] drm/xe: Fix possible UAF in
> guc_exec_queue_process_msg
> 
> On Wed, Jul 24, 2024 at 09:42:11AM -0600, Upadhyay, Tejas wrote:
> >
> >
> > > -----Original Message-----
> > > From: Intel-xe <intel-xe-bounces at lists.freedesktop.org> On Behalf Of
> > > Matthew Brost
> > > Sent: Wednesday, July 24, 2024 12:49 AM
> > > To: intel-xe at lists.freedesktop.org
> > > Cc: dan.carpenter at linaro.org
> > > Subject: [PATCH v2] drm/xe: Fix possible UAF in
> > > guc_exec_queue_process_msg
> > >
> > > Store xe_device ahead of processing message as message can be free'd
> > > in some cases.
> > >
> > > v2:
> > >  - Including missing local changes
> > >
> > > Reported-by: kernel test robot <lkp at intel.com>
> > > Reported-by: Dan Carpenter <dan.carpenter at linaro.org>
> > > Closes:
> > > https://lore.kernel.org/r/202407231445.rpisd1vA-lkp@intel.com/
> > > Fixes: d930c19fdff3 ("drm/xe: Build PM into GuC CT layer")
> > > Signed-off-by: Matthew Brost <matthew.brost at intel.com>
> > > ---
> > >  drivers/gpu/drm/xe/xe_guc_submit.c | 4 +++-
> > >  1 file changed, 3 insertions(+), 1 deletion(-)
> > >
> > > diff --git a/drivers/gpu/drm/xe/xe_guc_submit.c
> > > b/drivers/gpu/drm/xe/xe_guc_submit.c
> > > index da2ead86b9ae..b8f938539a90 100644
> > > --- a/drivers/gpu/drm/xe/xe_guc_submit.c
> > > +++ b/drivers/gpu/drm/xe/xe_guc_submit.c
> > > @@ -1395,6 +1395,8 @@ static void
> > > __guc_exec_queue_process_msg_resume(struct xe_sched_msg *msg)
> > >
> > >  static void guc_exec_queue_process_msg(struct xe_sched_msg *msg)  {
> > > +	struct xe_device *xe =
> > > +guc_to_xe(exec_queue_to_guc(msg->private_data));
> >
> > If msg is freed at this point, don't you need to protect against NULL, just in
> > case?
> >
> 
> The msg is valid here; it can be freed in the switch statement below, hence the
> bug in referencing it after the switch statement.

Ok, LGTM,
Acked-by: Tejas Upadhyay <tejas.upadhyay at intel.com>

Tejas
> 
> Matt
> 
> > Thanks,
> > Tejas
> > > +
> > >  	trace_xe_sched_msg_recv(msg);
> > >
> > >  	switch (msg->opcode) {
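Review bot: the new local `xe` is correct only because it is evaluated before the `switch` that can free `msg`, but nothing in the hunk records that ordering requirement, so a later refactor that moves the declaration (or re-reads `msg->private_data` after the switch) would silently reintroduce the use-after-free. Suggest a one-line comment above the declaration, e.g. `/* msg may be freed while processing below, resolve xe first */`, so the dependency survives future edits. Also, the declaration appears wrapped across two lines in the quoted mail (`struct xe_device *xe =` / `guc_to_xe(...)`); worth confirming the applied patch keeps it within the line limit or splits it deliberately rather than by mail-client wrapping.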
> > > @@ -1414,7 +1416,7 @@ static void guc_exec_queue_process_msg(struct
> > > xe_sched_msg *msg)
> > >  		XE_WARN_ON("Unknown message type");
> > >  	}
> > >
> > > -	xe_pm_runtime_put(guc_to_xe(exec_queue_to_guc(msg-
> > > >private_data)));
> > > +	xe_pm_runtime_put(xe);
> > >  }
> > >
> > >  static const struct drm_sched_backend_ops drm_sched_ops = {
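Review bot: replacing `xe_pm_runtime_put(guc_to_xe(exec_queue_to_guc(msg->private_data)))` with `xe_pm_runtime_put(xe)` removes the only dereference of `msg` after the switch visible in this hunk, which is the reported UAF; from the context shown, `xe_pm_runtime_put(xe)` is the last statement before the closing brace, so no other post-switch use of `msg` remains in this function. One thing to check outside the hunk: the `trace_xe_sched_msg_recv(msg)` call and the `switch` cases still take `msg` as valid, which matches the reply in the thread that `msg` is valid at entry and only becomes invalid inside the switch, so the NULL check raised in review is not needed here.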
> > > --
> > > 2.34.1
> >

