* [PATCH] drm/amdkfd: Fix a __user pointer dereference in create_signal_event
@ 2021-10-13 7:33 Lang Yu
2021-10-13 8:06 ` Lazar, Lijo
0 siblings, 1 reply; 3+ messages in thread
From: Lang Yu @ 2021-10-13 7:33 UTC (permalink / raw)
To: amd-gfx, Felix Kuehling; +Cc: Alex Deucher, Huang Rui, Lang Yu
We should not dereference __user pointers directly.
https://yarchive.net/comp/linux/user_pointers.html
Fixes: 482f07775cf5
("drm/amdkfd: Simplify event ID and signal slot management")
Signed-off-by: Lang Yu <lang.yu@amd.com>
---
drivers/gpu/drm/amd/amdkfd/kfd_events.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_events.c b/drivers/gpu/drm/amd/amdkfd/kfd_events.c
index 3eea4edee355..74d3bdcfe341 100644
--- a/drivers/gpu/drm/amd/amdkfd/kfd_events.c
+++ b/drivers/gpu/drm/amd/amdkfd/kfd_events.c
@@ -201,7 +201,7 @@ static int create_signal_event(struct file *devkfd,
p->signal_event_count++;
- ev->user_signal_address = &p->signal_page->user_address[ev->event_id];
+ ev->user_signal_address = p->signal_page->user_address + ev->event_id;
pr_debug("Signal event number %zu created with id %d, address %p\n",
p->signal_event_count, ev->event_id,
ev->user_signal_address);
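Review bot: On the changed ev->user_signal_address assignment, the removed `&p->signal_page->user_address[ev->event_id]` and the added `p->signal_page->user_address + ev->event_id` are both plain address arithmetic. C defines `&a[i]` as `a + i` with no load from the array, so the old line never read user memory. The subject line and the Fixes: tag describe a functional bug that the visible lines do not show. Suggest rewording the commit message as a readability cleanup and dropping Fixes:, or, if a checker warning motivated the change, quoting that warning in the message.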
--
2.25.1
* Re: [PATCH] drm/amdkfd: Fix a __user pointer dereference in create_signal_event
2021-10-13 7:33 [PATCH] drm/amdkfd: Fix a __user pointer dereference in create_signal_event Lang Yu
@ 2021-10-13 8:06 ` Lazar, Lijo
2021-10-13 8:30 ` Yu, Lang
0 siblings, 1 reply; 3+ messages in thread
From: Lazar, Lijo @ 2021-10-13 8:06 UTC (permalink / raw)
To: Lang Yu, amd-gfx, Felix Kuehling; +Cc: Alex Deucher, Huang Rui

On 10/13/2021 1:03 PM, Lang Yu wrote:
> We should not dereference __user pointers directly.
> https://yarchive.net/comp/linux/user_pointers.html
>
> Fixes: 482f07775cf5
> ("drm/amdkfd: Simplify event ID and signal slot management")
>
> Signed-off-by: Lang Yu <lang.yu@amd.com>
> ---
> drivers/gpu/drm/amd/amdkfd/kfd_events.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_events.c b/drivers/gpu/drm/amd/amdkfd/kfd_events.c
> index 3eea4edee355..74d3bdcfe341 100644
> --- a/drivers/gpu/drm/amd/amdkfd/kfd_events.c
> +++ b/drivers/gpu/drm/amd/amdkfd/kfd_events.c
> @@ -201,7 +201,7 @@ static int create_signal_event(struct file *devkfd,
>
> p->signal_event_count++;
>
> - ev->user_signal_address = &p->signal_page->user_address[ev->event_id];

This is interesting. I thought this wouldn't dereference.

See here -

https://en.cppreference.com/w/c/language/operator_member_access

"If the operand is an array index expression, no action is taken other than the array-to-pointer conversion and the addition, so &a[N] is valid for an array of size N (obtaining a pointer one past the end is okay, dereferencing it is not, but dereference cancels out in this expression)"

Thanks,
Lijo

> + ev->user_signal_address = p->signal_page->user_address + ev->event_id;
> pr_debug("Signal event number %zu created with id %d, address %p\n",
> p->signal_event_count, ev->event_id,
> ev->user_signal_address);
>
* RE: [PATCH] drm/amdkfd: Fix a __user pointer dereference in create_signal_event
2021-10-13 8:06 ` Lazar, Lijo
@ 2021-10-13 8:30 ` Yu, Lang
0 siblings, 0 replies; 3+ messages in thread
From: Yu, Lang @ 2021-10-13 8:30 UTC (permalink / raw)
To: Lazar, Lijo, amd-gfx@lists.freedesktop.org, Kuehling, Felix
Cc: Deucher, Alexander, Huang, Ray

[AMD Official Use Only]

>-----Original Message-----
>From: Lazar, Lijo <Lijo.Lazar@amd.com>
>Sent: Wednesday, October 13, 2021 4:07 PM
>To: Yu, Lang <Lang.Yu@amd.com>; amd-gfx@lists.freedesktop.org; Kuehling,
>Felix <Felix.Kuehling@amd.com>
>Cc: Deucher, Alexander <Alexander.Deucher@amd.com>; Huang, Ray
><Ray.Huang@amd.com>
>Subject: Re: [PATCH] drm/amdkfd: Fix a __user pointer dereference in
>create_signal_event
>
>
>
>On 10/13/2021 1:03 PM, Lang Yu wrote:
>> We should not dereference __user pointers directly.
>> https://yarchive.net/comp/linux/user_pointers.html
>>
>> Fixes: 482f07775cf5
>> ("drm/amdkfd: Simplify event ID and signal slot management")
>>
>> Signed-off-by: Lang Yu <lang.yu@amd.com>
>> ---
>> drivers/gpu/drm/amd/amdkfd/kfd_events.c | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_events.c
>> b/drivers/gpu/drm/amd/amdkfd/kfd_events.c
>> index 3eea4edee355..74d3bdcfe341 100644
>> --- a/drivers/gpu/drm/amd/amdkfd/kfd_events.c
>> +++ b/drivers/gpu/drm/amd/amdkfd/kfd_events.c
>> @@ -201,7 +201,7 @@ static int create_signal_event(struct file
>> *devkfd,
>>
>> p->signal_event_count++;
>>
>> - ev->user_signal_address = &p->signal_page->user_address[ev-
>>event_id];
>
>This is interesting. I thought this wouldn't dereference.
>
>See here -
>
>https://en.cppreference.com/w/c/language/operator_member_access
>
>"If the operand is an array index expression, no action is taken other than the
>array-to-pointer conversion and the addition, so &a[N] is valid for an array of size
>N (obtaining a pointer one past the end is okay, dereferencing it is not, but
>dereference cancels out in this expression)"

Thanks for your clarification about this. I got it.

Regards,
Lang

>Thanks,
>Lijo
>
>
>> + ev->user_signal_address = p->signal_page->user_address +
>> +ev->event_id;
>> pr_debug("Signal event number %zu created with id %d, address %p\n",
>> p->signal_event_count, ev->event_id,
>> ev->user_signal_address);
>>