From: Felix Kuehling <felix.kuehling@amd.com>
To: Dan Carpenter <dan.carpenter@oracle.com>,
Ramesh Errabolu <Ramesh.Errabolu@amd.com>
Cc: "David Airlie" <airlied@linux.ie>,
"Pan, Xinhui" <Xinhui.Pan@amd.com>,
kernel-janitors@vger.kernel.org, amd-gfx@lists.freedesktop.org,
"Daniel Vetter" <daniel@ffwll.ch>,
"Alex Deucher" <alexander.deucher@amd.com>,
"Christian König" <christian.koenig@amd.com>
Subject: Re: [PATCH] drm/amdkfd: potential crash in kfd_create_indirect_link_prop()
Date: Fri, 12 Aug 2022 17:10:51 -0400 [thread overview]
Message-ID: <8fe840db-ccba-0dae-23fe-d08db0b35167@amd.com> (raw)
In-Reply-To: <YvXxSkLaaSMLU8fT@kili>
On 2022-08-12 02:20, Dan Carpenter wrote:
> This code has two bugs. If kfd_topology_device_by_proximity_domain()
> failed on the first iteration through the loop then "cpu_link" is
> uninitialized and should not be dereferenced.
>
> The second bug is that we cannot dereference a list iterator when it
> points to the list head. In other words, if we exit the
> list_for_each_entry() loop exits without hitting a break then "cpu_link"
> is not a valid pointer and should not be dereferenced.
>
> Fix both of these problems by setting "cpu_link" to NULL when it is invalid
> and non-NULL when it is valid. That makes it easier to test for
> valid vs invalid.
>
> Fixes: 0f28cca87e9a ("drm/amdkfd: Extend KFD device topology to surface peer-to-peer links")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> ---
> I reported these in June but never heard back.
I thought Ramesh implemented a fix for this:
https://lore.kernel.org/all/20220706183302.1719795-1-Ramesh.Errabolu@amd.com/
You commented on a version of his patch:
https://lore.kernel.org/all/20220629161241.GM11460@kadam/
Did this get lost somehow? Anyway, your patch looks good to me and I'm
going to apply it to amd-staging-drm-next now.
Reviewed-by: Felix Kuehling <Felix.Kuehling@amd.com>
Thanks,
Felix
>
> drivers/gpu/drm/amd/amdkfd/kfd_topology.c | 11 +++++++----
> 1 file changed, 7 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_topology.c b/drivers/gpu/drm/amd/amdkfd/kfd_topology.c
> index 25990bec600d..3f0a4a415907 100644
> --- a/drivers/gpu/drm/amd/amdkfd/kfd_topology.c
> +++ b/drivers/gpu/drm/amd/amdkfd/kfd_topology.c
> @@ -1392,8 +1392,8 @@ static int kfd_build_p2p_node_entry(struct kfd_topology_device *dev,
>
> static int kfd_create_indirect_link_prop(struct kfd_topology_device *kdev, int gpu_node)
> {
> + struct kfd_iolink_properties *gpu_link, *tmp_link, *cpu_link;
> struct kfd_iolink_properties *props = NULL, *props2 = NULL;
> - struct kfd_iolink_properties *gpu_link, *cpu_link;
> struct kfd_topology_device *cpu_dev;
> int ret = 0;
> int i, num_cpu;
> @@ -1416,16 +1416,19 @@ static int kfd_create_indirect_link_prop(struct kfd_topology_device *kdev, int g
> continue;
>
> /* find CPU <--> CPU links */
> + cpu_link = NULL;
> cpu_dev = kfd_topology_device_by_proximity_domain(i);
> if (cpu_dev) {
> - list_for_each_entry(cpu_link,
> + list_for_each_entry(tmp_link,
> &cpu_dev->io_link_props, list) {
> - if (cpu_link->node_to == gpu_link->node_to)
> + if (tmp_link->node_to == gpu_link->node_to) {
> + cpu_link = tmp_link;
> break;
> + }
> }
> }
>
> - if (cpu_link->node_to != gpu_link->node_to)
> + if (!cpu_link)
> return -ENOMEM;
>
> /* CPU <--> CPU <--> GPU, GPU node*/
WARNING: multiple messages have this Message-ID (diff)
From: Felix Kuehling <felix.kuehling@amd.com>
To: Dan Carpenter <dan.carpenter@oracle.com>,
Ramesh Errabolu <Ramesh.Errabolu@amd.com>
Cc: "Alex Deucher" <alexander.deucher@amd.com>,
"Christian König" <christian.koenig@amd.com>,
"Pan, Xinhui" <Xinhui.Pan@amd.com>,
"David Airlie" <airlied@linux.ie>,
"Daniel Vetter" <daniel@ffwll.ch>,
amd-gfx@lists.freedesktop.org, kernel-janitors@vger.kernel.org
Subject: Re: [PATCH] drm/amdkfd: potential crash in kfd_create_indirect_link_prop()
Date: Fri, 12 Aug 2022 17:10:51 -0400 [thread overview]
Message-ID: <8fe840db-ccba-0dae-23fe-d08db0b35167@amd.com> (raw)
In-Reply-To: <YvXxSkLaaSMLU8fT@kili>
On 2022-08-12 02:20, Dan Carpenter wrote:
> This code has two bugs. If kfd_topology_device_by_proximity_domain()
> failed on the first iteration through the loop then "cpu_link" is
> uninitialized and should not be dereferenced.
>
> The second bug is that we cannot dereference a list iterator when it
> points to the list head. In other words, if we exit the
> list_for_each_entry() loop exits without hitting a break then "cpu_link"
> is not a valid pointer and should not be dereferenced.
>
> Fix both of these problems by setting "cpu_link" to NULL when it is invalid
> and non-NULL when it is valid. That makes it easier to test for
> valid vs invalid.
>
> Fixes: 0f28cca87e9a ("drm/amdkfd: Extend KFD device topology to surface peer-to-peer links")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> ---
> I reported these in June but never heard back.
I thought Ramesh implemented a fix for this:
https://lore.kernel.org/all/20220706183302.1719795-1-Ramesh.Errabolu@amd.com/
You commented on a version of his patch:
https://lore.kernel.org/all/20220629161241.GM11460@kadam/
Did this get lost somehow? Anyway, your patch looks good to me and I'm
going to apply it to amd-staging-drm-next now.
Reviewed-by: Felix Kuehling <Felix.Kuehling@amd.com>
Thanks,
Felix
>
> drivers/gpu/drm/amd/amdkfd/kfd_topology.c | 11 +++++++----
> 1 file changed, 7 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_topology.c b/drivers/gpu/drm/amd/amdkfd/kfd_topology.c
> index 25990bec600d..3f0a4a415907 100644
> --- a/drivers/gpu/drm/amd/amdkfd/kfd_topology.c
> +++ b/drivers/gpu/drm/amd/amdkfd/kfd_topology.c
> @@ -1392,8 +1392,8 @@ static int kfd_build_p2p_node_entry(struct kfd_topology_device *dev,
>
> static int kfd_create_indirect_link_prop(struct kfd_topology_device *kdev, int gpu_node)
> {
> + struct kfd_iolink_properties *gpu_link, *tmp_link, *cpu_link;
> struct kfd_iolink_properties *props = NULL, *props2 = NULL;
> - struct kfd_iolink_properties *gpu_link, *cpu_link;
> struct kfd_topology_device *cpu_dev;
> int ret = 0;
> int i, num_cpu;
> @@ -1416,16 +1416,19 @@ static int kfd_create_indirect_link_prop(struct kfd_topology_device *kdev, int g
> continue;
>
> /* find CPU <--> CPU links */
> + cpu_link = NULL;
> cpu_dev = kfd_topology_device_by_proximity_domain(i);
> if (cpu_dev) {
> - list_for_each_entry(cpu_link,
> + list_for_each_entry(tmp_link,
> &cpu_dev->io_link_props, list) {
> - if (cpu_link->node_to == gpu_link->node_to)
> + if (tmp_link->node_to == gpu_link->node_to) {
> + cpu_link = tmp_link;
> break;
> + }
> }
> }
>
> - if (cpu_link->node_to != gpu_link->node_to)
> + if (!cpu_link)
> return -ENOMEM;
>
> /* CPU <--> CPU <--> GPU, GPU node*/
next prev parent reply other threads:[~2022-08-12 21:18 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-08-12 6:20 [PATCH] drm/amdkfd: potential crash in kfd_create_indirect_link_prop() Dan Carpenter
2022-08-12 6:20 ` Dan Carpenter
2022-08-12 21:10 ` Felix Kuehling [this message]
2022-08-12 21:10 ` Felix Kuehling
2022-08-15 11:23 ` Dan Carpenter
2022-08-15 11:23 ` Dan Carpenter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=8fe840db-ccba-0dae-23fe-d08db0b35167@amd.com \
--to=felix.kuehling@amd.com \
--cc=Ramesh.Errabolu@amd.com \
--cc=Xinhui.Pan@amd.com \
--cc=airlied@linux.ie \
--cc=alexander.deucher@amd.com \
--cc=amd-gfx@lists.freedesktop.org \
--cc=christian.koenig@amd.com \
--cc=dan.carpenter@oracle.com \
--cc=daniel@ffwll.ch \
--cc=kernel-janitors@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.