From: "Ghimiray, Himal Prasad" <himal.prasad.ghimiray@intel.com>
To: "Upadhyay, Tejas" <tejas.upadhyay@intel.com>,
"Brost, Matthew" <matthew.brost@intel.com>,
"intel-xe@lists.freedesktop.org" <intel-xe@lists.freedesktop.org>
Cc: "dan.carpenter@linaro.org" <dan.carpenter@linaro.org>
Subject: Re: [PATCH v2] drm/xe: Fix possible UAF in guc_exec_queue_process_msg
Date: Wed, 24 Jul 2024 21:23:00 +0530 [thread overview]
Message-ID: <2b54cffb-002c-4d87-bffc-feaf9ff69fba@intel.com> (raw)
In-Reply-To: <SJ1PR11MB620491E5A7575114CD082E2281AA2@SJ1PR11MB6204.namprd11.prod.outlook.com>
On 24-07-2024 21:12, Upadhyay, Tejas wrote:
>
>
>> -----Original Message-----
>> From: Intel-xe <intel-xe-bounces@lists.freedesktop.org> On Behalf Of
>> Matthew Brost
>> Sent: Wednesday, July 24, 2024 12:49 AM
>> To: intel-xe@lists.freedesktop.org
>> Cc: dan.carpenter@linaro.org
>> Subject: [PATCH v2] drm/xe: Fix possible UAF in
>> guc_exec_queue_process_msg
>>
>> Store xe_device ahead of processing message as message can be free'd in
>> some cases.
>>
>> v2:
>> - Including missing local changes
>>
>> Reported-by: kernel test robot <lkp@intel.com>
>> Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
>> Closes: https://lore.kernel.org/r/202407231445.rpisd1vA-lkp@intel.com/
>> Fixes: d930c19fdff3 ("drm/xe: Build PM into GuC CT layer")
>> Signed-off-by: Matthew Brost <matthew.brost@intel.com>
>> ---
>> drivers/gpu/drm/xe/xe_guc_submit.c | 4 +++-
>> 1 file changed, 3 insertions(+), 1 deletion(-)
>>
>> diff --git a/drivers/gpu/drm/xe/xe_guc_submit.c
>> b/drivers/gpu/drm/xe/xe_guc_submit.c
>> index da2ead86b9ae..b8f938539a90 100644
>> --- a/drivers/gpu/drm/xe/xe_guc_submit.c
>> +++ b/drivers/gpu/drm/xe/xe_guc_submit.c
>> @@ -1395,6 +1395,8 @@ static void
>> __guc_exec_queue_process_msg_resume(struct xe_sched_msg *msg)
>>
>> static void guc_exec_queue_process_msg(struct xe_sched_msg *msg) {
>> + struct xe_device *xe =
>> +guc_to_xe(exec_queue_to_guc(msg->private_data));
>
> If msg freed at this point, don't you need to protect against NULL, just in case?
>
> Thanks,
> Tejas
xe_sched_process_msg_work the caller of the ops ensures the routine is
called only if msg is valid.
Below msg->opcode for eg like CLEANUP can clean it uo.
>> +
>> trace_xe_sched_msg_recv(msg);
>>
>> switch (msg->opcode) {
>> @@ -1414,7 +1416,7 @@ static void guc_exec_queue_process_msg(struct
>> xe_sched_msg *msg)
>> XE_WARN_ON("Unknown message type");
>> }
>>
>> - xe_pm_runtime_put(guc_to_xe(exec_queue_to_guc(msg-
>>> private_data)));
>> + xe_pm_runtime_put(xe);
>> }
>>
>> static const struct drm_sched_backend_ops drm_sched_ops = {
>> --
>> 2.34.1
>
next prev parent reply other threads:[~2024-07-24 15:53 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-07-23 19:19 [PATCH v2] drm/xe: Fix possible UAF in guc_exec_queue_process_msg Matthew Brost
2024-07-23 20:16 ` ✓ CI.Patch_applied: success for drm/xe: Fix possible UAF in guc_exec_queue_process_msg (rev2) Patchwork
2024-07-23 20:16 ` ✗ CI.checkpatch: warning " Patchwork
2024-07-23 20:16 ` ✗ CI.KUnit: failure " Patchwork
2024-07-24 15:42 ` [PATCH v2] drm/xe: Fix possible UAF in guc_exec_queue_process_msg Upadhyay, Tejas
2024-07-24 15:44 ` Matthew Brost
2024-07-25 5:23 ` Upadhyay, Tejas
2024-07-24 15:53 ` Ghimiray, Himal Prasad [this message]
2024-07-24 15:43 ` Ghimiray, Himal Prasad
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2b54cffb-002c-4d87-bffc-feaf9ff69fba@intel.com \
--to=himal.prasad.ghimiray@intel.com \
--cc=dan.carpenter@linaro.org \
--cc=intel-xe@lists.freedesktop.org \
--cc=matthew.brost@intel.com \
--cc=tejas.upadhyay@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox