From: Matthew Brost <matthew.brost@intel.com>
To: "Upadhyay, Tejas" <tejas.upadhyay@intel.com>
Cc: "intel-xe@lists.freedesktop.org" <intel-xe@lists.freedesktop.org>,
"dan.carpenter@linaro.org" <dan.carpenter@linaro.org>
Subject: Re: [PATCH v2] drm/xe: Fix possible UAF in guc_exec_queue_process_msg
Date: Wed, 24 Jul 2024 15:44:04 +0000 [thread overview]
Message-ID: <ZqEhRPvmgg2VgEaB@DUT025-TGLU.fm.intel.com> (raw)
In-Reply-To: <SJ1PR11MB620491E5A7575114CD082E2281AA2@SJ1PR11MB6204.namprd11.prod.outlook.com>
On Wed, Jul 24, 2024 at 09:42:11AM -0600, Upadhyay, Tejas wrote:
>
>
> > -----Original Message-----
> > From: Intel-xe <intel-xe-bounces@lists.freedesktop.org> On Behalf Of
> > Matthew Brost
> > Sent: Wednesday, July 24, 2024 12:49 AM
> > To: intel-xe@lists.freedesktop.org
> > Cc: dan.carpenter@linaro.org
> > Subject: [PATCH v2] drm/xe: Fix possible UAF in
> > guc_exec_queue_process_msg
> >
> > Store xe_device ahead of processing message as message can be free'd in
> > some cases.
> >
> > v2:
> > - Including missing local changes
> >
> > Reported-by: kernel test robot <lkp@intel.com>
> > Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
> > Closes: https://lore.kernel.org/r/202407231445.rpisd1vA-lkp@intel.com/
> > Fixes: d930c19fdff3 ("drm/xe: Build PM into GuC CT layer")
> > Signed-off-by: Matthew Brost <matthew.brost@intel.com>
> > ---
> > drivers/gpu/drm/xe/xe_guc_submit.c | 4 +++-
> > 1 file changed, 3 insertions(+), 1 deletion(-)
> >
> > diff --git a/drivers/gpu/drm/xe/xe_guc_submit.c
> > b/drivers/gpu/drm/xe/xe_guc_submit.c
> > index da2ead86b9ae..b8f938539a90 100644
> > --- a/drivers/gpu/drm/xe/xe_guc_submit.c
> > +++ b/drivers/gpu/drm/xe/xe_guc_submit.c
> > @@ -1395,6 +1395,8 @@ static void
> > __guc_exec_queue_process_msg_resume(struct xe_sched_msg *msg)
> >
> > static void guc_exec_queue_process_msg(struct xe_sched_msg *msg) {
> > + struct xe_device *xe =
> > +guc_to_xe(exec_queue_to_guc(msg->private_data));
>
> If msg is freed at this point, don't you need to protect against NULL, just in case?
>
The msg is valid here; it can be freed in the switch statement below,
hence the bug in referencing it after the switch statement.
Matt
> Thanks,
> Tejas
> > +
> > trace_xe_sched_msg_recv(msg);
> >
> > switch (msg->opcode) {
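Review bot: the new local on the `+ struct xe_device *xe = guc_to_xe(exec_queue_to_guc(msg->private_data));` lines carries no comment saying why the device pointer is resolved up front, and the "protect against NULL" question earlier in this thread shows the intent is not obvious from the code alone; a one-line comment above the declaration such as `/* msg may be freed in the switch below, so resolve xe first */` would record the invariant that nothing dereferences msg after the switch. The dereference at this point is fine, since msg is still live until the switch runs.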
> > @@ -1414,7 +1416,7 @@ static void guc_exec_queue_process_msg(struct
> > xe_sched_msg *msg)
> > XE_WARN_ON("Unknown message type");
> > }
> >
> > - xe_pm_runtime_put(guc_to_xe(exec_queue_to_guc(msg-
> > >private_data)));
> > + xe_pm_runtime_put(xe);
> > }
> >
> > static const struct drm_sched_backend_ops drm_sched_ops = {
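Review bot: `+ xe_pm_runtime_put(xe);` after the switch now uses the pre-resolved pointer and so no longer reads `msg->private_data` out of possibly freed memory, but the matching `xe_pm_runtime_get` that this put balances is not in the hunk and the commit message says only that the message "can be free'd in some cases"; naming the opcode path that frees msg, and where the get is taken, either in the commit text or in a comment above the put, would let the pairing be reviewed without opening the file. Note that the `XE_WARN_ON("Unknown message type")` default path also falls through to this put, so the early resolution has to cover unknown opcodes as well, which it does.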
> > --
> > 2.34.1
>
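The ordering bug the commit message describes, reduced to a small stand-alone C program. This is an added example, not code from the patch or from the xe driver: `struct dev`, `struct msg`, `pm_get`/`pm_put`, `msg_alloc`/`msg_free` and the opcode names are constructed stand-ins for the device, the scheduler message, the runtime-PM reference and the message allocator. The "free" poisons a static slot rather than calling free(), so the read-after-free in the pre-fix ordering is observable in the test instead of being undefined behaviour.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the driver objects discussed in the patch;
 * these are not the xe driver's own types. */
struct dev {
    int pm_refcount;            /* stands in for the runtime-PM reference count */
};

struct msg {
    int opcode;
    struct dev *dev;            /* stands in for msg->private_data -> guc -> xe */
};

enum { OP_NOOP = 0, OP_CLEANUP = 1 };

/* A static slot plays the role of the allocator: "freeing" poisons the slot
 * the way a debugging allocator would, so a later read yields NULL instead
 * of undefined behaviour. */
static struct msg msg_slot;

static struct msg *msg_alloc(int opcode, struct dev *dev)
{
    msg_slot.opcode = opcode;
    msg_slot.dev = dev;
    return &msg_slot;
}

static void msg_free(struct msg *m)
{
    memset(m, 0, sizeof(*m));   /* poison: m->dev becomes NULL */
}

static void pm_get(struct dev *d)
{
    d->pm_refcount++;
}

/* Returns 0 on success, -1 when handed a bogus device (the put is lost). */
static int pm_put(struct dev *d)
{
    if (!d)
        return -1;
    d->pm_refcount--;
    return 0;
}

/* Ordering before the fix: the device is looked up through msg after the
 * switch, but the OP_CLEANUP case has already freed msg inside the switch. */
static int process_msg_before(struct msg *m)
{
    switch (m->opcode) {
    case OP_CLEANUP:
        msg_free(m);
        break;
    default:
        break;
    }
    return pm_put(m->dev);      /* reads freed (here: poisoned) memory */
}

/* Ordering as in the fix: resolve the device first, then never touch msg
 * after the switch. */
static int process_msg_after(struct msg *m)
{
    struct dev *dev = m->dev;   /* resolved while msg is still live */

    switch (m->opcode) {
    case OP_CLEANUP:
        msg_free(m);
        break;
    default:
        break;
    }
    return pm_put(dev);
}

/* Sends one message through the chosen variant and reports the PM refcount
 * left over: 0 means the put balanced the sender's get, -1 means the put
 * was lost because the device pointer came from freed memory. */
static int run_scenario(int (*process)(struct msg *), int opcode)
{
    struct dev d = { 0 };
    struct msg *m = msg_alloc(opcode, &d);

    pm_get(&d);                 /* the sender holds one reference per message */
    if (process(m) < 0)
        return -1;
    return d.pm_refcount;
}

int main(void)
{
    printf("before fix, cleanup: %d\n", run_scenario(process_msg_before, OP_CLEANUP));
    printf("after fix, cleanup:  %d\n", run_scenario(process_msg_after, OP_CLEANUP));
    return 0;
}
```

With a real allocator the pre-fix read would be a genuine use-after-free that KASAN or a slab poison pattern catches; here it surfaces as a lost runtime-PM put, which is the same imbalance a leaked reference would cause in the driver.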
Thread overview: 9+ messages
2024-07-23 19:19 [PATCH v2] drm/xe: Fix possible UAF in guc_exec_queue_process_msg Matthew Brost
2024-07-23 20:16 ` ✓ CI.Patch_applied: success for drm/xe: Fix possible UAF in guc_exec_queue_process_msg (rev2) Patchwork
2024-07-23 20:16 ` ✗ CI.checkpatch: warning " Patchwork
2024-07-23 20:16 ` ✗ CI.KUnit: failure " Patchwork
2024-07-24 15:42 ` [PATCH v2] drm/xe: Fix possible UAF in guc_exec_queue_process_msg Upadhyay, Tejas
2024-07-24 15:44 ` Matthew Brost [this message]
2024-07-25 5:23 ` Upadhyay, Tejas
2024-07-24 15:53 ` Ghimiray, Himal Prasad
2024-07-24 15:43 ` Ghimiray, Himal Prasad