From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Qu Huang <qu.huang@linux.dev>,
Felix Kuehling <Felix.Kuehling@amd.com>,
Alex Deucher <alexander.deucher@amd.com>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 4.19 26/36] drm/amdkfd: Fix an illegal memory access
Date: Mon, 20 Mar 2023 15:54:52 +0100 [thread overview]
Message-ID: <20230320145425.212333945@linuxfoundation.org> (raw)
In-Reply-To: <20230320145424.191578432@linuxfoundation.org>
From: Qu Huang <qu.huang@linux.dev>
[ Upstream commit 4fc8fff378b2f2039f2a666d9f8c570f4e58352c ]
In the kfd_wait_on_events() function, the kfd_event_waiter structure is
allocated by alloc_event_waiters(), but the event field of the waiter
structure is not initialized; When copy_from_user() fails in the
kfd_wait_on_events() function, it will enter exception handling to
release the previously allocated memory of the waiter structure;
Due to the event field of the waiters structure being accessed
in the free_waiters() function, this results in illegal memory access
and system crash, here is the crash log:
localhost kernel: RIP: 0010:native_queued_spin_lock_slowpath+0x185/0x1e0
localhost kernel: RSP: 0018:ffffaa53c362bd60 EFLAGS: 00010082
localhost kernel: RAX: ff3d3d6bff4007cb RBX: 0000000000000282 RCX: 00000000002c0000
localhost kernel: RDX: ffff9e855eeacb80 RSI: 000000000000279c RDI: ffffe7088f6a21d0
localhost kernel: RBP: ffffe7088f6a21d0 R08: 00000000002c0000 R09: ffffaa53c362be64
localhost kernel: R10: ffffaa53c362bbd8 R11: 0000000000000001 R12: 0000000000000002
localhost kernel: R13: ffff9e7ead15d600 R14: 0000000000000000 R15: ffff9e7ead15d698
localhost kernel: FS: 0000152a3d111700(0000) GS:ffff9e855ee80000(0000) knlGS:0000000000000000
localhost kernel: CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
localhost kernel: CR2: 0000152938000010 CR3: 000000044d7a4000 CR4: 00000000003506e0
localhost kernel: Call Trace:
localhost kernel: _raw_spin_lock_irqsave+0x30/0x40
localhost kernel: remove_wait_queue+0x12/0x50
localhost kernel: kfd_wait_on_events+0x1b6/0x490 [hydcu]
localhost kernel: ? ftrace_graph_caller+0xa0/0xa0
localhost kernel: kfd_ioctl+0x38c/0x4a0 [hydcu]
localhost kernel: ? kfd_ioctl_set_trap_handler+0x70/0x70 [hydcu]
localhost kernel: ? kfd_ioctl_create_queue+0x5a0/0x5a0 [hydcu]
localhost kernel: ? ftrace_graph_caller+0xa0/0xa0
localhost kernel: __x64_sys_ioctl+0x8e/0xd0
localhost kernel: ? syscall_trace_enter.isra.18+0x143/0x1b0
localhost kernel: do_syscall_64+0x33/0x80
localhost kernel: entry_SYSCALL_64_after_hwframe+0x44/0xa9
localhost kernel: RIP: 0033:0x152a4dff68d7
Allocate the structure with kcalloc, and remove redundant 0-initialization
and a redundant loop condition check.
Signed-off-by: Qu Huang <qu.huang@linux.dev>
Signed-off-by: Felix Kuehling <Felix.Kuehling@amd.com>
Reviewed-by: Felix Kuehling <Felix.Kuehling@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/amdkfd/kfd_events.c | 9 +++------
1 file changed, 3 insertions(+), 6 deletions(-)
diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_events.c b/drivers/gpu/drm/amd/amdkfd/kfd_events.c
index 892077377339a..8f23192b67095 100644
--- a/drivers/gpu/drm/amd/amdkfd/kfd_events.c
+++ b/drivers/gpu/drm/amd/amdkfd/kfd_events.c
@@ -529,16 +529,13 @@ static struct kfd_event_waiter *alloc_event_waiters(uint32_t num_events)
struct kfd_event_waiter *event_waiters;
uint32_t i;
- event_waiters = kmalloc_array(num_events,
- sizeof(struct kfd_event_waiter),
- GFP_KERNEL);
+ event_waiters = kcalloc(num_events, sizeof(struct kfd_event_waiter),
+ GFP_KERNEL);
if (!event_waiters)
return NULL;
- for (i = 0; (event_waiters) && (i < num_events) ; i++) {
+ for (i = 0; i < num_events; i++)
init_wait(&event_waiters[i].wait);
- event_waiters[i].activated = false;
- }
return event_waiters;
}
--
2.39.2
next prev parent reply other threads:[~2023-03-20 14:59 UTC|newest]
Thread overview: 42+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-03-20 14:54 [PATCH 4.19 00/36] 4.19.279-rc1 review Greg Kroah-Hartman
2023-03-20 14:54 ` [PATCH 4.19 01/36] ext4: fix cgroup writeback accounting with fs-layer encryption Greg Kroah-Hartman
2023-03-20 14:54 ` [PATCH 4.19 02/36] fs: sysfs_emit_at: Remove PAGE_SIZE alignment check Greg Kroah-Hartman
2023-03-20 14:54 ` [PATCH 4.19 03/36] clk: HI655X: select REGMAP instead of depending on it Greg Kroah-Hartman
2023-03-20 14:54 ` [PATCH 4.19 04/36] tcp: tcp_make_synack() can be called from process context Greg Kroah-Hartman
2023-03-20 14:54 ` [PATCH 4.19 05/36] nfc: pn533: initialize struct pn533_out_arg properly Greg Kroah-Hartman
2023-03-20 14:54 ` [PATCH 4.19 06/36] qed/qed_dev: guard against a possible division by zero Greg Kroah-Hartman
2023-03-20 14:54 ` [PATCH 4.19 07/36] net: tunnels: annotate lockless accesses to dev->needed_headroom Greg Kroah-Hartman
2023-03-20 14:54 ` [PATCH 4.19 08/36] net: phy: smsc: bail out in lan87xx_read_status if genphy_read_status fails Greg Kroah-Hartman
2023-03-20 14:54 ` [PATCH 4.19 09/36] nfc: st-nci: Fix use after free bug in ndlc_remove due to race condition Greg Kroah-Hartman
2023-03-20 14:54 ` [PATCH 4.19 10/36] net: usb: smsc75xx: Limit packet length to skb->len Greg Kroah-Hartman
2023-03-20 14:54 ` [PATCH 4.19 11/36] nvmet: avoid potential UAF in nvmet_req_complete() Greg Kroah-Hartman
2023-03-20 14:54 ` [PATCH 4.19 12/36] block: sunvdc: add check for mdesc_grab() returning NULL Greg Kroah-Hartman
2023-03-20 14:54 ` [PATCH 4.19 13/36] ipv4: Fix incorrect table ID in IOCTL path Greg Kroah-Hartman
2023-03-20 14:54 ` [PATCH 4.19 14/36] net: usb: smsc75xx: Move packet length check to prevent kernel panic in skb_pull Greg Kroah-Hartman
2023-03-20 14:54 ` [PATCH 4.19 15/36] net/iucv: Fix size of interrupt data Greg Kroah-Hartman
2023-03-20 14:54 ` [PATCH 4.19 16/36] ethernet: sun: add check for the mdesc_grab() Greg Kroah-Hartman
2023-03-20 14:54 ` [PATCH 4.19 17/36] hwmon: (adt7475) Display smoothing attributes in correct order Greg Kroah-Hartman
2023-03-20 14:54 ` [PATCH 4.19 18/36] hwmon: (adt7475) Fix masking of hysteresis registers Greg Kroah-Hartman
2023-03-20 14:54 ` [PATCH 4.19 19/36] hwmon: (xgene) Fix use after free bug in xgene_hwmon_remove due to race condition Greg Kroah-Hartman
2023-03-20 14:54 ` [PATCH 4.19 20/36] media: m5mols: fix off-by-one loop termination error Greg Kroah-Hartman
2023-03-20 14:54 ` [PATCH 4.19 21/36] mmc: atmel-mci: fix race between stop command and start of next command Greg Kroah-Hartman
2023-03-20 14:54 ` [PATCH 4.19 22/36] jffs2: correct logic when creating a hole in jffs2_write_begin Greg Kroah-Hartman
2023-03-20 14:54 ` [PATCH 4.19 23/36] rust: arch/um: Disable FP/SIMD instruction to match x86 Greg Kroah-Hartman
2023-03-20 14:54 ` [PATCH 4.19 24/36] ext4: fail ext4_iget if special inode unallocated Greg Kroah-Hartman
2023-03-20 14:54 ` [PATCH 4.19 25/36] ext4: fix task hung in ext4_xattr_delete_inode Greg Kroah-Hartman
2023-03-20 14:54 ` Greg Kroah-Hartman [this message]
2023-03-20 14:54 ` [PATCH 4.19 27/36] sh: intc: Avoid spurious sizeof-pointer-div warning Greg Kroah-Hartman
2023-03-20 14:54 ` [PATCH 4.19 28/36] tracing: Check field value in hist_field_name() Greg Kroah-Hartman
2023-03-20 14:54 ` [PATCH 4.19 29/36] tracing: Make tracepoint lockdep check actually test something Greg Kroah-Hartman
2023-03-20 14:54 ` [PATCH 4.19 30/36] ftrace: Fix invalid address access in lookup_rec() when index is 0 Greg Kroah-Hartman
2023-03-20 14:54 ` [PATCH 4.19 31/36] fbdev: stifb: Provide valid pixelclock and add fb_check_var() checks Greg Kroah-Hartman
2023-03-20 14:54 ` [PATCH 4.19 32/36] x86/mm: Fix use of uninitialized buffer in sme_enable() Greg Kroah-Hartman
2023-03-20 14:54 ` [PATCH 4.19 33/36] drm/i915: Dont use stolen memory for ring buffers with LLC Greg Kroah-Hartman
2023-03-20 14:55 ` [PATCH 4.19 34/36] serial: 8250_em: Fix UART port type Greg Kroah-Hartman
2023-03-20 14:55 ` [PATCH 4.19 35/36] HID: core: Provide new max_buffer_size attribute to over-ride the default Greg Kroah-Hartman
2023-03-20 14:55 ` [PATCH 4.19 36/36] HID: uhid: Over-ride the default maximum data buffer value with our own Greg Kroah-Hartman
2023-03-20 17:19 ` [PATCH 4.19 00/36] 4.19.279-rc1 review Chris Paterson
2023-03-20 23:15 ` Shuah Khan
2023-03-21 7:31 ` Naresh Kamboju
2023-03-21 11:53 ` Jon Hunter
2023-03-21 23:13 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230320145425.212333945@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=Felix.Kuehling@amd.com \
--cc=alexander.deucher@amd.com \
--cc=patches@lists.linux.dev \
--cc=qu.huang@linux.dev \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).