* [PATCH] drm/amdkfd: Fix potential deallocation of previously deallocated memory.
@ 2023-04-18 6:55 Daniil Dulov
2023-04-18 8:47 ` Andi Shyti
0 siblings, 1 reply; 8+ messages in thread
From: Daniil Dulov @ 2023-04-18 6:55 UTC (permalink / raw)
To: Felix Kuehling
Cc: Daniil Dulov, Alex Deucher, Christian König, David Airlie,
Daniel Vetter, Oak Zeng, amd-gfx, dri-devel, linux-kernel,
lvc-project
Pointer mqd_mem_obj can be deallocated in kfd_gtt_sa_allocate().
The function then returns non-zero value, which causes the second deallocation.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: d1f8f0d17d40 ("drm/amdkfd: Move non-sdma mqd allocation out of init_mqd")
Signed-off-by: Daniil Dulov <d.dulov@aladdin.ru>
---
drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v9.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v9.c b/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v9.c
index 3b6f5963180d..bce11c5b07d6 100644
--- a/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v9.c
+++ b/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v9.c
@@ -119,7 +119,8 @@ static struct kfd_mem_obj *allocate_mqd(struct kfd_dev *kfd,
}
if (retval) {
- kfree(mqd_mem_obj);
+ if (mqd_mem_obj)
+ kfree(mqd_mem_obj);
return NULL;
}
--
2.25.1
^ permalink raw reply related [flat|nested] 8+ messages in thread* Re: [PATCH] drm/amdkfd: Fix potential deallocation of previously deallocated memory. 2023-04-18 6:55 [PATCH] drm/amdkfd: Fix potential deallocation of previously deallocated memory Daniil Dulov @ 2023-04-18 8:47 ` Andi Shyti 2023-04-18 10:07 ` Krzysztof Kozlowski 0 siblings, 1 reply; 8+ messages in thread From: Andi Shyti @ 2023-04-18 8:47 UTC (permalink / raw) To: Daniil Dulov Cc: Felix Kuehling, lvc-project, David Airlie, linux-kernel, amd-gfx, dri-devel, Alex Deucher, Oak Zeng, Christian König Hi Daniil, On Mon, Apr 17, 2023 at 11:55:21PM -0700, Daniil Dulov wrote: > Pointer mqd_mem_obj can be deallocated in kfd_gtt_sa_allocate(). > The function then returns non-zero value, which causes the second deallocation. > > Found by Linux Verification Center (linuxtesting.org) with SVACE. > > Fixes: d1f8f0d17d40 ("drm/amdkfd: Move non-sdma mqd allocation out of init_mqd") > Signed-off-by: Daniil Dulov <d.dulov@aladdin.ru> > --- > drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v9.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v9.c b/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v9.c > index 3b6f5963180d..bce11c5b07d6 100644 > --- a/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v9.c > +++ b/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v9.c > @@ -119,7 +119,8 @@ static struct kfd_mem_obj *allocate_mqd(struct kfd_dev *kfd, > } > > if (retval) { > - kfree(mqd_mem_obj); > + if (mqd_mem_obj) > + kfree(mqd_mem_obj); I think this is not needed. kfree() returns immediately if mqd_mem_obj is NULL. Andi > return NULL; > } > > -- > 2.25.1 ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH] drm/amdkfd: Fix potential deallocation of previously deallocated memory. 2023-04-18 8:47 ` Andi Shyti @ 2023-04-18 10:07 ` Krzysztof Kozlowski 2023-04-18 16:59 ` Andi Shyti 0 siblings, 1 reply; 8+ messages in thread From: Krzysztof Kozlowski @ 2023-04-18 10:07 UTC (permalink / raw) To: Andi Shyti, Daniil Dulov Cc: Felix Kuehling, lvc-project, David Airlie, linux-kernel, amd-gfx, dri-devel, Alex Deucher, Oak Zeng, Christian König On 18/04/2023 10:47, Andi Shyti wrote: > Hi Daniil, > > On Mon, Apr 17, 2023 at 11:55:21PM -0700, Daniil Dulov wrote: >> Pointer mqd_mem_obj can be deallocated in kfd_gtt_sa_allocate(). >> The function then returns non-zero value, which causes the second deallocation. >> >> Found by Linux Verification Center (linuxtesting.org) with SVACE. >> >> Fixes: d1f8f0d17d40 ("drm/amdkfd: Move non-sdma mqd allocation out of init_mqd") >> Signed-off-by: Daniil Dulov <d.dulov@aladdin.ru> >> --- >> drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v9.c | 3 ++- >> 1 file changed, 2 insertions(+), 1 deletion(-) >> >> diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v9.c b/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v9.c >> index 3b6f5963180d..bce11c5b07d6 100644 >> --- a/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v9.c >> +++ b/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v9.c >> @@ -119,7 +119,8 @@ static struct kfd_mem_obj *allocate_mqd(struct kfd_dev *kfd, >> } >> >> if (retval) { >> - kfree(mqd_mem_obj); >> + if (mqd_mem_obj) >> + kfree(mqd_mem_obj); > > I think this is not needed. kfree() returns immediately if > mqd_mem_obj is NULL. > Yep, the tool has to be fixed because such patch is just misleading. However different point - the commit description actually describes entirely different case: double free. Maybe the issue is true, just the fix is wrong? Best regards, Krzysztof ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH] drm/amdkfd: Fix potential deallocation of previously deallocated memory. 2023-04-18 10:07 ` Krzysztof Kozlowski @ 2023-04-18 16:59 ` Andi Shyti 2023-04-18 17:44 ` Andi Shyti 0 siblings, 1 reply; 8+ messages in thread From: Andi Shyti @ 2023-04-18 16:59 UTC (permalink / raw) To: Krzysztof Kozlowski Cc: Andi Shyti, Daniil Dulov, Felix Kuehling, lvc-project, David Airlie, linux-kernel, amd-gfx, dri-devel, Alex Deucher, Oak Zeng, Christian König On Tue, Apr 18, 2023 at 12:07:15PM +0200, Krzysztof Kozlowski wrote: > On 18/04/2023 10:47, Andi Shyti wrote: > > Hi Daniil, > > > > On Mon, Apr 17, 2023 at 11:55:21PM -0700, Daniil Dulov wrote: > >> Pointer mqd_mem_obj can be deallocated in kfd_gtt_sa_allocate(). > >> The function then returns non-zero value, which causes the second deallocation. > >> > >> Found by Linux Verification Center (linuxtesting.org) with SVACE. > >> > >> Fixes: d1f8f0d17d40 ("drm/amdkfd: Move non-sdma mqd allocation out of init_mqd") > >> Signed-off-by: Daniil Dulov <d.dulov@aladdin.ru> > >> --- > >> drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v9.c | 3 ++- > >> 1 file changed, 2 insertions(+), 1 deletion(-) > >> > >> diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v9.c b/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v9.c > >> index 3b6f5963180d..bce11c5b07d6 100644 > >> --- a/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v9.c > >> +++ b/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v9.c > >> @@ -119,7 +119,8 @@ static struct kfd_mem_obj *allocate_mqd(struct kfd_dev *kfd, > >> } > >> > >> if (retval) { > >> - kfree(mqd_mem_obj); > >> + if (mqd_mem_obj) > >> + kfree(mqd_mem_obj); > > > > I think this is not needed. kfree() returns immediately if > > mqd_mem_obj is NULL. > > > > Yep, the tool has to be fixed because such patch is just misleading. > However different point - the commit description actually describes > entirely different case: double free. Maybe the issue is true, just the > fix is wrong? Yes, indeed, the fix is wrong, but the bug exists. I'm pasting the original function: if (kfd->cwsr_enabled && (q->type == KFD_QUEUE_TYPE_COMPUTE)) { mqd_mem_obj = kzalloc(sizeof(struct kfd_mem_obj), GFP_KERNEL); if (!mqd_mem_obj) return NULL; ... } else { retval = kfd_gtt_sa_allocate(kfd, sizeof(struct v9_mqd), &mqd_mem_obj); } if (retval) { kfree(mqd_mem_obj); return NULL; } The "kfd_gtt_sa_allocate()" function allocates mqd_mem_obj and if an error occurs internally frees it, without setting it to NULL; retval is true and we kfree a memory that has already been freed. The real fix is to move the "if (retval)" inside the if. It would basically be: diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v9.c b/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v9.c index fdbfd725841ff..31d47d687bd62 100644 --- a/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v9.c +++ b/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v9.c @@ -115,18 +115,20 @@ static struct kfd_mem_obj *allocate_mqd(struct kfd_dev *kfd, &(mqd_mem_obj->gtt_mem), &(mqd_mem_obj->gpu_addr), (void *)&(mqd_mem_obj->cpu_ptr), true); + + if (retval) { + kfree(mqd_mem_obj); + return NULL; + } + } else { retval = kfd_gtt_sa_allocate(kfd, sizeof(struct v9_mqd), &mqd_mem_obj); - } - - if (retval) { - kfree(mqd_mem_obj); - return NULL; + if (retval) + return NULL; } return mqd_mem_obj; - } Maybe with some clever refactoring we could reduce some code duplication. Daniil will you look into this? Andi ^ permalink raw reply related [flat|nested] 8+ messages in thread
* Re: [PATCH] drm/amdkfd: Fix potential deallocation of previously deallocated memory. 2023-04-18 16:59 ` Andi Shyti @ 2023-04-18 17:44 ` Andi Shyti 2023-04-18 18:12 ` Daniil Dulov 2023-05-11 11:23 ` [PATCH v2] " Daniil Dulov 0 siblings, 2 replies; 8+ messages in thread From: Andi Shyti @ 2023-04-18 17:44 UTC (permalink / raw) To: Andi Shyti Cc: Krzysztof Kozlowski, Daniil Dulov, Felix Kuehling, lvc-project, David Airlie, linux-kernel, amd-gfx, dri-devel, Alex Deucher, Oak Zeng, Christian König > Daniil will you look into this? and, because this is a bug fix, if you do want to send a real fix, plase add to the commit message: Fixes: d1f8f0d17d40 ("drm/amdkfd: Move non-sdma mqd allocation out of init_mqd") Cc: Oak Zeng <oak.zeng@intel.com> Cc: <stable@vger.kernel.org> # v5.3+ Andi PS: please note that Oak's e-mail has changed. ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH] drm/amdkfd: Fix potential deallocation of previously deallocated memory. 2023-04-18 17:44 ` Andi Shyti @ 2023-04-18 18:12 ` Daniil Dulov 2023-05-11 11:23 ` [PATCH v2] " Daniil Dulov 1 sibling, 0 replies; 8+ messages in thread From: Daniil Dulov @ 2023-04-18 18:12 UTC (permalink / raw) To: Andi Shyti Cc: Krzysztof Kozlowski, Felix Kuehling, lvc-project@linuxtesting.org, David Airlie, linux-kernel@vger.kernel.org, amd-gfx@lists.freedesktop.org, dri-devel@lists.freedesktop.org, Alex Deucher, Oak Zeng, Christian König Thank you for your feedback! I will do it as soon as possible. Daniil ________________________________ От: Andi Shyti <andi.shyti@linux.intel.com> Отправлено: вторник, 18 апреля 2023 г., 20:44 Кому: Andi Shyti <andi.shyti@linux.intel.com> Копия: Krzysztof Kozlowski <krzk@kernel.org>; Daniil Dulov <D.Dulov@aladdin.ru>; Felix Kuehling <Felix.Kuehling@amd.com>; lvc-project@linuxtesting.org <lvc-project@linuxtesting.org>; David Airlie <airlied@linux.ie>; linux-kernel@vger.kernel.org <linux-kernel@vger.kernel.org>; amd-gfx@lists.freedesktop.org <amd-gfx@lists.freedesktop.org>; dri-devel@lists.freedesktop.org <dri-devel@lists.freedesktop.org>; Alex Deucher <alexander.deucher@amd.com>; Oak Zeng <oak.zeng@intel.com>; Christian König <christian.koenig@amd.com> Тема: Re: [PATCH] drm/amdkfd: Fix potential deallocation of previously deallocated memory. > Daniil will you look into this? and, because this is a bug fix, if you do want to send a real fix, plase add to the commit message: Fixes: d1f8f0d17d40 ("drm/amdkfd: Move non-sdma mqd allocation out of init_mqd") Cc: Oak Zeng <oak.zeng@intel.com> Cc: <stable@vger.kernel.org> # v5.3+ Andi PS: please note that Oak's e-mail has changed. ^ permalink raw reply [flat|nested] 8+ messages in thread
* [PATCH v2] drm/amdkfd: Fix potential deallocation of previously deallocated memory. 2023-04-18 17:44 ` Andi Shyti 2023-04-18 18:12 ` Daniil Dulov @ 2023-05-11 11:23 ` Daniil Dulov 2023-05-11 21:12 ` Felix Kuehling 1 sibling, 1 reply; 8+ messages in thread From: Daniil Dulov @ 2023-05-11 11:23 UTC (permalink / raw) To: Felix Kuehling Cc: Daniil Dulov, Alex Deucher, Christian König, David Airlie, Daniel Vetter, Oak Zeng, amd-gfx, dri-devel, linux-kernel, # v5 . 3+, lvc-project Pointer mqd_mem_obj can be deallocated in kfd_gtt_sa_allocate(). The function then returns non-zero value, which causes the second deallocation. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: d1f8f0d17d40 ("drm/amdkfd: Move non-sdma mqd allocation out of init_mqd") Signed-off-by: Daniil Dulov <d.dulov@aladdin.ru> --- v2: Move if (retval) inside previous if as Andi Shyti <andi.shyti@linux.intel.com> suggested. drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v9.c | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v9.c b/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v9.c index 3b6f5963180d..dadeb2013fd9 100644 --- a/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v9.c +++ b/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v9.c @@ -113,18 +113,19 @@ static struct kfd_mem_obj *allocate_mqd(struct kfd_dev *kfd, &(mqd_mem_obj->gtt_mem), &(mqd_mem_obj->gpu_addr), (void *)&(mqd_mem_obj->cpu_ptr), true); + + if (retval) { + kfree(mqd_mem_obj); + return NULL; + } } else { retval = kfd_gtt_sa_allocate(kfd, sizeof(struct v9_mqd), &mqd_mem_obj); - } - - if (retval) { - kfree(mqd_mem_obj); - return NULL; + if (retval) + return NULL; } return mqd_mem_obj; - } static void init_mqd(struct mqd_manager *mm, void **mqd, -- 2.25.1 ^ permalink raw reply related [flat|nested] 8+ messages in thread
* Re: [PATCH v2] drm/amdkfd: Fix potential deallocation of previously deallocated memory. 2023-05-11 11:23 ` [PATCH v2] " Daniil Dulov @ 2023-05-11 21:12 ` Felix Kuehling 0 siblings, 0 replies; 8+ messages in thread From: Felix Kuehling @ 2023-05-11 21:12 UTC (permalink / raw) To: Daniil Dulov Cc: Alex Deucher, Christian König, David Airlie, Daniel Vetter, Oak Zeng, amd-gfx, dri-devel, linux-kernel, # v5 . 3+, lvc-project On 2023-05-11 07:23, Daniil Dulov wrote: > Pointer mqd_mem_obj can be deallocated in kfd_gtt_sa_allocate(). > The function then returns non-zero value, which causes the second deallocation. > > Found by Linux Verification Center (linuxtesting.org) with SVACE. > > Fixes: d1f8f0d17d40 ("drm/amdkfd: Move non-sdma mqd allocation out of init_mqd") > Signed-off-by: Daniil Dulov <d.dulov@aladdin.ru> Thanks. I am applying this patch to amd-staging-drm-next. Reviewed-by: Felix Kuehling <Felix.Kuehling@amd.com> > --- > v2: Move if (retval) inside previous if as Andi Shyti <andi.shyti@linux.intel.com> suggested. > drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v9.c | 13 +++++++------ > 1 file changed, 7 insertions(+), 6 deletions(-) > > diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v9.c b/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v9.c > index 3b6f5963180d..dadeb2013fd9 100644 > --- a/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v9.c > +++ b/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v9.c > @@ -113,18 +113,19 @@ static struct kfd_mem_obj *allocate_mqd(struct kfd_dev *kfd, > &(mqd_mem_obj->gtt_mem), > &(mqd_mem_obj->gpu_addr), > (void *)&(mqd_mem_obj->cpu_ptr), true); > + > + if (retval) { > + kfree(mqd_mem_obj); > + return NULL; > + } > } else { > retval = kfd_gtt_sa_allocate(kfd, sizeof(struct v9_mqd), > &mqd_mem_obj); > - } > - > - if (retval) { > - kfree(mqd_mem_obj); > - return NULL; > + if (retval) > + return NULL; > } > > return mqd_mem_obj; > - > } > > static void init_mqd(struct mqd_manager *mm, void **mqd, ^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2023-05-11 21:12 UTC | newest] Thread overview: 8+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2023-04-18 6:55 [PATCH] drm/amdkfd: Fix potential deallocation of previously deallocated memory Daniil Dulov 2023-04-18 8:47 ` Andi Shyti 2023-04-18 10:07 ` Krzysztof Kozlowski 2023-04-18 16:59 ` Andi Shyti 2023-04-18 17:44 ` Andi Shyti 2023-04-18 18:12 ` Daniil Dulov 2023-05-11 11:23 ` [PATCH v2] " Daniil Dulov 2023-05-11 21:12 ` Felix Kuehling
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox