public inbox for linux-kernel@vger.kernel.org
From: Oded Gabbay <ogabbay@kernel.org>
To: linux-kernel@vger.kernel.org
Cc: Dani Liberman <dliberman@habana.ai>
Subject: [PATCH 5/5] habanalabs: fix NULL pointer dereference
Date: Sun, 10 Oct 2021 11:03:07 +0300
Message-ID: <20211010080307.153420-5-ogabbay@kernel.org>
In-Reply-To: <20211010080307.153420-1-ogabbay@kernel.org>

From: Dani Liberman <dliberman@habana.ai>

When polling fences for multi CS, it is possible that the fence
no longer exists (its corresponding CS completed and the fence was
deleted) but we are still accessing its parameters, causing a NULL
pointer dereference.

Fixed by checking if the fence exists before accessing its parameters.

Signed-off-by: Dani Liberman <dliberman@habana.ai>
Reviewed-by: Oded Gabbay <ogabbay@kernel.org>
Signed-off-by: Oded Gabbay <ogabbay@kernel.org>
---
 drivers/misc/habanalabs/common/command_submission.c | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/drivers/misc/habanalabs/common/command_submission.c b/drivers/misc/habanalabs/common/command_submission.c
index 8e4dc1441fff..a3358cc3c877 100644
--- a/drivers/misc/habanalabs/common/command_submission.c
+++ b/drivers/misc/habanalabs/common/command_submission.c
@@ -2382,7 +2382,15 @@ static int hl_cs_poll_fences(struct multi_cs_data *mcs_data)
 			break;
 		}
 
-		mcs_data->stream_master_qid_map |= fence->stream_master_qid_map;
+		/*
+		 * It is possible to get an old sequence numbers from user
+		 * which related to already completed CSs and their fences
+		 * already gone. In this case, no need to consider its QID for
+		 * mcs completion.
+		 */
+		if (fence)
+			mcs_data->stream_master_qid_map |=
+					fence->stream_master_qid_map;
 
 		/*
 		 * Using mcs_handling_done to avoid possibility of mcs_data
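Review bot: the new `if (fence)` guard only helps if the pointer is guaranteed to be NULL, and not a stale pointer to a released object, whenever the CS has already completed, and nothing in the added comment says where that guarantee comes from. Please name the lookup that returns NULL for a gone fence in the comment, so the next reader can confirm the check covers the "fence was deleted" case from the commit message. The comment wording also needs a pass: "an old sequence numbers" should be "old sequence numbers" and "which related to" should be "that relate to".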
@@ -2390,7 +2398,8 @@ static int hl_cs_poll_fences(struct multi_cs_data *mcs_data)
 		 * all of its mcs handling, to avoid race the next time the
 		 * user waits for mcs.
 		 */
-		if (status == CS_WAIT_STATUS_BUSY || !fence->mcs_handling_done)
+		if (status == CS_WAIT_STATUS_BUSY ||
+				(fence && !fence->mcs_handling_done))
 			continue;
 
 		mcs_data->completion_bitmap |= BIT(i);
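Review bot: with `(fence && !fence->mcs_handling_done)`, an entry whose fence is NULL and whose status is not CS_WAIT_STATUS_BUSY now falls through to `mcs_data->completion_bitmap |= BIT(i);` and is reported as completed without having contributed a QID to stream_master_qid_map. If that is the intended result, the comment above the condition should say so, because it still only describes the mcs_handling_done race and does not mention the NULL case. Since the same pointer is tested twice within a few lines, consider a single `if (!fence)` branch that documents and handles the gone-fence path in one place.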
-- 
2.25.1

