* [PATCH] drm/amdkfd: Fix potential deallocation of previously deallocated memory.
@ 2023-04-18 6:55 Daniil Dulov
2023-04-18 8:47 ` Andi Shyti
0 siblings, 1 reply; 8+ messages in thread
From: Daniil Dulov @ 2023-04-18 6:55 UTC (permalink / raw)
To: Felix Kuehling
Cc: Daniil Dulov, Alex Deucher, Christian König, David Airlie,
Daniel Vetter, Oak Zeng, amd-gfx, dri-devel, linux-kernel,
lvc-project
Pointer mqd_mem_obj can be deallocated in kfd_gtt_sa_allocate().
The function then returns non-zero value, which causes the second deallocation.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: d1f8f0d17d40 ("drm/amdkfd: Move non-sdma mqd allocation out of init_mqd")
Signed-off-by: Daniil Dulov <d.dulov@aladdin.ru>
---
drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v9.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v9.c b/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v9.c
index 3b6f5963180d..bce11c5b07d6 100644
--- a/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v9.c
+++ b/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v9.c
@@ -119,7 +119,8 @@ static struct kfd_mem_obj *allocate_mqd(struct kfd_dev *kfd,
}
if (retval) {
- kfree(mqd_mem_obj);
+ if (mqd_mem_obj)
+ kfree(mqd_mem_obj);
return NULL;
}
--
2.25.1
^ permalink raw reply related [flat|nested] 8+ messages in thread
* Re: [PATCH] drm/amdkfd: Fix potential deallocation of previously deallocated memory.
2023-04-18 6:55 [PATCH] drm/amdkfd: Fix potential deallocation of previously deallocated memory Daniil Dulov
@ 2023-04-18 8:47 ` Andi Shyti
2023-04-18 10:07 ` Krzysztof Kozlowski
0 siblings, 1 reply; 8+ messages in thread
From: Andi Shyti @ 2023-04-18 8:47 UTC (permalink / raw)
To: Daniil Dulov
Cc: Felix Kuehling, lvc-project, David Airlie, linux-kernel, amd-gfx,
dri-devel, Alex Deucher, Oak Zeng, Christian König
Hi Daniil,
On Mon, Apr 17, 2023 at 11:55:21PM -0700, Daniil Dulov wrote:
> Pointer mqd_mem_obj can be deallocated in kfd_gtt_sa_allocate().
> The function then returns non-zero value, which causes the second deallocation.
>
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>
> Fixes: d1f8f0d17d40 ("drm/amdkfd: Move non-sdma mqd allocation out of init_mqd")
> Signed-off-by: Daniil Dulov <d.dulov@aladdin.ru>
> ---
> drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v9.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v9.c b/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v9.c
> index 3b6f5963180d..bce11c5b07d6 100644
> --- a/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v9.c
> +++ b/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v9.c
> @@ -119,7 +119,8 @@ static struct kfd_mem_obj *allocate_mqd(struct kfd_dev *kfd,
> }
>
> if (retval) {
> - kfree(mqd_mem_obj);
> + if (mqd_mem_obj)
> + kfree(mqd_mem_obj);
I think this is not needed. kfree() returns immediately if
mqd_mem_obj is NULL.
Andi
> return NULL;
> }
>
> --
> 2.25.1
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH] drm/amdkfd: Fix potential deallocation of previously deallocated memory.
2023-04-18 8:47 ` Andi Shyti
@ 2023-04-18 10:07 ` Krzysztof Kozlowski
2023-04-18 16:59 ` Andi Shyti
0 siblings, 1 reply; 8+ messages in thread
From: Krzysztof Kozlowski @ 2023-04-18 10:07 UTC (permalink / raw)
To: Andi Shyti, Daniil Dulov
Cc: Felix Kuehling, lvc-project, David Airlie, linux-kernel, amd-gfx,
dri-devel, Alex Deucher, Oak Zeng, Christian König
On 18/04/2023 10:47, Andi Shyti wrote:
> Hi Daniil,
>
> On Mon, Apr 17, 2023 at 11:55:21PM -0700, Daniil Dulov wrote:
>> Pointer mqd_mem_obj can be deallocated in kfd_gtt_sa_allocate().
>> The function then returns non-zero value, which causes the second deallocation.
>>
>> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>>
>> Fixes: d1f8f0d17d40 ("drm/amdkfd: Move non-sdma mqd allocation out of init_mqd")
>> Signed-off-by: Daniil Dulov <d.dulov@aladdin.ru>
>> ---
>> drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v9.c | 3 ++-
>> 1 file changed, 2 insertions(+), 1 deletion(-)
>>
>> diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v9.c b/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v9.c
>> index 3b6f5963180d..bce11c5b07d6 100644
>> --- a/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v9.c
>> +++ b/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v9.c
>> @@ -119,7 +119,8 @@ static struct kfd_mem_obj *allocate_mqd(struct kfd_dev *kfd,
>> }
>>
>> if (retval) {
>> - kfree(mqd_mem_obj);
>> + if (mqd_mem_obj)
>> + kfree(mqd_mem_obj);
>
> I think this is not needed. kfree() returns immediately if
> mqd_mem_obj is NULL.
>
Yep, the tool has to be fixed because such patch is just misleading.
However different point - the commit description actually describes
entirely different case: double free. Maybe the issue is true, just the
fix is wrong?
Best regards,
Krzysztof
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH] drm/amdkfd: Fix potential deallocation of previously deallocated memory.
2023-04-18 10:07 ` Krzysztof Kozlowski
@ 2023-04-18 16:59 ` Andi Shyti
2023-04-18 17:44 ` Andi Shyti
0 siblings, 1 reply; 8+ messages in thread
From: Andi Shyti @ 2023-04-18 16:59 UTC (permalink / raw)
To: Krzysztof Kozlowski
Cc: Andi Shyti, Daniil Dulov, Felix Kuehling, lvc-project,
David Airlie, linux-kernel, amd-gfx, dri-devel, Alex Deucher,
Oak Zeng, Christian König
On Tue, Apr 18, 2023 at 12:07:15PM +0200, Krzysztof Kozlowski wrote:
> On 18/04/2023 10:47, Andi Shyti wrote:
> > Hi Daniil,
> >
> > On Mon, Apr 17, 2023 at 11:55:21PM -0700, Daniil Dulov wrote:
> >> Pointer mqd_mem_obj can be deallocated in kfd_gtt_sa_allocate().
> >> The function then returns non-zero value, which causes the second deallocation.
> >>
> >> Found by Linux Verification Center (linuxtesting.org) with SVACE.
> >>
> >> Fixes: d1f8f0d17d40 ("drm/amdkfd: Move non-sdma mqd allocation out of init_mqd")
> >> Signed-off-by: Daniil Dulov <d.dulov@aladdin.ru>
> >> ---
> >> drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v9.c | 3 ++-
> >> 1 file changed, 2 insertions(+), 1 deletion(-)
> >>
> >> diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v9.c b/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v9.c
> >> index 3b6f5963180d..bce11c5b07d6 100644
> >> --- a/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v9.c
> >> +++ b/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v9.c
> >> @@ -119,7 +119,8 @@ static struct kfd_mem_obj *allocate_mqd(struct kfd_dev *kfd,
> >> }
> >>
> >> if (retval) {
> >> - kfree(mqd_mem_obj);
> >> + if (mqd_mem_obj)
> >> + kfree(mqd_mem_obj);
> >
> > I think this is not needed. kfree() returns immediately if
> > mqd_mem_obj is NULL.
> >
>
> Yep, the tool has to be fixed because such patch is just misleading.
> However different point - the commit description actually describes
> entirely different case: double free. Maybe the issue is true, just the
> fix is wrong?
Yes, indeed, the fix is wrong, but the bug exists. I'm pasting
the original function:
if (kfd->cwsr_enabled && (q->type == KFD_QUEUE_TYPE_COMPUTE)) {
mqd_mem_obj = kzalloc(sizeof(struct kfd_mem_obj), GFP_KERNEL);
if (!mqd_mem_obj)
return NULL;
...
} else {
retval = kfd_gtt_sa_allocate(kfd, sizeof(struct v9_mqd),
&mqd_mem_obj);
}
if (retval) {
kfree(mqd_mem_obj);
return NULL;
}
The "kfd_gtt_sa_allocate()" function allocates mqd_mem_obj and if
an error occurs internally frees it, without setting it to NULL;
retval is true and we kfree a memory that has already been freed.
The real fix is to move the "if (retval)" inside the if. It would
basically be:
diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v9.c b/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v9.c
index fdbfd725841ff..31d47d687bd62 100644
--- a/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v9.c
+++ b/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v9.c
@@ -115,18 +115,20 @@ static struct kfd_mem_obj *allocate_mqd(struct kfd_dev *kfd,
&(mqd_mem_obj->gtt_mem),
&(mqd_mem_obj->gpu_addr),
(void *)&(mqd_mem_obj->cpu_ptr), true);
+
+ if (retval) {
+ kfree(mqd_mem_obj);
+ return NULL;
+ }
+
} else {
retval = kfd_gtt_sa_allocate(kfd, sizeof(struct v9_mqd),
&mqd_mem_obj);
- }
-
- if (retval) {
- kfree(mqd_mem_obj);
- return NULL;
+ if (retval)
+ return NULL;
}
return mqd_mem_obj;
-
}
Maybe with some clever refactoring we could reduce some code
duplication.
Daniil will you look into this?
Andi
^ permalink raw reply related [flat|nested] 8+ messages in thread
* Re: [PATCH] drm/amdkfd: Fix potential deallocation of previously deallocated memory.
2023-04-18 16:59 ` Andi Shyti
@ 2023-04-18 17:44 ` Andi Shyti
2023-04-18 18:12 ` Daniil Dulov
2023-05-11 11:23 ` [PATCH v2] " Daniil Dulov
0 siblings, 2 replies; 8+ messages in thread
From: Andi Shyti @ 2023-04-18 17:44 UTC (permalink / raw)
To: Andi Shyti
Cc: Krzysztof Kozlowski, Daniil Dulov, Felix Kuehling, lvc-project,
David Airlie, linux-kernel, amd-gfx, dri-devel, Alex Deucher,
Oak Zeng, Christian König
> Daniil will you look into this?
and, because this is a bug fix, if you do want to send a real
fix, plase add to the commit message:
Fixes: d1f8f0d17d40 ("drm/amdkfd: Move non-sdma mqd allocation out of init_mqd")
Cc: Oak Zeng <oak.zeng@intel.com>
Cc: <stable@vger.kernel.org> # v5.3+
Andi
PS: please note that Oak's e-mail has changed.
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH] drm/amdkfd: Fix potential deallocation of previously deallocated memory.
2023-04-18 17:44 ` Andi Shyti
@ 2023-04-18 18:12 ` Daniil Dulov
2023-05-11 11:23 ` [PATCH v2] " Daniil Dulov
1 sibling, 0 replies; 8+ messages in thread
From: Daniil Dulov @ 2023-04-18 18:12 UTC (permalink / raw)
To: Andi Shyti
Cc: Krzysztof Kozlowski, Felix Kuehling, lvc-project@linuxtesting.org,
David Airlie, linux-kernel@vger.kernel.org,
amd-gfx@lists.freedesktop.org, dri-devel@lists.freedesktop.org,
Alex Deucher, Oak Zeng, Christian König
Thank you for your feedback! I will do it as soon as possible.
Daniil
________________________________
От: Andi Shyti <andi.shyti@linux.intel.com>
Отправлено: вторник, 18 апреля 2023 г., 20:44
Кому: Andi Shyti <andi.shyti@linux.intel.com>
Копия: Krzysztof Kozlowski <krzk@kernel.org>; Daniil Dulov <D.Dulov@aladdin.ru>; Felix Kuehling <Felix.Kuehling@amd.com>; lvc-project@linuxtesting.org <lvc-project@linuxtesting.org>; David Airlie <airlied@linux.ie>; linux-kernel@vger.kernel.org <linux-kernel@vger.kernel.org>; amd-gfx@lists.freedesktop.org <amd-gfx@lists.freedesktop.org>; dri-devel@lists.freedesktop.org <dri-devel@lists.freedesktop.org>; Alex Deucher <alexander.deucher@amd.com>; Oak Zeng <oak.zeng@intel.com>; Christian König <christian.koenig@amd.com>
Тема: Re: [PATCH] drm/amdkfd: Fix potential deallocation of previously deallocated memory.
> Daniil will you look into this?
and, because this is a bug fix, if you do want to send a real
fix, plase add to the commit message:
Fixes: d1f8f0d17d40 ("drm/amdkfd: Move non-sdma mqd allocation out of init_mqd")
Cc: Oak Zeng <oak.zeng@intel.com>
Cc: <stable@vger.kernel.org> # v5.3+
Andi
PS: please note that Oak's e-mail has changed.
^ permalink raw reply [flat|nested] 8+ messages in thread
* [PATCH v2] drm/amdkfd: Fix potential deallocation of previously deallocated memory.
2023-04-18 17:44 ` Andi Shyti
2023-04-18 18:12 ` Daniil Dulov
@ 2023-05-11 11:23 ` Daniil Dulov
2023-05-11 21:12 ` Felix Kuehling
1 sibling, 1 reply; 8+ messages in thread
From: Daniil Dulov @ 2023-05-11 11:23 UTC (permalink / raw)
To: Felix Kuehling
Cc: Daniil Dulov, Alex Deucher, Christian König, David Airlie,
Daniel Vetter, Oak Zeng, amd-gfx, dri-devel, linux-kernel,
# v5 . 3+, lvc-project
Pointer mqd_mem_obj can be deallocated in kfd_gtt_sa_allocate().
The function then returns non-zero value, which causes the second deallocation.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: d1f8f0d17d40 ("drm/amdkfd: Move non-sdma mqd allocation out of init_mqd")
Signed-off-by: Daniil Dulov <d.dulov@aladdin.ru>
---
v2: Move if (retval) inside previous if as Andi Shyti <andi.shyti@linux.intel.com> suggested.
drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v9.c | 13 +++++++------
1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v9.c b/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v9.c
index 3b6f5963180d..dadeb2013fd9 100644
--- a/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v9.c
+++ b/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v9.c
@@ -113,18 +113,19 @@ static struct kfd_mem_obj *allocate_mqd(struct kfd_dev *kfd,
&(mqd_mem_obj->gtt_mem),
&(mqd_mem_obj->gpu_addr),
(void *)&(mqd_mem_obj->cpu_ptr), true);
+
+ if (retval) {
+ kfree(mqd_mem_obj);
+ return NULL;
+ }
} else {
retval = kfd_gtt_sa_allocate(kfd, sizeof(struct v9_mqd),
&mqd_mem_obj);
- }
-
- if (retval) {
- kfree(mqd_mem_obj);
- return NULL;
+ if (retval)
+ return NULL;
}
return mqd_mem_obj;
-
}
static void init_mqd(struct mqd_manager *mm, void **mqd,
--
2.25.1
^ permalink raw reply related [flat|nested] 8+ messages in thread
* Re: [PATCH v2] drm/amdkfd: Fix potential deallocation of previously deallocated memory.
2023-05-11 11:23 ` [PATCH v2] " Daniil Dulov
@ 2023-05-11 21:12 ` Felix Kuehling
0 siblings, 0 replies; 8+ messages in thread
From: Felix Kuehling @ 2023-05-11 21:12 UTC (permalink / raw)
To: Daniil Dulov
Cc: Alex Deucher, Christian König, David Airlie, Daniel Vetter,
Oak Zeng, amd-gfx, dri-devel, linux-kernel, # v5 . 3+,
lvc-project
On 2023-05-11 07:23, Daniil Dulov wrote:
> Pointer mqd_mem_obj can be deallocated in kfd_gtt_sa_allocate().
> The function then returns non-zero value, which causes the second deallocation.
>
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>
> Fixes: d1f8f0d17d40 ("drm/amdkfd: Move non-sdma mqd allocation out of init_mqd")
> Signed-off-by: Daniil Dulov <d.dulov@aladdin.ru>
Thanks. I am applying this patch to amd-staging-drm-next.
Reviewed-by: Felix Kuehling <Felix.Kuehling@amd.com>
> ---
> v2: Move if (retval) inside previous if as Andi Shyti <andi.shyti@linux.intel.com> suggested.
> drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v9.c | 13 +++++++------
> 1 file changed, 7 insertions(+), 6 deletions(-)
>
> diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v9.c b/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v9.c
> index 3b6f5963180d..dadeb2013fd9 100644
> --- a/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v9.c
> +++ b/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v9.c
> @@ -113,18 +113,19 @@ static struct kfd_mem_obj *allocate_mqd(struct kfd_dev *kfd,
> &(mqd_mem_obj->gtt_mem),
> &(mqd_mem_obj->gpu_addr),
> (void *)&(mqd_mem_obj->cpu_ptr), true);
> +
> + if (retval) {
> + kfree(mqd_mem_obj);
> + return NULL;
> + }
> } else {
> retval = kfd_gtt_sa_allocate(kfd, sizeof(struct v9_mqd),
> &mqd_mem_obj);
> - }
> -
> - if (retval) {
> - kfree(mqd_mem_obj);
> - return NULL;
> + if (retval)
> + return NULL;
> }
>
> return mqd_mem_obj;
> -
> }
>
> static void init_mqd(struct mqd_manager *mm, void **mqd,
^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2023-05-11 21:12 UTC | newest]
Thread overview: 8+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2023-04-18 6:55 [PATCH] drm/amdkfd: Fix potential deallocation of previously deallocated memory Daniil Dulov
2023-04-18 8:47 ` Andi Shyti
2023-04-18 10:07 ` Krzysztof Kozlowski
2023-04-18 16:59 ` Andi Shyti
2023-04-18 17:44 ` Andi Shyti
2023-04-18 18:12 ` Daniil Dulov
2023-05-11 11:23 ` [PATCH v2] " Daniil Dulov
2023-05-11 21:12 ` Felix Kuehling
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox