From: jbmoore <jbmoore61@gmail.com>
To: alexander.deucher@amd.com, christian.koenig@amd.com
Cc: "John B. Moore" <jbmoore61@gmail.com>, stable@vger.kernel.org
Subject: [PATCH 1/4] drm/amdgpu/sdma4: replace BUG_ON with WARN_ON_ONCE in fence emission
Date: Sun, 26 Apr 2026 16:52:50 -0500 [thread overview]
Message-ID: <20260426215256.50722-2-jbmoore@nooks.dev> (raw)
In-Reply-To: <20260426215256.50722-1-jbmoore@nooks.dev>
From: "John B. Moore" <jbmoore61@gmail.com>
sdma_v4_0_ring_emit_fence() contains two BUG_ON(addr & 0x3) assertions
that verify fence writeback addresses are dword-aligned. These
assertions can be reached via crafted DRM_IOCTL_AMDGPU_CS submissions
from unprivileged userspace, causing a fatal kernel panic in a
scheduler worker thread.
Replace both BUG_ON() calls with WARN_ON_ONCE() and force-align the
address by clearing the reserved bits. This logs the condition once
per boot and allows the hardware to proceed without crashing the
kernel.
On all hardware that amdgpu supports, bits [1:0] of ring buffer
addresses are reserved (they historically encoded byte-swap mode on
legacy pre-amdgpu hardware). A misaligned fence address indicates a
driver bug, but crashing the kernel is never the correct response.
Found by a custom amdgpu DRM ioctl fuzzer.
Fixes: 2130f89ced2c ("drm/amdgpu: add SDMA v4.0 implementation (v2)")
Signed-off-by: John B. Moore <jbmoore61@gmail.com>
Cc: stable@vger.kernel.org
---
drivers/gpu/drm/amd/amdgpu/sdma_v4_0.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/amd/amdgpu/sdma_v4_0.c b/drivers/gpu/drm/amd/amdgpu/sdma_v4_0.c
index 8a2a4e618..dcb7e4219 100644
--- a/drivers/gpu/drm/amd/amdgpu/sdma_v4_0.c
+++ b/drivers/gpu/drm/amd/amdgpu/sdma_v4_0.c
@@ -889,7 +889,8 @@ static void sdma_v4_0_ring_emit_fence(struct amdgpu_ring *ring, u64 addr, u64 se
/* write the fence */
amdgpu_ring_write(ring, SDMA_PKT_HEADER_OP(SDMA_OP_FENCE));
/* zero in first two bits */
- BUG_ON(addr & 0x3);
+ if (WARN_ON_ONCE(addr & 0x3))
+ addr &= ~0x3ULL;
amdgpu_ring_write(ring, lower_32_bits(addr));
amdgpu_ring_write(ring, upper_32_bits(addr));
amdgpu_ring_write(ring, lower_32_bits(seq));
@@ -899,7 +900,8 @@ static void sdma_v4_0_ring_emit_fence(struct amdgpu_ring *ring, u64 addr, u64 se
addr += 4;
amdgpu_ring_write(ring, SDMA_PKT_HEADER_OP(SDMA_OP_FENCE));
/* zero in first two bits */
- BUG_ON(addr & 0x3);
+ if (WARN_ON_ONCE(addr & 0x3))
+ addr &= ~0x3ULL;
amdgpu_ring_write(ring, lower_32_bits(addr));
amdgpu_ring_write(ring, upper_32_bits(addr));
amdgpu_ring_write(ring, upper_32_bits(seq));
--
2.43.0
next parent reply other threads:[~2026-04-26 21:53 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20260426215256.50722-1-jbmoore@nooks.dev>
2026-04-26 21:52 ` jbmoore [this message]
2026-04-26 21:52 ` [PATCH 2/4] drm/amdgpu/gfx9: replace BUG_ON/BUG with WARN_ON_ONCE in ring emission jbmoore
2026-04-26 21:52 ` [PATCH 3/4] drm/amdgpu/gfx9: replace BUG_ON with WARN_ON_ONCE for KIQ 64-bit fence flag jbmoore
2026-04-26 21:52 ` [PATCH 4/4] drm/amdgpu/vcn: prevent silent fence drop on 64-bit flag mismatch jbmoore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260426215256.50722-2-jbmoore@nooks.dev \
--to=jbmoore61@gmail.com \
--cc=alexander.deucher@amd.com \
--cc=christian.koenig@amd.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox