From: Wentao_Liang
To: alexander.deucher@amd.com, christian.koenig@amd.com, Xinhui.Pan@amd.com
Cc: amd-gfx@lists.freedesktop.org, dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org, Wentao_Liang
Subject: [PATCH] drivers:gpu:drm:amd:amdgpu:amdgpu_cs.c:fix a potential use-after-free
Date: Thu, 28 Jul 2022 20:12:37 +0800
Message-Id: <20220728121237.9201-1-Wentao_Liang_g@163.com>

In line 1535, "dma_fence_put(fence);" drops the reference to fence and may cause fence to be released. However, fence is used subsequently in line 1542, "fence->error". This may result in a use-after-free bug. It can be fixed by recording fence->error in a variable before dropping the reference to fence and referencing it after dropping.

The bug has been confirmed by Christian König on 2021-08-16. Now, I resend this patch with my real name. I hope the patch can be updated in the near future.

Signed-off-by: Wentao_Liang
---
 drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c index b28af04b0c3e..1d675a5838f2 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c @@ -1518,7 +1518,7 @@ static int amdgpu_cs_wait_all_fences(struct amdgpu_device *adev, struct drm_amdgpu_fence *fences) { uint32_t fence_count = wait->in.fence_count; - unsigned int i; + unsigned int i, error; long r = 1; for (i = 0; i < fence_count; i++) { @@ -1533,14 +1533,15 @@ static int amdgpu_cs_wait_all_fences(struct amdgpu_device *adev, r = dma_fence_wait_timeout(fence, true, timeout); dma_fence_put(fence); + error = fence->error; if (r < 0) return r; if (r == 0) break; - if (fence->error) - return fence->error; + if (error) + return error; } memset(wait, 0, sizeof(*wait)); -- 2.25.1
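Review bot: `unsigned int i, error;` in the first hunk gives `error` the wrong type for what it holds; `fence->error` is an `int` carrying a negative errno value and `amdgpu_cs_wait_all_fences()` returns `int`, so the value would go through an unsigned conversion on the way out. Leave `unsigned int i;` as it was and add a separate `int error;` instead.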
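Review bot: the second hunk still dereferences the fence after its reference is dropped, so the use-after-free the commit message describes is not fixed: `error = fence->error;` is placed after `dma_fence_put(fence);`, and if that put released the last reference the read hits freed memory exactly as before. Swap the two lines so the copy happens while the reference is held, `error = fence->error;` followed by `dma_fence_put(fence);`, which is also what the commit message says the patch does ("recording fence->error in a variable before dropping the reference").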
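The ordering the commit message describes, read-before-put versus read-after-put, as an added C example that is not code from this patch or from the amdgpu driver. The `demo_fence` type, `demo_fence_put()`, `demo_fence_wait()`, `run_demo()` and the poison constant are stand-ins invented for the demonstration: `demo_fence_put()` releases the object on the last reference the way `dma_fence_put()` does, but instead of freeing memory it marks the object freed and overwrites `error` with the kernel's 0x6b slab-poison byte pattern, so the stale read is observable rather than undefined behaviour.

```c
/* Added example, not from the patch or the amdgpu driver. A minimal
 * refcounted "fence" whose put() releases the object on the last reference,
 * used to show why reading fence->error after the put is a use-after-free
 * and why copying it before the put is safe.
 *
 * A real kfree() would make the stale read undefined; this simulation keeps
 * the object in a static pool, marks it freed and poisons the error field
 * (0x6b is the kernel's POISON_FREE byte) so the bug shows deterministically.
 * All names here are invented for the demo. */
#include <stdio.h>

#define DEMO_POISON_ERROR 0x6b6b6b6b   /* stands in for slab POISON_FREE fill */
#define DEMO_MAX_FENCES 4

struct demo_fence {
	int refcount;
	int error;   /* 0 on success, negative errno otherwise, like dma_fence.error */
	int freed;
};

/* Static pool so "freed" objects stay addressable for the demonstration. */
static struct demo_fence pool[DEMO_MAX_FENCES];

static struct demo_fence *demo_fence_create(int idx, int error)
{
	struct demo_fence *f = &pool[idx];

	f->refcount = 1;
	f->error = error;
	f->freed = 0;
	return f;
}

/* Drop a reference; on the last one "free" the object by poisoning it. */
static void demo_fence_put(struct demo_fence *f)
{
	if (--f->refcount == 0) {
		f->freed = 1;
		f->error = DEMO_POISON_ERROR;   /* any later read returns garbage */
	}
}

/* Mirrors the dma_fence_wait_timeout() contract (>0 = signaled); always 1 here. */
static long demo_fence_wait(struct demo_fence *f)
{
	(void)f;
	return 1;
}

/* Buggy ordering: the error field is read after the reference is dropped. */
static int wait_all_buggy(struct demo_fence **fences, int n)
{
	for (int i = 0; i < n; i++) {
		struct demo_fence *fence = fences[i];
		long r = demo_fence_wait(fence);

		demo_fence_put(fence);          /* may release the fence */
		if (r < 0)
			return (int)r;
		if (r == 0)
			break;
		if (fence->error)               /* use after free */
			return fence->error;
	}
	return 0;
}

/* Fixed ordering: copy the error while the reference is still held. */
static int wait_all_fixed(struct demo_fence **fences, int n)
{
	for (int i = 0; i < n; i++) {
		struct demo_fence *fence = fences[i];
		long r = demo_fence_wait(fence);
		int error = fence->error;       /* read before the put */

		demo_fence_put(fence);
		if (r < 0)
			return (int)r;
		if (r == 0)
			break;
		if (error)
			return error;
	}
	return 0;
}

/* Build two fences where the caller holds the only reference, so the put
 * inside the wait loop is the last one; the second fence failed with -5. */
static int run_demo(int (*wait_all)(struct demo_fence **, int))
{
	struct demo_fence *fences[2];

	fences[0] = demo_fence_create(0, 0);
	fences[1] = demo_fence_create(1, -5);
	return wait_all(fences, 2);
}

int main(void)
{
	printf("read after put:  %d\n", run_demo(wait_all_buggy));
	printf("read before put: %d\n", run_demo(wait_all_fixed));
	return 0;
}
```

Run as written, the read-after-put loop returns the poison pattern as a bogus positive "error" from the first fence even though that fence completed cleanly, while the read-before-put loop walks past it and returns the real -5 from the second fence. The copy is kept as `int`, matching the type of `dma_fence.error`.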