diff options
| author | YuBiao Wang <YuBiao.Wang@amd.com> | 2022-08-24 10:56:04 +0300 |
|---|---|---|
| committer | Alex Deucher <alexander.deucher@amd.com> | 2022-08-30 00:45:36 +0300 |
| commit | 2581c5d85e31c96dee352a751dbce17c1b71b417 (patch) | |
| tree | 6e86aee26b1cc3090e18173586ed372b2cb2b560 /drivers/gpu/drm/amd/amdgpu/amdgpu_job.c | |
| parent | cfa1e7f8a75927e55cce1300c8fbda2e1d1e0abe (diff) | |
| download | linux-2581c5d85e31c96dee352a751dbce17c1b71b417.tar.xz | |
drm/amdgpu: Fix use-after-free in amdgpu_cs_ioctl
[Why]
In amdgpu_cs_ioctl, amdgpu_job_free could be performed ealier if there
is -ERESTARTSYS error. In this case, job->hw_fence could be not
initialized yet. Putting hw_fence during amdgpu_job_free could lead to a
use-after-free warning.
[How]
Check if drm_sched_job_init is performed before job_free by checking
s_fence.
v2: Check hw_fence.ops instead since it could be NULL if fence is not
initialized. Reverse the condition since !=NULL check is discouraged in
kernel.
Signed-off-by: YuBiao Wang <YuBiao.Wang@amd.com>
Reviewed-by: Andrey Grodzovsky <andrey.grodzovsky@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Diffstat (limited to 'drivers/gpu/drm/amd/amdgpu/amdgpu_job.c')
| -rw-r--r-- | drivers/gpu/drm/amd/amdgpu/amdgpu_job.c | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_job.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_job.c index 8f51adf3b329..1062b7ed74ec 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_job.c +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_job.c @@ -162,7 +162,10 @@ void amdgpu_job_free(struct amdgpu_job *job) amdgpu_sync_free(&job->sync); amdgpu_sync_free(&job->sched_sync); - dma_fence_put(&job->hw_fence); + if (!job->hw_fence.ops) + kfree(job); + else + dma_fence_put(&job->hw_fence); } int amdgpu_job_submit(struct amdgpu_job *job, struct drm_sched_entity *entity, |