mirror of
https://git.proxmox.com/git/mirror_ubuntu-kernels.git
synced 2025-12-16 02:21:56 +00:00
4fc8fff378
In the kfd_wait_on_events() function, the kfd_event_waiter structure is allocated by alloc_event_waiters(), but the event field of the waiter structure is not initialized; When copy_from_user() fails in the kfd_wait_on_events() function, it will enter exception handling to release the previously allocated memory of the waiter structure; Due to the event field of the waiters structure being accessed in the free_waiters() function, this results in illegal memory access and system crash, here is the crash log: localhost kernel: RIP: 0010:native_queued_spin_lock_slowpath+0x185/0x1e0 localhost kernel: RSP: 0018:ffffaa53c362bd60 EFLAGS: 00010082 localhost kernel: RAX: ff3d3d6bff4007cb RBX: 0000000000000282 RCX: 00000000002c0000 localhost kernel: RDX: ffff9e855eeacb80 RSI: 000000000000279c RDI: ffffe7088f6a21d0 localhost kernel: RBP: ffffe7088f6a21d0 R08: 00000000002c0000 R09: ffffaa53c362be64 localhost kernel: R10: ffffaa53c362bbd8 R11: 0000000000000001 R12: 0000000000000002 localhost kernel: R13: ffff9e7ead15d600 R14: 0000000000000000 R15: ffff9e7ead15d698 localhost kernel: FS: 0000152a3d111700(0000) GS:ffff9e855ee80000(0000) knlGS:0000000000000000 localhost kernel: CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 localhost kernel: CR2: 0000152938000010 CR3: 000000044d7a4000 CR4: 00000000003506e0 localhost kernel: Call Trace: localhost kernel: _raw_spin_lock_irqsave+0x30/0x40 localhost kernel: remove_wait_queue+0x12/0x50 localhost kernel: kfd_wait_on_events+0x1b6/0x490 [hydcu] localhost kernel: ? ftrace_graph_caller+0xa0/0xa0 localhost kernel: kfd_ioctl+0x38c/0x4a0 [hydcu] localhost kernel: ? kfd_ioctl_set_trap_handler+0x70/0x70 [hydcu] localhost kernel: ? kfd_ioctl_create_queue+0x5a0/0x5a0 [hydcu] localhost kernel: ? ftrace_graph_caller+0xa0/0xa0 localhost kernel: __x64_sys_ioctl+0x8e/0xd0 localhost kernel: ? syscall_trace_enter.isra.18+0x143/0x1b0 localhost kernel: do_syscall_64+0x33/0x80 localhost kernel: entry_SYSCALL_64_after_hwframe+0x44/0xa9 localhost kernel: RIP: 0033:0x152a4dff68d7 Allocate the structure with kcalloc, and remove redundant 0-initialization and a redundant loop condition check. Signed-off-by: Qu Huang <qu.huang@linux.dev> Signed-off-by: Felix Kuehling <Felix.Kuehling@amd.com> Reviewed-by: Felix Kuehling <Felix.Kuehling@amd.com> Signed-off-by: Alex Deucher <alexander.deucher@amd.com> |
||
|---|---|---|
| .. | ||
| cik_event_interrupt.c | ||
| cik_int.h | ||
| cik_regs.h | ||
| cwsr_trap_handler_gfx8.asm | ||
| cwsr_trap_handler_gfx9.asm | ||
| cwsr_trap_handler_gfx10.asm | ||
| cwsr_trap_handler.h | ||
| Kconfig | ||
| kfd_chardev.c | ||
| kfd_crat.c | ||
| kfd_crat.h | ||
| kfd_debugfs.c | ||
| kfd_device_queue_manager_cik.c | ||
| kfd_device_queue_manager_v9.c | ||
| kfd_device_queue_manager_v10.c | ||
| kfd_device_queue_manager_v11.c | ||
| kfd_device_queue_manager_vi.c | ||
| kfd_device_queue_manager.c | ||
| kfd_device_queue_manager.h | ||
| kfd_device.c | ||
| kfd_doorbell.c | ||
| kfd_events.c | ||
| kfd_events.h | ||
| kfd_flat_memory.c | ||
| kfd_int_process_v9.c | ||
| kfd_int_process_v11.c | ||
| kfd_interrupt.c | ||
| kfd_iommu.c | ||
| kfd_iommu.h | ||
| kfd_kernel_queue.c | ||
| kfd_kernel_queue.h | ||
| kfd_migrate.c | ||
| kfd_migrate.h | ||
| kfd_module.c | ||
| kfd_mqd_manager_cik.c | ||
| kfd_mqd_manager_v9.c | ||
| kfd_mqd_manager_v10.c | ||
| kfd_mqd_manager_v11.c | ||
| kfd_mqd_manager_vi.c | ||
| kfd_mqd_manager.c | ||
| kfd_mqd_manager.h | ||
| kfd_packet_manager_v9.c | ||
| kfd_packet_manager_vi.c | ||
| kfd_packet_manager.c | ||
| kfd_pasid.c | ||
| kfd_pm4_headers_ai.h | ||
| kfd_pm4_headers_aldebaran.h | ||
| kfd_pm4_headers_vi.h | ||
| kfd_pm4_headers.h | ||
| kfd_pm4_opcodes.h | ||
| kfd_priv.h | ||
| kfd_process_queue_manager.c | ||
| kfd_process.c | ||
| kfd_queue.c | ||
| kfd_smi_events.c | ||
| kfd_smi_events.h | ||
| kfd_svm.c | ||
| kfd_svm.h | ||
| kfd_topology.c | ||
| kfd_topology.h | ||
| Makefile | ||
| soc15_int.h | ||