lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <202110111947.2oUxucXl-lkp@intel.com>
Date:   Mon, 11 Oct 2021 14:48:05 +0300
From:   Dan Carpenter <dan.carpenter@...cle.com>
To:     kbuild@...ts.01.org, Dani Liberman <dliberman@...ana.ai>
Cc:     lkp@...el.com, kbuild-all@...ts.01.org,
        linux-kernel@...r.kernel.org, Oded Gabbay <ogabbay@...nel.org>
Subject: [kbuild] [ogabbay:habanalabs-next 17/19]
 drivers/misc/habanalabs/common/command_submission.c:2421 hl_cs_poll_fences()
 error: we previously assumed 'fence' could be null (see line 2402)

tree:   https://git.kernel.org/pub/scm/linux/kernel/git/ogabbay/linux.git  habanalabs-next
head:   41548e6097f0e2673e99c18aa74c9bbba341c9ba
commit: 2819e6243c5cdf6619cdaddaf117076a043d7bb2 [17/19] habanalabs: fix NULL pointer dereference
config: x86_64-randconfig-m001-20211011 (attached as .config)
compiler: gcc-9 (Debian 9.3.0-22) 9.3.0

If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@...el.com>
Reported-by: Dan Carpenter <dan.carpenter@...cle.com>

smatch warnings:
drivers/misc/habanalabs/common/command_submission.c:2421 hl_cs_poll_fences() error: we previously assumed 'fence' could be null (see line 2402)

vim +/fence +2421 drivers/misc/habanalabs/common/command_submission.c

215f0c1775d550 drivers/misc/habanalabs/common/command_submission.c Ohad Sharabi  2021-06-14  2346  static int hl_cs_poll_fences(struct multi_cs_data *mcs_data)
215f0c1775d550 drivers/misc/habanalabs/common/command_submission.c Ohad Sharabi  2021-06-14  2347  {
215f0c1775d550 drivers/misc/habanalabs/common/command_submission.c Ohad Sharabi  2021-06-14  2348  	struct hl_fence **fence_ptr = mcs_data->fence_arr;
215f0c1775d550 drivers/misc/habanalabs/common/command_submission.c Ohad Sharabi  2021-06-14  2349  	struct hl_device *hdev = mcs_data->ctx->hdev;
215f0c1775d550 drivers/misc/habanalabs/common/command_submission.c Ohad Sharabi  2021-06-14  2350  	int i, rc, arr_len = mcs_data->arr_len;
215f0c1775d550 drivers/misc/habanalabs/common/command_submission.c Ohad Sharabi  2021-06-14  2351  	u64 *seq_arr = mcs_data->seq_arr;
215f0c1775d550 drivers/misc/habanalabs/common/command_submission.c Ohad Sharabi  2021-06-14  2352  	ktime_t max_ktime, first_cs_time;
215f0c1775d550 drivers/misc/habanalabs/common/command_submission.c Ohad Sharabi  2021-06-14  2353  	enum hl_cs_wait_status status;
215f0c1775d550 drivers/misc/habanalabs/common/command_submission.c Ohad Sharabi  2021-06-14  2354  
215f0c1775d550 drivers/misc/habanalabs/common/command_submission.c Ohad Sharabi  2021-06-14  2355  	memset(fence_ptr, 0, arr_len * sizeof(*fence_ptr));
215f0c1775d550 drivers/misc/habanalabs/common/command_submission.c Ohad Sharabi  2021-06-14  2356  
215f0c1775d550 drivers/misc/habanalabs/common/command_submission.c Ohad Sharabi  2021-06-14  2357  	/* get all fences under the same lock */
215f0c1775d550 drivers/misc/habanalabs/common/command_submission.c Ohad Sharabi  2021-06-14  2358  	rc = hl_ctx_get_fences(mcs_data->ctx, seq_arr, fence_ptr, arr_len);
215f0c1775d550 drivers/misc/habanalabs/common/command_submission.c Ohad Sharabi  2021-06-14  2359  	if (rc)
215f0c1775d550 drivers/misc/habanalabs/common/command_submission.c Ohad Sharabi  2021-06-14  2360  		return rc;
215f0c1775d550 drivers/misc/habanalabs/common/command_submission.c Ohad Sharabi  2021-06-14  2361  
215f0c1775d550 drivers/misc/habanalabs/common/command_submission.c Ohad Sharabi  2021-06-14  2362  	/*
215f0c1775d550 drivers/misc/habanalabs/common/command_submission.c Ohad Sharabi  2021-06-14  2363  	 * set to maximum time to verify timestamp is valid: if at the end
215f0c1775d550 drivers/misc/habanalabs/common/command_submission.c Ohad Sharabi  2021-06-14  2364  	 * this value is maintained- no timestamp was updated
215f0c1775d550 drivers/misc/habanalabs/common/command_submission.c Ohad Sharabi  2021-06-14  2365  	 */
215f0c1775d550 drivers/misc/habanalabs/common/command_submission.c Ohad Sharabi  2021-06-14  2366  	max_ktime = ktime_set(KTIME_SEC_MAX, 0);
215f0c1775d550 drivers/misc/habanalabs/common/command_submission.c Ohad Sharabi  2021-06-14  2367  	first_cs_time = max_ktime;
215f0c1775d550 drivers/misc/habanalabs/common/command_submission.c Ohad Sharabi  2021-06-14  2368  
215f0c1775d550 drivers/misc/habanalabs/common/command_submission.c Ohad Sharabi  2021-06-14  2369  	for (i = 0; i < arr_len; i++, fence_ptr++) {
215f0c1775d550 drivers/misc/habanalabs/common/command_submission.c Ohad Sharabi  2021-06-14  2370  		struct hl_fence *fence = *fence_ptr;
215f0c1775d550 drivers/misc/habanalabs/common/command_submission.c Ohad Sharabi  2021-06-14  2371  
215f0c1775d550 drivers/misc/habanalabs/common/command_submission.c Ohad Sharabi  2021-06-14  2372  		/*
215f0c1775d550 drivers/misc/habanalabs/common/command_submission.c Ohad Sharabi  2021-06-14  2373  		 * function won't sleep as it is called with timeout 0 (i.e.
215f0c1775d550 drivers/misc/habanalabs/common/command_submission.c Ohad Sharabi  2021-06-14  2374  		 * poll the fence)
215f0c1775d550 drivers/misc/habanalabs/common/command_submission.c Ohad Sharabi  2021-06-14  2375  		 */
215f0c1775d550 drivers/misc/habanalabs/common/command_submission.c Ohad Sharabi  2021-06-14  2376  		rc = hl_wait_for_fence(mcs_data->ctx, seq_arr[i], fence,
215f0c1775d550 drivers/misc/habanalabs/common/command_submission.c Ohad Sharabi  2021-06-14  2377  						&status, 0, NULL);
215f0c1775d550 drivers/misc/habanalabs/common/command_submission.c Ohad Sharabi  2021-06-14  2378  		if (rc) {
215f0c1775d550 drivers/misc/habanalabs/common/command_submission.c Ohad Sharabi  2021-06-14  2379  			dev_err(hdev->dev,
215f0c1775d550 drivers/misc/habanalabs/common/command_submission.c Ohad Sharabi  2021-06-14  2380  				"wait_for_fence error :%d for CS seq %llu\n",
215f0c1775d550 drivers/misc/habanalabs/common/command_submission.c Ohad Sharabi  2021-06-14  2381  								rc, seq_arr[i]);
215f0c1775d550 drivers/misc/habanalabs/common/command_submission.c Ohad Sharabi  2021-06-14  2382  			break;
215f0c1775d550 drivers/misc/habanalabs/common/command_submission.c Ohad Sharabi  2021-06-14  2383  		}
215f0c1775d550 drivers/misc/habanalabs/common/command_submission.c Ohad Sharabi  2021-06-14  2384  
2819e6243c5cdf drivers/misc/habanalabs/common/command_submission.c Dani Liberman 2021-10-06  2385  		/*
2819e6243c5cdf drivers/misc/habanalabs/common/command_submission.c Dani Liberman 2021-10-06  2386  		 * It is possible to get an old sequence numbers from user
2819e6243c5cdf drivers/misc/habanalabs/common/command_submission.c Dani Liberman 2021-10-06  2387  		 * which related to already completed CSs and their fences
2819e6243c5cdf drivers/misc/habanalabs/common/command_submission.c Dani Liberman 2021-10-06  2388  		 * already gone. In this case, no need to consider its QID for
2819e6243c5cdf drivers/misc/habanalabs/common/command_submission.c Dani Liberman 2021-10-06  2389  		 * mcs completion.
2819e6243c5cdf drivers/misc/habanalabs/common/command_submission.c Dani Liberman 2021-10-06  2390  		 */
2819e6243c5cdf drivers/misc/habanalabs/common/command_submission.c Dani Liberman 2021-10-06  2391  		if (fence)
                                                                                                                    ^^^^^
2819e6243c5cdf drivers/misc/habanalabs/common/command_submission.c Dani Liberman 2021-10-06  2392  			mcs_data->stream_master_qid_map |=
2819e6243c5cdf drivers/misc/habanalabs/common/command_submission.c Dani Liberman 2021-10-06  2393  					fence->stream_master_qid_map;
215f0c1775d550 drivers/misc/habanalabs/common/command_submission.c Ohad Sharabi  2021-06-14  2394  
f0d5ad46a0eba1 drivers/misc/habanalabs/common/command_submission.c Dani Liberman 2021-10-03  2395  		/*
f0d5ad46a0eba1 drivers/misc/habanalabs/common/command_submission.c Dani Liberman 2021-10-03  2396  		 * Using mcs_handling_done to avoid possibility of mcs_data
f0d5ad46a0eba1 drivers/misc/habanalabs/common/command_submission.c Dani Liberman 2021-10-03  2397  		 * returns to user indicating CS completed before it finished
f0d5ad46a0eba1 drivers/misc/habanalabs/common/command_submission.c Dani Liberman 2021-10-03  2398  		 * all of its mcs handling, to avoid race the next time the
f0d5ad46a0eba1 drivers/misc/habanalabs/common/command_submission.c Dani Liberman 2021-10-03  2399  		 * user waits for mcs.
f0d5ad46a0eba1 drivers/misc/habanalabs/common/command_submission.c Dani Liberman 2021-10-03  2400  		 */
2819e6243c5cdf drivers/misc/habanalabs/common/command_submission.c Dani Liberman 2021-10-06  2401  		if (status == CS_WAIT_STATUS_BUSY ||
2819e6243c5cdf drivers/misc/habanalabs/common/command_submission.c Dani Liberman 2021-10-06 @2402  				(fence && !fence->mcs_handling_done))
                                                                                                                                 ^^^^^
Checks for NULL


215f0c1775d550 drivers/misc/habanalabs/common/command_submission.c Ohad Sharabi  2021-06-14  2403  			continue;
215f0c1775d550 drivers/misc/habanalabs/common/command_submission.c Ohad Sharabi  2021-06-14  2404  
215f0c1775d550 drivers/misc/habanalabs/common/command_submission.c Ohad Sharabi  2021-06-14  2405  		mcs_data->completion_bitmap |= BIT(i);
215f0c1775d550 drivers/misc/habanalabs/common/command_submission.c Ohad Sharabi  2021-06-14  2406  
215f0c1775d550 drivers/misc/habanalabs/common/command_submission.c Ohad Sharabi  2021-06-14  2407  		/*
215f0c1775d550 drivers/misc/habanalabs/common/command_submission.c Ohad Sharabi  2021-06-14  2408  		 * best effort to extract timestamp. few notes:
215f0c1775d550 drivers/misc/habanalabs/common/command_submission.c Ohad Sharabi  2021-06-14  2409  		 * - if even single fence is gone we cannot extract timestamp
215f0c1775d550 drivers/misc/habanalabs/common/command_submission.c Ohad Sharabi  2021-06-14  2410  		 *   (as fence not exist anymore)
215f0c1775d550 drivers/misc/habanalabs/common/command_submission.c Ohad Sharabi  2021-06-14  2411  		 * - for all completed CSs we take the earliest timestamp.
215f0c1775d550 drivers/misc/habanalabs/common/command_submission.c Ohad Sharabi  2021-06-14  2412  		 *   for this we have to validate that:
215f0c1775d550 drivers/misc/habanalabs/common/command_submission.c Ohad Sharabi  2021-06-14  2413  		 *       1. given timestamp was indeed set
215f0c1775d550 drivers/misc/habanalabs/common/command_submission.c Ohad Sharabi  2021-06-14  2414  		 *       2. the timestamp is earliest of all timestamps so far
215f0c1775d550 drivers/misc/habanalabs/common/command_submission.c Ohad Sharabi  2021-06-14  2415  		 */
215f0c1775d550 drivers/misc/habanalabs/common/command_submission.c Ohad Sharabi  2021-06-14  2416  
215f0c1775d550 drivers/misc/habanalabs/common/command_submission.c Ohad Sharabi  2021-06-14  2417  		if (status == CS_WAIT_STATUS_GONE) {
215f0c1775d550 drivers/misc/habanalabs/common/command_submission.c Ohad Sharabi  2021-06-14  2418  			mcs_data->update_ts = false;
215f0c1775d550 drivers/misc/habanalabs/common/command_submission.c Ohad Sharabi  2021-06-14  2419  			mcs_data->gone_cs = true;
215f0c1775d550 drivers/misc/habanalabs/common/command_submission.c Ohad Sharabi  2021-06-14  2420  		} else if (mcs_data->update_ts &&
215f0c1775d550 drivers/misc/habanalabs/common/command_submission.c Ohad Sharabi  2021-06-14 @2421  			(ktime_compare(fence->timestamp,
                                                                                                                                       ^^^^^^^
Unchecked dereferences.

215f0c1775d550 drivers/misc/habanalabs/common/command_submission.c Ohad Sharabi  2021-06-14  2422  						ktime_set(0, 0)) > 0) &&
215f0c1775d550 drivers/misc/habanalabs/common/command_submission.c Ohad Sharabi  2021-06-14  2423  			(ktime_compare(fence->timestamp, first_cs_time) < 0)) {
215f0c1775d550 drivers/misc/habanalabs/common/command_submission.c Ohad Sharabi  2021-06-14  2424  			first_cs_time = fence->timestamp;
215f0c1775d550 drivers/misc/habanalabs/common/command_submission.c Ohad Sharabi  2021-06-14  2425  		}
215f0c1775d550 drivers/misc/habanalabs/common/command_submission.c Ohad Sharabi  2021-06-14  2426  	}
215f0c1775d550 drivers/misc/habanalabs/common/command_submission.c Ohad Sharabi  2021-06-14  2427  
215f0c1775d550 drivers/misc/habanalabs/common/command_submission.c Ohad Sharabi  2021-06-14  2428  	hl_fences_put(mcs_data->fence_arr, arr_len);
215f0c1775d550 drivers/misc/habanalabs/common/command_submission.c Ohad Sharabi  2021-06-14  2429  
215f0c1775d550 drivers/misc/habanalabs/common/command_submission.c Ohad Sharabi  2021-06-14  2430  	if (mcs_data->update_ts &&
215f0c1775d550 drivers/misc/habanalabs/common/command_submission.c Ohad Sharabi  2021-06-14  2431  			(ktime_compare(first_cs_time, max_ktime) != 0))
215f0c1775d550 drivers/misc/habanalabs/common/command_submission.c Ohad Sharabi  2021-06-14  2432  		mcs_data->timestamp = ktime_to_ns(first_cs_time);
215f0c1775d550 drivers/misc/habanalabs/common/command_submission.c Ohad Sharabi  2021-06-14  2433  
215f0c1775d550 drivers/misc/habanalabs/common/command_submission.c Ohad Sharabi  2021-06-14  2434  	return rc;
215f0c1775d550 drivers/misc/habanalabs/common/command_submission.c Ohad Sharabi  2021-06-14  2435  }

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org 

_______________________________________________
kbuild mailing list -- kbuild@...ts.01.org
To unsubscribe send an email to kbuild-leave@...ts.01.org

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ