lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAEKBCKMNZOof8KP5upY45djTC9Bk9+AFHZyZVoid2eevTtjykA@mail.gmail.com>
Date: Sat, 21 Sep 2024 10:10:54 +0545
From: Dipendra Khadka <kdipendra88@...il.com>
To: Christian König <christian.koenig@....com>
Cc: Felix.Kuehling@....com, alexander.deucher@....com, Xinhui.Pan@....com, 
	airlied@...il.com, daniel@...ll.ch, amd-gfx@...ts.freedesktop.org, 
	linux-kernel@...r.kernel.org
Subject: Re: [PATCH] Staging: drivers/gpu/drm/amd/amdgpu: Fix null pointer
 deference in amdkfd_fence_get_timeline_name

On Sat, 21 Sept 2024 at 00:43, Christian König <christian.koenig@....com> wrote:
>
> Am 20.09.24 um 18:31 schrieb Dipendra Khadka:
> > On Fri, 20 Sept 2024 at 16:01, Christian König <christian.koenig@....com> wrote:
> >> Am 20.09.24 um 11:09 schrieb Dipendra Khadka:
> >>> '''
> >>> drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_fence.c:108:9: error: Null pointer dereference: fence [nullPointer]
> >>>    return fence->timeline_name;
> >>>           ^
> >>> '''
> >>>
> >>> The method to_amdgpu_amdkfd_fence can return NULL incase of empty f
> >>> or f->ops != &amdkfd_fence_ops.Hence, check has been added .
> >>> If fence is null , then null is returned.
> >> Well NAK, completely nonsense. Calling the function with a NULL fence is
> >> illegal.
> > Thanks for enlightening me .
>
> Well sorry to be so direct, but what the heck did you tried to do here?
>

Hi Christian,

cppcheck reported null pointer dereference in the line  " return
fence->timeline_name;" in the function "static const char
*amdkfd_fence_get_timeline_name(struct dma_fence *f)".
In the function , we are getting the value of fence like this :
"struct amdgpu_amdkfd_fence *fence = to_amdgpu_amdkfd_fence(f);"

When I went through the function " to_amdgpu_amdkfd_fence" whose definition is :
'''
struct amdgpu_amdkfd_fence *to_amdgpu_amdkfd_fence(struct dma_fence *f)
{
struct amdgpu_amdkfd_fence *fence;

if (!f)
return NULL;

fence = container_of(f, struct amdgpu_amdkfd_fence, base);
if (f->ops == &amdkfd_fence_ops)
return fence;

return NULL;
}
'''

Here, the function to_amdgpu_amdkfd_fence can return NULL when f is
empty or f->ops != &amdkfd_fence_ops .So the fence in function
"amdkfd_fence_get_timeline_name" can be NULL.
Hence , I thought dereferencing NULL fence like "return
fence->timeline_name" may result in the runtime crashing. So, I
proposed this fix. Sorry, I was not aware about the behaviour of the
fence.
I am interested in the development and tried to fix this .

> I mean that is broken on so many different levels that I can't
> understand why somebody is suggesting something like that.
>
> Regards,
> Christian.
>
> >
> >> Regards,
> >> Christian.
> >>
> >>> Signed-off-by: Dipendra Khadka <kdipendra88@...il.com>
> >>> ---
> >>>    drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_fence.c | 3 +++
> >>>    1 file changed, 3 insertions(+)
> >>>
> >>> diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_fence.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_fence.c
> >>> index 1ef758ac5076..2313babcc944 100644
> >>> --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_fence.c
> >>> +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_fence.c
> >>> @@ -105,6 +105,9 @@ static const char *amdkfd_fence_get_timeline_name(struct dma_fence *f)
> >>>    {
> >>>        struct amdgpu_amdkfd_fence *fence = to_amdgpu_amdkfd_fence(f);
> >>>
> >>> +     if (!fence)
> >>> +             return NULL;
> >>> +
> >>>        return fence->timeline_name;
> >>>    }
> >>>
> > Regards,
> > Dipendra Khadka
>

Regards,
Dipendra Khadka

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ