lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <17eb00ef-f3db-4d42-a3fd-cbe6813075e5@amd.com>
Date: Mon, 23 Sep 2024 15:11:50 +0200
From: Christian König <christian.koenig@....com>
To: Dipendra Khadka <kdipendra88@...il.com>
Cc: Felix.Kuehling@....com, alexander.deucher@....com, Xinhui.Pan@....com,
 airlied@...il.com, daniel@...ll.ch, amd-gfx@...ts.freedesktop.org,
 linux-kernel@...r.kernel.org
Subject: Re: [PATCH] Staging: drivers/gpu/drm/amd/amdgpu: Fix null pointer
 deference in amdkfd_fence_get_timeline_name

Am 21.09.24 um 06:25 schrieb Dipendra Khadka:
> On Sat, 21 Sept 2024 at 00:43, Christian König <christian.koenig@....com> wrote:
>> Am 20.09.24 um 18:31 schrieb Dipendra Khadka:
>>> On Fri, 20 Sept 2024 at 16:01, Christian König <christian.koenig@....com> wrote:
>>>> Am 20.09.24 um 11:09 schrieb Dipendra Khadka:
>>>>> '''
>>>>> drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_fence.c:108:9: error: Null pointer dereference: fence [nullPointer]
>>>>>     return fence->timeline_name;
>>>>>            ^
>>>>> '''
>>>>>
>>>>> The method to_amdgpu_amdkfd_fence can return NULL incase of empty f
>>>>> or f->ops != &amdkfd_fence_ops.Hence, check has been added .
>>>>> If fence is null , then null is returned.
>>>> Well NAK, completely nonsense. Calling the function with a NULL fence is
>>>> illegal.
>>> Thanks for enlightening me .
>> Well sorry to be so direct, but what the heck did you tried to do here?
>>
> Hi Christian,
>
> cppcheck reported null pointer dereference in the line  " return
> fence->timeline_name;" in the function "static const char
> *amdkfd_fence_get_timeline_name(struct dma_fence *f)".
> In the function , we are getting the value of fence like this :
> "struct amdgpu_amdkfd_fence *fence = to_amdgpu_amdkfd_fence(f);"
>
> When I went through the function " to_amdgpu_amdkfd_fence" whose definition is :
> '''
> struct amdgpu_amdkfd_fence *to_amdgpu_amdkfd_fence(struct dma_fence *f)
> {
> struct amdgpu_amdkfd_fence *fence;
>
> if (!f)
> return NULL;
>
> fence = container_of(f, struct amdgpu_amdkfd_fence, base);
> if (f->ops == &amdkfd_fence_ops)
> return fence;
>
> return NULL;
> }
> '''
>
> Here, the function to_amdgpu_amdkfd_fence can return NULL when f is
> empty or f->ops != &amdkfd_fence_ops .So the fence in function
> "amdkfd_fence_get_timeline_name" can be NULL.
> Hence , I thought dereferencing NULL fence like "return
> fence->timeline_name" may result in the runtime crashing. So, I
> proposed this fix. Sorry, I was not aware about the behaviour of the
> fence.
> I am interested in the development and tried to fix this .

Well it's in general a good idea that you looked into this, but you 
should have put more thoughts into it.

That the fence can't be NULL is just implicit when you take a closer 
look at the code.

amdkfd_fence_get_timeline_name() is only called through the pointer in 
amdkfd_fence_ops. This makes the condition "f->ops == &amdkfd_fence_ops" 
always true inside the function.

The only other possibility is that the f parameter is NULL, but that in 
turn is impossible because the function is called like 
f->ops->get_timeline_name(f) and so the caller would have crashed even 
before entering the function.

And finally you didn't looked at the documentation. The kerneldoc for 
get_timeline_name clearly states that the callback is mandatory and 
therefore can't return NULL.

So to sum it up you suggested something which is not only unnecessary, 
but results in documented illegal behavior.

The C language unfortunately doesn't have the necessary annotation 
possibilities that a function can't return a NULL string (at least as 
far as I know). So cppcheck can't know any of this.

Please don't trust the automated tool to much and put a bit more time 
into patches like this.

Regards,
Christian.

>
>> I mean that is broken on so many different levels that I can't
>> understand why somebody is suggesting something like that.
>>
>> Regards,
>> Christian.
>>
>>>> Regards,
>>>> Christian.
>>>>
>>>>> Signed-off-by: Dipendra Khadka <kdipendra88@...il.com>
>>>>> ---
>>>>>     drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_fence.c | 3 +++
>>>>>     1 file changed, 3 insertions(+)
>>>>>
>>>>> diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_fence.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_fence.c
>>>>> index 1ef758ac5076..2313babcc944 100644
>>>>> --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_fence.c
>>>>> +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_fence.c
>>>>> @@ -105,6 +105,9 @@ static const char *amdkfd_fence_get_timeline_name(struct dma_fence *f)
>>>>>     {
>>>>>         struct amdgpu_amdkfd_fence *fence = to_amdgpu_amdkfd_fence(f);
>>>>>
>>>>> +     if (!fence)
>>>>> +             return NULL;
>>>>> +
>>>>>         return fence->timeline_name;
>>>>>     }
>>>>>
>>> Regards,
>>> Dipendra Khadka
> Regards,
> Dipendra Khadka


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ