All of lore.kernel.org
 help / color / mirror / Atom feed
* amdgpf: BUG: NULL pointer dereference and memory leak
@ 2019-07-30  8:47 亿一
       [not found] ` <CANTwqXBS5RohKsRWmfPDVxSEwri=XhuZVAmPAwdJibJODxcobA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
  0 siblings, 1 reply; 4+ messages in thread
From: 亿一 @ 2019-07-30  8:47 UTC (permalink / raw)
  To: alexander.deucher-5C7GfCeVMHo, christian.koenig-5C7GfCeVMHo,
	David1.Zhou-5C7GfCeVMHo
  Cc: amd-gfx-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW

Hi  alll,
         While analyzing the source code, I notice that function
amdgpu_cs_process_fence_dep() may exist NULL pointer dereference and
memory leak in the following code fragments:


fence = amdgpu_ctx_get_fence(ctx, entity,
    deps[i].handle);

if (chunk->chunk_id == AMDGPU_CHUNK_ID_SCHEDULED_DEPENDENCIES) {
        struct drm_sched_fence *s_fence = to_drm_sched_fence(fence);
        struct dma_fence *old = fence;

        fence = dma_fence_get(&s_fence->scheduled);
        dma_fence_put(old);
}

if (IS_ERR(fence)) {
         r = PTR_ERR(fence);
         amdgpu_ctx_put(ctx);
         return r;
  } else if (fence) {
          r = amdgpu_sync_fence(p->adev, &p->job->sync, fence,
                                                 true);
          dma_fence_put(fence);
           amdgpu_ctx_put(ctx);
           if (r)
           return r;
           }

function amdgpu_ctx_get_fence may return NULL pointer,  which will
cause NULL pointer dereference. What's more,  IS_ERR() would not
return true when pointer is NULL,  which will cause the ctx reference
leaked.
But I don't know how to fix it, so report it to you all.

Best Regards.
Lin Yi.
_______________________________________________
amd-gfx mailing list
amd-gfx@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/amd-gfx

^ permalink raw reply	[flat|nested] 4+ messages in thread
* Re: amdgpf: BUG: NULL pointer dereference and memory leak
       [not found] ` <CANTwqXBS5RohKsRWmfPDVxSEwri=XhuZVAmPAwdJibJODxcobA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
@ 2019-07-30  9:04   ` Koenig, Christian
       [not found]     ` <e929562a-96fd-88c8-1b60-f1c863872db8-5C7GfCeVMHo@public.gmane.org>
  0 siblings, 1 reply; 4+ messages in thread
From: Koenig, Christian @ 2019-07-30  9:04 UTC (permalink / raw)
  To: 亿一, Deucher, Alexander, Zhou, David(ChunMing)
  Cc: amd-gfx-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW

Am 30.07.19 um 10:47 schrieb 亿一:
> Hi  alll,
>           While analyzing the source code, I notice that function
> amdgpu_cs_process_fence_dep() may exist NULL pointer dereference and
> memory leak in the following code fragments:
>
>
> fence = amdgpu_ctx_get_fence(ctx, entity,
>      deps[i].handle);
>
> if (chunk->chunk_id == AMDGPU_CHUNK_ID_SCHEDULED_DEPENDENCIES) {
>          struct drm_sched_fence *s_fence = to_drm_sched_fence(fence);
>          struct dma_fence *old = fence;
>
>          fence = dma_fence_get(&s_fence->scheduled);
>          dma_fence_put(old);
> }
>
> if (IS_ERR(fence)) {
>           r = PTR_ERR(fence);
>           amdgpu_ctx_put(ctx);
>           return r;
>    } else if (fence) {
>            r = amdgpu_sync_fence(p->adev, &p->job->sync, fence,
>                                                   true);
>            dma_fence_put(fence);
>             amdgpu_ctx_put(ctx);
>             if (r)
>             return r;
>             }
>
> function amdgpu_ctx_get_fence may return NULL pointer,  which will
> cause NULL pointer dereference. What's more,  IS_ERR() would not
> return true when pointer is NULL,  which will cause the ctx reference
> leaked.

That handling is actually correct.

The problem is the "if (chunk->chunk_id == 
AMDGPU_CHUNK_ID_SCHEDULED_DEPENDENCIES)" stuff above.

That comes to early and needs to be moved below checking the fence for 
errors. Going to send a fix for this to the mailing list in a minute.

Thanks for the notice,
Christian.

> But I don't know how to fix it, so report it to you all.
>
> Best Regards.
> Lin Yi.

_______________________________________________
amd-gfx mailing list
amd-gfx@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/amd-gfx

^ permalink raw reply	[flat|nested] 4+ messages in thread
* Re: amdgpf: BUG: NULL pointer dereference and memory leak
       [not found]     ` <e929562a-96fd-88c8-1b60-f1c863872db8-5C7GfCeVMHo@public.gmane.org>
@ 2019-07-30  9:14       ` zhoucm1
       [not found]         ` <0952fbf6-e877-957c-f560-8ebf8d8f75ca-5C7GfCeVMHo@public.gmane.org>
  0 siblings, 1 reply; 4+ messages in thread
From: zhoucm1 @ 2019-07-30  9:14 UTC (permalink / raw)
  To: Koenig, Christian, 亿一,
	Deucher, Alexander, Zhou, David(ChunMing)
  Cc: amd-gfx-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW



On 2019年07月30日 17:04, Koenig, Christian wrote:
> Am 30.07.19 um 10:47 schrieb 亿一:
>> Hi  alll,
>>            While analyzing the source code, I notice that function
>> amdgpu_cs_process_fence_dep() may exist NULL pointer dereference and
>> memory leak in the following code fragments:
>>
>>
>> fence = amdgpu_ctx_get_fence(ctx, entity,
>>       deps[i].handle);
>>
>> if (chunk->chunk_id == AMDGPU_CHUNK_ID_SCHEDULED_DEPENDENCIES) {
>>           struct drm_sched_fence *s_fence = to_drm_sched_fence(fence);
>>           struct dma_fence *old = fence;
>>
>>           fence = dma_fence_get(&s_fence->scheduled);
>>           dma_fence_put(old);
>> }
>>
>> if (IS_ERR(fence)) {
>>            r = PTR_ERR(fence);
>>            amdgpu_ctx_put(ctx);
>>            return r;
>>     } else if (fence) {
>>             r = amdgpu_sync_fence(p->adev, &p->job->sync, fence,
>>                                                    true);
>>             dma_fence_put(fence);
>>              amdgpu_ctx_put(ctx);
>>              if (r)
>>              return r;
>>              }
>>
>> function amdgpu_ctx_get_fence may return NULL pointer,  which will
>> cause NULL pointer dereference. What's more,  IS_ERR() would not
>> return true when pointer is NULL,  which will cause the ctx reference
>> leaked.
> That handling is actually correct.
>
> The problem is the "if (chunk->chunk_id ==
> AMDGPU_CHUNK_ID_SCHEDULED_DEPENDENCIES)" stuff above.
>
> That comes to early and needs to be moved below checking the fence for
> errors. Going to send a fix for this to the mailing list in a minute.
Lin Yi is right I think, we leaked ctx reference when fence is NULL.

-David
>
> Thanks for the notice,
> Christian.
>
>> But I don't know how to fix it, so report it to you all.
>>
>> Best Regards.
>> Lin Yi.

_______________________________________________
amd-gfx mailing list
amd-gfx@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/amd-gfx

^ permalink raw reply	[flat|nested] 4+ messages in thread
* Re: amdgpf: BUG: NULL pointer dereference and memory leak
       [not found]         ` <0952fbf6-e877-957c-f560-8ebf8d8f75ca-5C7GfCeVMHo@public.gmane.org>
@ 2019-07-30  9:19           ` Koenig, Christian
  0 siblings, 0 replies; 4+ messages in thread
From: Koenig, Christian @ 2019-07-30  9:19 UTC (permalink / raw)
  To: Zhou, David(ChunMing), 亿一, Deucher, Alexander
  Cc: amd-gfx-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW

Am 30.07.19 um 11:14 schrieb zhoucm1:
>
>
> On 2019年07月30日 17:04, Koenig, Christian wrote:
>> Am 30.07.19 um 10:47 schrieb 亿一:
>>> Hi  alll,
>>>            While analyzing the source code, I notice that function
>>> amdgpu_cs_process_fence_dep() may exist NULL pointer dereference and
>>> memory leak in the following code fragments:
>>>
>>>
>>> fence = amdgpu_ctx_get_fence(ctx, entity,
>>>       deps[i].handle);
>>>
>>> if (chunk->chunk_id == AMDGPU_CHUNK_ID_SCHEDULED_DEPENDENCIES) {
>>>           struct drm_sched_fence *s_fence = to_drm_sched_fence(fence);
>>>           struct dma_fence *old = fence;
>>>
>>>           fence = dma_fence_get(&s_fence->scheduled);
>>>           dma_fence_put(old);
>>> }
>>>
>>> if (IS_ERR(fence)) {
>>>            r = PTR_ERR(fence);
>>>            amdgpu_ctx_put(ctx);
>>>            return r;
>>>     } else if (fence) {
>>>             r = amdgpu_sync_fence(p->adev, &p->job->sync, fence,
>>>                                                    true);
>>>             dma_fence_put(fence);
>>>              amdgpu_ctx_put(ctx);
>>>              if (r)
>>>              return r;
>>>              }
>>>
>>> function amdgpu_ctx_get_fence may return NULL pointer,  which will
>>> cause NULL pointer dereference. What's more,  IS_ERR() would not
>>> return true when pointer is NULL,  which will cause the ctx reference
>>> leaked.
>> That handling is actually correct.
>>
>> The problem is the "if (chunk->chunk_id ==
>> AMDGPU_CHUNK_ID_SCHEDULED_DEPENDENCIES)" stuff above.
>>
>> That comes to early and needs to be moved below checking the fence for
>> errors. Going to send a fix for this to the mailing list in a minute.
> Lin Yi is right I think, we leaked ctx reference when fence is NULL.

Indeed, but what I meant was the a NULL fence here is not an error.

Just send out a patch to fix that stuff up, please review.

Christian.

>
> -David
>>
>> Thanks for the notice,
>> Christian.
>>
>>> But I don't know how to fix it, so report it to you all.
>>>
>>> Best Regards.
>>> Lin Yi.
>

_______________________________________________
amd-gfx mailing list
amd-gfx@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/amd-gfx

^ permalink raw reply	[flat|nested] 4+ messages in thread
end of thread, other threads:[~2019-07-30  9:19 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-07-30  8:47 amdgpf: BUG: NULL pointer dereference and memory leak 亿一
     [not found] ` <CANTwqXBS5RohKsRWmfPDVxSEwri=XhuZVAmPAwdJibJODxcobA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2019-07-30  9:04   ` Koenig, Christian
     [not found]     ` <e929562a-96fd-88c8-1b60-f1c863872db8-5C7GfCeVMHo@public.gmane.org>
2019-07-30  9:14       ` zhoucm1
     [not found]         ` <0952fbf6-e877-957c-f560-8ebf8d8f75ca-5C7GfCeVMHo@public.gmane.org>
2019-07-30  9:19           ` Koenig, Christian

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.