On 3/23/26 09:59, Srinivasan Shanmugam wrote:
> In kfd_ioctl_create_process(), the pointer 'p' is used before checking
> if it is NULL.
>
> The code accesses p->context_id before validating 'p'. This can lead
> to a possible NULL pointer dereference.
>
> Move the NULL check before using 'p' so that the pointer is validated
> before access.
>
> Fixes the below:
> drivers/gpu/drm/amd/amdgpu/../amdkfd/kfd_chardev.c:3177
> kfd_ioctl_create_process() warn: variable dereferenced before check 'p' (see
> line 3174)
>
> Fixes: cc6b66d661fd ("amdkfd: introduce new ioctl AMDKFD_IOC_CREATE_PROCESS")
> Cc: Zhu Lingshan <[email protected]>
> Cc: Felix Kuehling <[email protected]>
> Cc: Christian König <[email protected]>
> Cc: Alex Deucher <[email protected]>
> Cc: Dan Carpenter <[email protected]>
> Signed-off-by: Srinivasan Shanmugam <[email protected]>
Reviewed-by: Christian König <[email protected]>
> ---
> drivers/gpu/drm/amd/amdkfd/kfd_chardev.c | 6 +++---
> 1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c
> b/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c
> index 732ad1224a61..1db565442c48 100644
> --- a/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c
> +++ b/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c
> @@ -3170,11 +3170,11 @@ static int kfd_ioctl_create_process(struct file
> *filep, struct kfd_process *p, v
> struct kfd_process *process;
> int ret;
>
> - /* Each FD owns only one kfd_process */
> - if (p->context_id != KFD_CONTEXT_ID_PRIMARY)
> + if (!filep->private_data || !p)
> return -EINVAL;
>
> - if (!filep->private_data || !p)
> + /* Each FD owns only one kfd_process */
> + if (p->context_id != KFD_CONTEXT_ID_PRIMARY)
> return -EINVAL;
>
> mutex_lock(&kfd_processes_mutex);
