Applied. Thanks!

Alex
On Mon, May 25, 2026 at 5:59 AM Muhammad Bilal <[email protected]> wrote: > > When usr_queue_id_array is NULL and num_queues is non-zero, > get_queue_ids() returns NULL. The callers check only IS_ERR() on the > return value; since IS_ERR(NULL) == false the check passes, and > suspend_queues() calls q_array_invalidate() which immediately > dereferences NULL while iterating num_queues times. > > Userspace can trigger this via kfd_ioctl_set_debug_trap() by supplying > num_queues > 0 with a zero queue_array_ptr, causing a kernel panic. > > A NULL usr_queue_id_array with num_queues == 0 is a legitimate no-op > (q_array_invalidate never executes, and resume_queues already guards > all queue_ids dereferences behind a NULL check). Return ERR_PTR(-EINVAL) > only when num_queues is non-zero and the pointer is absent; both callers > already propagate IS_ERR() returns correctly to userspace. > > Fixes: a70a93fa568b ("drm/amdkfd: add debug suspend and resume process queues > operation") > Cc: [email protected] > Signed-off-by: Muhammad Bilal <[email protected]> > --- > drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c > b/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c > index c08ad718dbd7..8488b3a6c2ba 100644 > --- a/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c > +++ b/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c > @@ -3312,7 +3312,7 @@ static uint32_t *get_queue_ids(uint32_t num_queues, > uint32_t *usr_queue_id_array > size_t array_size; > > if (!usr_queue_id_array) > - return NULL; > + return num_queues ? ERR_PTR(-EINVAL) : NULL; > > if (check_mul_overflow((size_t)num_queues, sizeof(uint32_t), > &array_size)) > return ERR_PTR(-EINVAL); > -- > 2.53.0 >
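Review bot: the `+` line `return num_queues ? ERR_PTR(-EINVAL) : NULL;` now makes NULL a legitimate non-error return next to ERR_PTR values and a real array, and nothing at the return site records that NULL is only safe because num_queues == 0 turns the q_array_invalidate() walk into a zero-trip loop and resume_queues() guards its dereferences; a short comment above that line saying that NULL means "no queues requested, callers must not index it" would keep the next caller that checks only IS_ERR() from reintroducing the crash this patch fixes. Since the function already answers the overflow case a few lines down with ERR_PTR(-EINVAL), the alternative is to reject a missing pointer regardless of num_queues and drop the NULL return entirely; the commit message explains why the num_queues == 0 no-op is kept, so this is a judgement call on uAPI behaviour rather than a defect in the hunk.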
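The mechanism the commit message describes, shown as an added user-space model rather than as driver code: the ERR_PTR()/PTR_ERR()/IS_ERR() helpers below mirror the kernel's definitions, while copy_queue_ids(), q_array_invalidate_model() and suspend_queues_model() are simplified stand-ins whose bodies are assumptions (malloc/memcpy replace the kernel allocation and copy_from_user(), and the marker bit written by the invalidate stand-in is hypothetical). The before/after variants of get_queue_ids() differ only in the line the patch changes, so the caller's outcome for each input can be compared directly; where the kernel would fault on the NULL dereference, the model reports it instead of crashing.

```c
/* Added example, not code from the patch or the amdkfd driver: a user-space
 * model of why a caller that checks only IS_ERR() misses a NULL return, and
 * how the one-line fix changes the outcome. ERR_PTR/IS_ERR mirror the kernel
 * definitions; the other functions are stand-ins whose bodies are assumptions. */
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_ERRNO 4095	/* same bound the kernel uses for error pointers */

static inline void *ERR_PTR(long error) { return (void *)(uintptr_t)error; }
static inline long PTR_ERR(const void *ptr) { return (long)(uintptr_t)ptr; }
static inline bool IS_ERR(const void *ptr)
{
	return (uintptr_t)ptr >= (uintptr_t)-MAX_ERRNO;	/* NULL is never an error pointer */
}

typedef uint32_t *(*get_ids_fn)(uint32_t num_queues, const uint32_t *usr);

/* Shared tail of both variants: size check and copy (stand-in for copy_from_user()). */
static uint32_t *copy_queue_ids(uint32_t num_queues, const uint32_t *usr)
{
	size_t array_size;
	uint32_t *ids;

	if (__builtin_mul_overflow((size_t)num_queues, sizeof(uint32_t), &array_size))
		return ERR_PTR(-EINVAL);
	ids = malloc(array_size ? array_size : 1);
	if (!ids)
		return ERR_PTR(-ENOMEM);
	memcpy(ids, usr, array_size);
	return ids;
}

/* Before the fix: an absent pointer yields NULL whatever num_queues says. */
static uint32_t *get_queue_ids_before(uint32_t num_queues, const uint32_t *usr)
{
	if (!usr)
		return NULL;
	return copy_queue_ids(num_queues, usr);
}

/* After the fix: NULL only for the num_queues == 0 no-op, -EINVAL otherwise. */
static uint32_t *get_queue_ids_after(uint32_t num_queues, const uint32_t *usr)
{
	if (!usr)
		return num_queues ? ERR_PTR(-EINVAL) : NULL;
	return copy_queue_ids(num_queues, usr);
}

enum outcome { OUTCOME_OK = 0, OUTCOME_NULL_DEREF = 1 };

/* Stand-in for q_array_invalidate(): walks num_queues entries. Where the
 * kernel would fault on NULL, the model reports the would-be dereference. */
static bool q_array_invalidate_model(uint32_t num_queues, uint32_t *ids)
{
	for (uint32_t i = 0; i < num_queues; i++) {
		if (!ids)
			return true;
		ids[i] |= 0x80000000u;	/* hypothetical "invalid" marker */
	}
	return false;
}

/* Stand-in for suspend_queues(): like the real caller it checks only IS_ERR(),
 * so a NULL return reaches the loop. Returns the negative errno the caller
 * would hand to userspace, else OUTCOME_OK or OUTCOME_NULL_DEREF. */
static long suspend_queues_model(get_ids_fn get_ids, uint32_t num_queues,
				 const uint32_t *usr)
{
	uint32_t *ids = get_ids(num_queues, usr);
	bool deref;

	if (IS_ERR(ids))
		return PTR_ERR(ids);
	deref = q_array_invalidate_model(num_queues, ids);
	free(ids);	/* free(NULL) is a no-op */
	return deref ? OUTCOME_NULL_DEREF : OUTCOME_OK;
}

int main(void)
{
	static const uint32_t ids[3] = { 1, 2, 3 };	/* constructed sample input */

	printf("IS_ERR(NULL) = %d\n", IS_ERR(NULL));
	printf("before, 3 queues, NULL ptr: %ld\n",
	       suspend_queues_model(get_queue_ids_before, 3, NULL));
	printf("after,  3 queues, NULL ptr: %ld\n",
	       suspend_queues_model(get_queue_ids_after, 3, NULL));
	printf("after,  0 queues, NULL ptr: %ld\n",
	       suspend_queues_model(get_queue_ids_after, 0, NULL));
	printf("after,  3 queues, valid ptr: %ld\n",
	       suspend_queues_model(get_queue_ids_after, 3, ids));
	return 0;
}
```

The return convention of suspend_queues_model() follows the kernel's own: a negative value is the errno that would reach the ioctl caller, so the "before" variant with a NULL pointer and three queues reports the would-be dereference, the "after" variant reports -EINVAL, and the zero-queue no-op returns success under both.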
