Re: [PATCH] drm/amdgpu: Fix out-of-bounds write warning
Am 26.04.24 um 05:24 schrieb Ma, Jun:
On 4/25/2024 8:39 PM, Christian König wrote:
Am 25.04.24 um 12:00 schrieb Ma Jun:
Check the ring type value to fix the out-of-bounds
write warning
Signed-off-by: Ma Jun
---
drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c | 5 +
1 file changed, 5 insertions(+)
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c
b/drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c
index 06f0a6534a94..1e0b5bb47bc9 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c
@@ -353,6 +353,11 @@ int amdgpu_ring_init(struct amdgpu_device *adev, struct
amdgpu_ring *ring,
ring->hw_prio = hw_prio;
if (!ring->no_scheduler) {
+ if (ring->funcs->type >= AMDGPU_HW_IP_NUM) {
+ dev_warn(adev->dev, "ring type %d has no scheduler\n",
ring->funcs->type);
+ return 0;
+ }
+
That check should probably be at the beginning of the function since
trying to initialize a ring with an invalid type should be rejected
immediately.
This check is used to skip the gpu_sched setting for the rings
which don't have scheduler, such as KIQ, MES, UMSCH_MM.
Without this check, there could be an potential out-of-bounds writing
when ring->no__scheduler is not set correctly.
Ah! In this case that that is not really clean.
Probably best approach is to change the "if (!ring->no_scheduler)" instead.
Maybe even move this code here into amdgpu_ctx.c:
hw_ip = ring->funcs->type;
num_sched = &adev->gpu_sched[hw_ip][hw_prio].num_scheds;
adev->gpu_sched[hw_ip][hw_prio].sched[(*num_sched)++] =
&ring->sched;
And then add something like hw_ip <= AMDGPU_HW_IP_NUM.
Background is that it is perfectly valid to have a scheduler for the MES
for example.
Regards,
Christian.
Regards,
Ma Jun
Regards,
Christian.
hw_ip = ring->funcs->type;
num_sched = &adev->gpu_sched[hw_ip][hw_prio].num_scheds;
adev->gpu_sched[hw_ip][hw_prio].sched[(*num_sched)++] =
Re: [PATCH] drm/amdgpu: Fix out-of-bounds write warning
On 4/25/2024 8:39 PM, Christian König wrote:
>
>
> Am 25.04.24 um 12:00 schrieb Ma Jun:
>> Check the ring type value to fix the out-of-bounds
>> write warning
>>
>> Signed-off-by: Ma Jun
>> ---
>> drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c | 5 +
>> 1 file changed, 5 insertions(+)
>>
>> diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c
>> b/drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c
>> index 06f0a6534a94..1e0b5bb47bc9 100644
>> --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c
>> +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c
>> @@ -353,6 +353,11 @@ int amdgpu_ring_init(struct amdgpu_device *adev, struct
>> amdgpu_ring *ring,
>> ring->hw_prio = hw_prio;
>>
>> if (!ring->no_scheduler) {
>> +if (ring->funcs->type >= AMDGPU_HW_IP_NUM) {
>> +dev_warn(adev->dev, "ring type %d has no scheduler\n",
>> ring->funcs->type);
>> +return 0;
>> +}
>> +
>
> That check should probably be at the beginning of the function since
> trying to initialize a ring with an invalid type should be rejected
> immediately.
>
This check is used to skip the gpu_sched setting for the rings
which don't have scheduler, such as KIQ, MES, UMSCH_MM.
Without this check, there could be an potential out-of-bounds writing
when ring->no__scheduler is not set correctly.
Regards,
Ma Jun
> Regards,
> Christian.
>
>> hw_ip = ring->funcs->type;
>> num_sched = &adev->gpu_sched[hw_ip][hw_prio].num_scheds;
>> adev->gpu_sched[hw_ip][hw_prio].sched[(*num_sched)++] =
>
Re: [PATCH] drm/amdgpu: Fix out-of-bounds write warning
Am 25.04.24 um 12:00 schrieb Ma Jun:
Check the ring type value to fix the out-of-bounds
write warning
Signed-off-by: Ma Jun
---
drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c | 5 +
1 file changed, 5 insertions(+)
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c
b/drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c
index 06f0a6534a94..1e0b5bb47bc9 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c
@@ -353,6 +353,11 @@ int amdgpu_ring_init(struct amdgpu_device *adev, struct
amdgpu_ring *ring,
ring->hw_prio = hw_prio;
if (!ring->no_scheduler) {
+ if (ring->funcs->type >= AMDGPU_HW_IP_NUM) {
+ dev_warn(adev->dev, "ring type %d has no scheduler\n",
ring->funcs->type);
+ return 0;
+ }
+
That check should probably be at the beginning of the function since
trying to initialize a ring with an invalid type should be rejected
immediately.
Regards,
Christian.
hw_ip = ring->funcs->type;
num_sched = &adev->gpu_sched[hw_ip][hw_prio].num_scheds;
adev->gpu_sched[hw_ip][hw_prio].sched[(*num_sched)++] =
Re: [PATCH] drm/amdgpu: fix out of bounds write
On 10/27/21 8:22 AM, Harry Wentland wrote:
On 2021-10-27 10:39, Guenter Roeck wrote:
On Wed, Oct 13, 2021 at 04:04:13PM -0400, Thelford Williams wrote:
Size can be any value and is user controlled resulting in overwriting the
40 byte array wr_buf with an arbitrary length of data from buf.
Signed-off-by: Thelford Williams
Signed-off-by: Alex Deucher
The fix works, but unless I am missing something it is incomplete.
parse_write_buffer_into_params() is called several times, and the
size parameter is always wrong. This patch only fixes one of several
instances of the problem.
Patrik sent a patch that covers all cases:
https://patchwork.freedesktop.org/patch/461554/?series=96341&rev=2
Harry
Thanks!
Guenter
Guenter
---
drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
index 814f67d86a3c..9b3ad56607bb 100644
--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
+++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
@@ -264,7 +264,7 @@ static ssize_t dp_link_settings_write(struct file *f, const
char __user *buf,
if (!wr_buf)
return -ENOSPC;
- if (parse_write_buffer_into_params(wr_buf, size,
+ if (parse_write_buffer_into_params(wr_buf, wr_buf_size,
(long *)param, buf,
max_param_num,
¶m_nums)) {
--
2.33.0
Re: [PATCH] drm/amdgpu: fix out of bounds write
On 2021-10-27 10:39, Guenter Roeck wrote:
> On Wed, Oct 13, 2021 at 04:04:13PM -0400, Thelford Williams wrote:
>> Size can be any value and is user controlled resulting in overwriting the
>> 40 byte array wr_buf with an arbitrary length of data from buf.
>>
>> Signed-off-by: Thelford Williams
>> Signed-off-by: Alex Deucher
>
> The fix works, but unless I am missing something it is incomplete.
> parse_write_buffer_into_params() is called several times, and the
> size parameter is always wrong. This patch only fixes one of several
> instances of the problem.
>
Patrik sent a patch that covers all cases:
https://patchwork.freedesktop.org/patch/461554/?series=96341&rev=2
Harry
> Guenter
>
>> ---
>> drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
>> b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
>> index 814f67d86a3c..9b3ad56607bb 100644
>> --- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
>> +++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
>> @@ -264,7 +264,7 @@ static ssize_t dp_link_settings_write(struct file *f,
>> const char __user *buf,
>> if (!wr_buf)
>> return -ENOSPC;
>>
>> -if (parse_write_buffer_into_params(wr_buf, size,
>> +if (parse_write_buffer_into_params(wr_buf, wr_buf_size,
>> (long *)param, buf,
>> max_param_num,
>> ¶m_nums)) {
>> --
>> 2.33.0
Re: [PATCH] drm/amdgpu: fix out of bounds write
On Wed, Oct 13, 2021 at 04:04:13PM -0400, Thelford Williams wrote:
> Size can be any value and is user controlled resulting in overwriting the
> 40 byte array wr_buf with an arbitrary length of data from buf.
>
> Signed-off-by: Thelford Williams
> Signed-off-by: Alex Deucher
The fix works, but unless I am missing something it is incomplete.
parse_write_buffer_into_params() is called several times, and the
size parameter is always wrong. This patch only fixes one of several
instances of the problem.
Guenter
> ---
> drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
> b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
> index 814f67d86a3c..9b3ad56607bb 100644
> --- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
> +++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
> @@ -264,7 +264,7 @@ static ssize_t dp_link_settings_write(struct file *f,
> const char __user *buf,
> if (!wr_buf)
> return -ENOSPC;
>
> - if (parse_write_buffer_into_params(wr_buf, size,
> + if (parse_write_buffer_into_params(wr_buf, wr_buf_size,
> (long *)param, buf,
> max_param_num,
> ¶m_nums)) {
> --
> 2.33.0
Re: [PATCH] drm/amdgpu: fix out of bounds write
On Wed, Oct 27, 2021 at 12:08 PM Patrik Jakobsson
wrote:
>
> On Wed, Oct 13, 2021 at 10:41 PM Alex Deucher wrote:
> >
> > On Wed, Oct 13, 2021 at 4:04 PM T. Williams wrote:
> > >
> >
> > The description and s-o-b should go here and the patch seems to be
> > mangled. I've manually applied this. Please fix up your mailer in
> > the future.
> >
> > Thanks for the fix.
>
> Hi Thelford and Alex
>
> There are several more instances of size being used instead of
> wr_buf_size in amdgpu_dm_debugfs.c.
>
> IMO the proper fix here would be to revert
> 918698d5c2b50433714d2042f55b55b090faa167
Actually, there's one instance that a revert doesn't cover. Instead I
sent out a patch to fix the remaining ones.
>
> -Patrik
>
> >
> > Alex
> >
> >
> > > ---
> > > drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c | 2 +-
> > > 1 file changed, 1 insertion(+), 1 deletion(-)
> > >
> > > diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
> > > b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
> > > index 87daa78a32b8..17f2756a64dc 100644
> > > --- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
> > > +++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
> > > @@ -263,7 +263,7 @@ static ssize_t dp_link_settings_write(struct file *f,
> > > const char __user *buf,
> > > if (!wr_buf)
> > > return -ENOSPC;
> > >
> > > - if (parse_write_buffer_into_params(wr_buf, size,
> > > + if (parse_write_buffer_into_params(wr_buf, wr_buf_size,
> > >(long *)param, buf,
> > >max_param_num,
> > >¶m_nums)) {
> > > --
> > >
> > > Size can be any value and is user controlled resulting in overwriting the
> > > 40 byte array wr_buf with an arbitrary length of data from buf.
> > >
> > > Signed-off-by: Thelford Williams
Re: [PATCH] drm/amdgpu: fix out of bounds write
On Wed, Oct 13, 2021 at 10:41 PM Alex Deucher wrote:
>
> On Wed, Oct 13, 2021 at 4:04 PM T. Williams wrote:
> >
>
> The description and s-o-b should go here and the patch seems to be
> mangled. I've manually applied this. Please fix up your mailer in
> the future.
>
> Thanks for the fix.
Hi Thelford and Alex
There are several more instances of size being used instead of
wr_buf_size in amdgpu_dm_debugfs.c.
IMO the proper fix here would be to revert
918698d5c2b50433714d2042f55b55b090faa167
-Patrik
>
> Alex
>
>
> > ---
> > drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
> > b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
> > index 87daa78a32b8..17f2756a64dc 100644
> > --- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
> > +++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
> > @@ -263,7 +263,7 @@ static ssize_t dp_link_settings_write(struct file *f,
> > const char __user *buf,
> > if (!wr_buf)
> > return -ENOSPC;
> >
> > - if (parse_write_buffer_into_params(wr_buf, size,
> > + if (parse_write_buffer_into_params(wr_buf, wr_buf_size,
> >(long *)param, buf,
> >max_param_num,
> >¶m_nums)) {
> > --
> >
> > Size can be any value and is user controlled resulting in overwriting the
> > 40 byte array wr_buf with an arbitrary length of data from buf.
> >
> > Signed-off-by: Thelford Williams
Re: [PATCH] drm/amdgpu: fix out of bounds write
On Wed, Oct 13, 2021 at 4:04 PM T. Williams wrote:
>
The description and s-o-b should go here and the patch seems to be
mangled. I've manually applied this. Please fix up your mailer in
the future.
Thanks for the fix.
Alex
> ---
> drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
> b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
> index 87daa78a32b8..17f2756a64dc 100644
> --- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
> +++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
> @@ -263,7 +263,7 @@ static ssize_t dp_link_settings_write(struct file *f,
> const char __user *buf,
> if (!wr_buf)
> return -ENOSPC;
>
> - if (parse_write_buffer_into_params(wr_buf, size,
> + if (parse_write_buffer_into_params(wr_buf, wr_buf_size,
>(long *)param, buf,
>max_param_num,
>¶m_nums)) {
> --
>
> Size can be any value and is user controlled resulting in overwriting the 40
> byte array wr_buf with an arbitrary length of data from buf.
>
> Signed-off-by: Thelford Williams
