drm/amdgpu: don't access invalid sched · tjh.dev/kernel@2ae520c

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

drm/amdgpu: don't access invalid sched

Since 2320c9e6a768 ("drm/sched: memset() 'job' in drm_sched_job_init()")
accessing job->base.sched can produce unexpected results as the initialisation
of (*job)->base.sched done in amdgpu_job_alloc is overwritten by the
memset.

This commit fixes an issue when a CS would fail validation and would
be rejected after job->num_ibs is incremented. In this case,
amdgpu_ib_free(ring->adev, ...) will be called, which would crash the
machine because the ring value is bogus.

To fix this, pass a NULL pointer to amdgpu_ib_free(): we can do this
because the device is actually not used in this function.

The next commit will remove the ring argument completely.

Fixes: 2320c9e6a768 ("drm/sched: memset() 'job' in drm_sched_job_init()")
Signed-off-by: Pierre-Eric Pelloux-Prayer <pierre-eric.pelloux-prayer@amd.com>
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>

authored by

Pierre-Eric Pelloux-Prayer and committed by

Alex Deucher 1 year ago 2ae520cb 6f685a81

+1 -2

1 changed file

expand all

drivers

gpu

drm

amd

amdgpu

amdgpu_job.c

+1 -2

drivers/gpu/drm/amd/amdgpu/amdgpu_job.c

··· 255 255 256 256 void amdgpu_job_free_resources(struct amdgpu_job *job) 257 257 { 258 - struct amdgpu_ring *ring = to_amdgpu_ring(job->base.sched); 259 258 struct dma_fence *f; 260 259 unsigned i; 261 260 ··· 267 268 f = NULL; 268 269 269 270 for (i = 0; i < job->num_ibs; ++i) 270 - amdgpu_ib_free(ring->adev, &job->ibs[i], f); 271 + amdgpu_ib_free(NULL, &job->ibs[i], f); 271 272 } 272 273 273 274 static void amdgpu_job_free_cb(struct drm_sched_job *s_job)