From: Muhammad Bilal
To: Felix.Kuehling@amd.com
Cc: alexander.deucher@amd.com, christian.koenig@amd.com, airlied@gmail.com, simona@ffwll.ch, amd-gfx@lists.freedesktop.org, dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org, Muhammad Bilal
Subject: [PATCH] drm/amdkfd: fix NULL dereference in get_queue_ids()
Date: Sat, 23 May 2026 16:56:46 +0000
Message-ID: <20260523165646.25645-1-meatuni001@gmail.com>
X-Mailer: git-send-email 2.53.0
In-Reply-To: <20260523142645.39102-1-meatuni001@gmail.com>
References: <20260523142645.39102-1-meatuni001@gmail.com>

When usr_queue_id_array is NULL and num_queues is non-zero, get_queue_ids() returns NULL. The callers check only IS_ERR() on the return value; since IS_ERR(NULL) == false the check passes, and suspend_queues() calls q_array_invalidate() which immediately dereferences NULL while iterating num_queues times.

Userspace can trigger this via kfd_ioctl_set_debug_trap() by supplying num_queues > 0 with a zero queue_array_ptr, causing a kernel panic.

A NULL usr_queue_id_array with num_queues == 0 is a legitimate no-op (q_array_invalidate never executes, and resume_queues already guards all queue_ids dereferences behind a NULL check).

Return ERR_PTR(-EINVAL) only when num_queues is non-zero and the pointer is absent; both callers already propagate IS_ERR() returns correctly to userspace.

Fixes: a70a93fa568b ("drm/amdkfd: add debug suspend and resume process queues operation")
Cc: stable@vger.kernel.org
Signed-off-by: Muhammad Bilal
---
 drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c b/driver= s/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c index c08ad718dbd7..8488b3a6c2ba 100644 --- a/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c +++ b/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c @@ -3312,7 +3312,7 @@ static uint32_t *get_queue_ids(uint32_t num_queues, u= int32_t *usr_queue_id_array size_t array_size; =20 if (!usr_queue_id_array) - return NULL; + return num_queues ? ERR_PTR(-EINVAL) : NULL; =20 if (check_mul_overflow((size_t)num_queues, sizeof(uint32_t), &array_size)) return ERR_PTR(-EINVAL); --=20 2.53.0
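
Review bot: In the `if (!usr_queue_id_array)` branch, the new ternary leaves get_queue_ids() with three distinct results (NULL for an empty request, ERR_PTR(-EINVAL), or an array), and nothing in the code says that NULL is a deliberate no-op rather than a failure. A one-line comment above the return, or an explicit `if (num_queues) return ERR_PTR(-EINVAL);` followed by `return NULL;`, would keep a future caller from assuming that IS_ERR() alone covers every failure, which is the mistake the commit message describes. The opposite combination, a non-NULL usr_queue_id_array with num_queues == 0, still falls through to check_mul_overflow() with array_size 0; it is worth confirming that the code after this hunk handles a zero-length request consistently with the NULL case.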
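
The return contract the commit message describes, as an added user-space model (not the kernel's code and not part of the patch). The macros follow the kernel's ERR_PTR()/IS_ERR() pointer encoding; `model_get_queue_ids`, `model_caller`, the `patched` flag and the `outcome` enum are hypothetical names, and the copy from user memory is left out.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* User-space stand-ins for the kernel's err.h helpers: the top
 * MAX_ERRNO addresses are reserved for encoded error values. */
#define MAX_ERRNO 4095
#define ERR_PTR(e) ((void *)(intptr_t)(e))
#define IS_ERR(p)  ((uintptr_t)(p) >= (uintptr_t)-MAX_ERRNO)

enum outcome { REJECTED, NOOP, WOULD_DEREF_NULL, PROCESSED };

/* Models only the early return. Assumption: the user-memory copy is
 * replaced by handing the caller's array straight back. */
static uint32_t *model_get_queue_ids(uint32_t num_queues, uint32_t *usr, int patched)
{
	if (!usr)
		return (patched && num_queues) ? ERR_PTR(-EINVAL) : NULL;
	return usr;
}

/* Models a caller that checks IS_ERR() only and then walks the array
 * num_queues times. It classifies the access instead of performing it. */
static enum outcome model_caller(uint32_t num_queues, uint32_t *usr, int patched)
{
	uint32_t *ids = model_get_queue_ids(num_queues, usr, patched);

	if (IS_ERR(ids))
		return REJECTED;          /* error propagated to userspace */
	if (!num_queues)
		return NOOP;              /* loop body never runs */
	return ids ? PROCESSED : WOULD_DEREF_NULL;
}

int main(void)
{
	static const char *names[] = { "rejected", "no-op", "NULL deref", "processed" };
	uint32_t ids[2] = { 1, 2 };   /* constructed sample queue ids */

	printf("before fix, NULL array, 2 queues: %s\n", names[model_caller(2, NULL, 0)]);
	printf("after fix,  NULL array, 2 queues: %s\n", names[model_caller(2, NULL, 1)]);
	printf("after fix,  NULL array, 0 queues: %s\n", names[model_caller(0, NULL, 1)]);
	printf("after fix,  real array, 2 queues: %s\n", names[model_caller(2, ids, 1)]);
	return 0;
}
```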