kernel/linux.git/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c, branch v7.1 Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v7.1 2026-06-03T18:54:28+00:00 drm/amdkfd: fix NULL dereference in get_queue_ids() 2026-06-03T18:54:28+00:00 Muhammad Bilal meatuni001@gmail.com 2026-05-23T16:56:46+00:00 urn:sha1:2bd550b547deabef98bd3b017ff743b7c34d3a6d When usr_queue_id_array is NULL and num_queues is non-zero, get_queue_ids() returns NULL. The callers check only IS_ERR() on the return value; since IS_ERR(NULL) == false the check passes, and suspend_queues() calls q_array_invalidate() which immediately dereferences NULL while iterating num_queues times. Userspace can trigger this via kfd_ioctl_set_debug_trap() by supplying num_queues > 0 with a zero queue_array_ptr, causing a kernel panic. A NULL usr_queue_id_array with num_queues == 0 is a legitimate no-op (q_array_invalidate never executes, and resume_queues already guards all queue_ids dereferences behind a NULL check). Return ERR_PTR(-EINVAL) only when num_queues is non-zero and the pointer is absent; both callers already propagate IS_ERR() returns correctly to userspace. Fixes: a70a93fa568b ("drm/amdkfd: add debug suspend and resume process queues operation") Signed-off-by: Muhammad Bilal <meatuni001@gmail.com> Signed-off-by: Alex Deucher <alexander.deucher@amd.com> (cherry picked from commit f165a82cdf503884bb1797771c61b2fcc72113d4) Cc: stable@vger.kernel.org drm/amdkfd: fix UAF race in destroy_queue_cpsch 2026-06-03T18:46:55+00:00 Alysa Liu Alysa.Liu@amd.com 2026-05-27T15:31:35+00:00 urn:sha1:181eda5549c5d9fad3fdb88b050fbf0844d884f8 wait_on_destroy_queue() drops locks to wait for queue resume, allowing a concurrent destroy to free the queue. Use is_being_destroyed flag to serialize destruction. Reviewed-by: Amir Shetaia <Amir.Shetaia@amd.com> Signed-off-by: Alysa Liu <Alysa.Liu@amd.com> Signed-off-by: Alex Deucher <alexander.deucher@amd.com> (cherry picked from commit ac081deaf16a639ea7dff2f285fe421a33c1ade0) drm/amdkfd: fix a vulnerability of integer overflow in kfd debugger 2026-05-27T16:01:13+00:00 Eric Huang jinhuieric.huang@amd.com 2026-05-12T14:19:52+00:00 urn:sha1:93f5534b35a05ef8a0109c1eefa800062fee810a get_queue_ids() computes array_size = num_queues * sizeof(uint32_t), which could overflow on 32-bit size_t build. using array_size() instead, it saturates to SIZE_MAX on overflow. Signed-off-by: Eric Huang <jinhuieric.huang@amd.com> Acked-by: Alex Deucher <alexander.deucher@amd.com> Signed-off-by: Alex Deucher <alexander.deucher@amd.com> (cherry picked from commit 2d57a0475f085c08b49312dfd8edcb461845f285) Cc: stable@vger.kernel.org drm/amdkfd: Check bounds for allocate_sdma_queue restore_sdma_id 2026-05-19T16:11:43+00:00 David Francis David.Francis@amd.com 2026-05-12T19:18:18+00:00 urn:sha1:6dc2c49a705195c89b09b134d0bc4dc5e42d1fea allocate_sdma_queue has an option where the sdma queue id can be specified (used by CRIU). We weren't bounds-checking that value. Confirm it's less than the maximum number of queues. Signed-off-by: David Francis <David.Francis@amd.com> Reviewed-by: Harish Kasiviswanathan <Harish.Kasiviswanathan@amd.com> Signed-off-by: Alex Deucher <alexander.deucher@amd.com> (cherry picked from commit bfe9a7545b2a7be1c543f1741e16f2d5ec4116ae) drm/amdkfd: Check bounds on allocate_doorbell 2026-05-19T16:11:26+00:00 David Francis David.Francis@amd.com 2026-05-12T19:15:33+00:00 urn:sha1:a1d4b228e3dc5134c4bd06e55e81dbb604c8cadb allocated_doorbell has an option to set the doorbell id to a specific value (used by CRIU). This value was not bounds checked. Check to confirm it's less than KFD_MAX_NUM_OF_QUEUES_PER_PROCESS. Signed-off-by: David Francis <David.Francis@amd.com> Reviewed-by: Harish Kasiviswanathan <Harish.Kasiviswanathan@amd.com> Signed-off-by: Alex Deucher <alexander.deucher@amd.com> (cherry picked from commit 1f087bb8cf9e8797633da35c85435e557ef74d06) drm/amdkfd: Make all TLB-flushes heavy-weight 2026-05-05T14:13:54+00:00 Felix Kuehling felix.kuehling@amd.com 2026-04-20T15:55:57+00:00 urn:sha1:9b4e3495d1bd2469bf94b74930c153c2d534ddb7 With only one sequence number we cannot track the need for legacy vs heavy-weight flushes reliably. Always use heavy-weight. Signed-off-by: Felix Kuehling <felix.kuehling@amd.com> Reviewed-by: Philip Yang <philip.yang@amd.com> Signed-off-by: Alex Deucher <alexander.deucher@amd.com> (cherry picked from commit c1a3ff1d327820cd9a52bc1056b98681fc088949) Cc: stable@vger.kernel.org drm/amdgpu: Check for multiplication overflow in checkpoint stack size 2026-03-06T21:33:59+00:00 David Francis David.Francis@amd.com 2026-01-16T15:21:15+00:00 urn:sha1:421c0f19043337a553e802b2dfe4b56d538ef4d6 get_checkpoint_info() in kfd_mqd_manager_v9.c finds 32-bit value ctl_stack_size by multiplying two 32-bit values. This can overflow to a lower value, which could result in copying outside the bounds of a buffer in checkpoint_mqd() in the same file. Put in a check for the overflow, and fail with -EINVAL if detected. v2: use check_mul_overflow() Signed-off-by: David Francis <David.Francis@amd.com> Reviewed-by: Alex Deucher <alexander.deucher@amd.com> Signed-off-by: Alex Deucher <alexander.deucher@amd.com> Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-22T01:09:51+00:00 Linus Torvalds torvalds@linux-foundation.org 2026-02-22T00:37:42+00:00 urn:sha1:bf4afc53b77aeaa48b5409da5c8da6bb4eff7f43 This was done entirely with mindless brute force, using git grep -l '\<k[vmz]*alloc_objs*(.*, GFP_KERNEL)' | xargs sed -i 's/\(alloc_objs*(.*\), GFP_KERNEL)/\1)/' to convert the new alloc_obj() users that had a simple GFP_KERNEL argument to just drop that argument. Note that due to the extreme simplicity of the scripting, any slightly more complex cases spread over multiple lines would not be triggered: they definitely exist, but this covers the vast bulk of the cases, and the resulting diff is also then easier to check automatically. For the same reason the 'flex' versions will be done as a separate conversion. Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> treewide: Replace kmalloc with kmalloc_obj for non-scalar types 2026-02-21T09:02:28+00:00 Kees Cook kees@kernel.org 2026-02-21T07:49:23+00:00 urn:sha1:69050f8d6d075dc01af7a5f2f550a8067510366f This is the result of running the Coccinelle script from scripts/coccinelle/api/kmalloc_objs.cocci. The script is designed to avoid scalar types (which need careful case-by-case checking), and instead replace kmalloc-family calls that allocate struct or union object instances: Single allocations: kmalloc(sizeof(TYPE), ...) are replaced with: kmalloc_obj(TYPE, ...) Array allocations: kmalloc_array(COUNT, sizeof(TYPE), ...) are replaced with: kmalloc_objs(TYPE, COUNT, ...) Flex array allocations: kmalloc(struct_size(PTR, FAM, COUNT), ...) are replaced with: kmalloc_flex(*PTR, FAM, COUNT, ...) (where TYPE may also be *VAR) The resulting allocations no longer return "void *", instead returning "TYPE *". Signed-off-by: Kees Cook <kees@kernel.org> drm/amdkfd: Adjust parameter of allocate_mqd 2026-01-29T17:26:58+00:00 Lang Yu lang.yu@amd.com 2026-01-26T08:57:01+00:00 urn:sha1:3aca6f835ba1635e49d9b76d2102b218643d276e Make allocate_mqd consistent with other callbacks. Prepare for next patch to use mqd_manager->mqd_size. Signed-off-by: Lang Yu <lang.yu@amd.com> Reviewed-by: David Belanger <david.belanger@amd.com> Reviewed-by: Hawking Zhang <Hawking.Zhang@amd.com> Reviewed-by: Mukul Joshi <mukul.joshi@amd.com> Signed-off-by: Alex Deucher <alexander.deucher@amd.com>