CVE-2023-52738
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu/fence: Fix oops due to non-matching drm_sched init/fini
Currently amdgpu calls drm_sched_fini() from the fence driver sw fini routine - such function is expected to be called only after the respective init function - drm_sched_init() - was executed successfully.
Happens that we faced a driver probe failure in the Steam Deck recently, and the function drm_sched_fini() was called even without its counter-part had been previously called, causing the following oops:
amdgpu: probe of 0000:04:00.0 failed with error -110 BUG: kernel NULL pointer dereference, address: 0000000000000090 PGD 0 P4D 0 Oops: 0002 [#1] PREEMPT SMP NOPTI CPU: 0 PID: 609 Comm: systemd-udevd Not tainted 6.2.0-rc3-gpiccoli #338 Hardware name: Valve Jupiter/Jupiter, BIOS F7A0113 11/04/2022 RIP: 0010:drm_sched_fini+0x84/0xa0 [gpu_sched] […] Call Trace: <TASK> amdgpu_fence_driver_sw_fini+0xc8/0xd0 [amdgpu] amdgpu_device_fini_sw+0x2b/0x3b0 [amdgpu] amdgpu_driver_release_kms+0x16/0x30 [amdgpu] devm_drm_dev_init_release+0x49/0x70 […]
To prevent that, check if the drm_sched was properly initialized for a given ring before calling its fini counter-part.
Notice ideally we'd use sched.ready for that; such field is set as the latest thing on drm_sched_init(). But amdgpu seems to "override" the meaning of such field - in the above oops for example, it was a GFX ring causing the crash, and the sched.ready field was set to true in the ring init routine, regardless of the state of the DRM scheduler. Hence, we ended-up using sched.ops as per Christian's suggestion [0], and also removed the no_scheduler check [1].
[0] https://lore.kernel.org/amd-gfx/984ee981-2906-0eaf-ccec-9f80975cb136@amd.com/ [1] https://lore.kernel.org/amd-gfx/cd0e2994-f85f-d837-609f-7056d5fb7231@amd.com/
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | 067f44c8b4590c3f24d21a037578a478590f2175 < 2e557c8ca2c585bdef591b8503ba83b85f5d0afd | affected |
| Linux | Linux | 067f44c8b4590c3f24d21a037578a478590f2175 < 2bcbbef9cace772f5b7128b11401c515982de34b | affected |
| Linux | Linux | 067f44c8b4590c3f24d21a037578a478590f2175 < 5ad7bbf3dba5c4a684338df1f285080f2588b535 | affected |
| Linux | Linux | 8ba968ae672b3075794c8086aa164595b0175abe | affected |
| Linux | Linux | 5.14.10 < 5.15 | affected |
| Linux | Linux | 5.15 | affected |
| Linux | Linux | 0 < 5.15 | unaffected |
| Linux | Linux | 5.15.94 <= 5.15.* | unaffected |
| Linux | Linux | 6.1.12 <= 6.1.* | unaffected |
| Linux | Linux | 6.2 <= * | unaffected |
Weaknesses
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
CVE Program Container
Additional References
- https://git.kernel.org/stable/c/2e557c8ca2c585bdef591b8503ba83b85f5d0afd
- https://git.kernel.org/stable/c/2bcbbef9cace772f5b7128b11401c515982de34b
- https://git.kernel.org/stable/c/5ad7bbf3dba5c4a684338df1f285080f2588b535
References
- https://git.kernel.org/stable/c/2e557c8ca2c585bdef591b8503ba83b85f5d0afd
- https://git.kernel.org/stable/c/2bcbbef9cace772f5b7128b11401c515982de34b
- https://git.kernel.org/stable/c/5ad7bbf3dba5c4a684338df1f285080f2588b535
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.