* Re: [PATCH] drm/sched: fix NULL deref when logging missing entity runqueue
2026-06-03 2:56 [PATCH] drm/sched: fix NULL deref when logging missing entity runqueue Candice Li
@ 2026-06-03 5:58 ` Tvrtko Ursulin
2026-06-03 7:00 ` Christian König
` (2 subsequent siblings)
3 siblings, 0 replies; 7+ messages in thread
From: Tvrtko Ursulin @ 2026-06-03 5:58 UTC (permalink / raw)
To: Candice Li, dri-devel; +Cc: Alexander Deucher, Christian Koenig, Hawking Zhang
On 03/06/2026 03:56, Candice Li wrote:
> job->sched is not initialized until drm_sched_job_arm(), so use
> pr_err() instead of dev_err(job->sched->dev, ...) when entity->rq
> is NULL.
>
> Signed-off-by: Candice Li <candice.li@amd.com>
> ---
> drivers/gpu/drm/scheduler/sched_main.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/gpu/drm/scheduler/sched_main.c b/drivers/gpu/drm/scheduler/sched_main.c
> index bd7936c03da2aa..d21eada76cedf1 100644
> --- a/drivers/gpu/drm/scheduler/sched_main.c
> +++ b/drivers/gpu/drm/scheduler/sched_main.c
> @@ -806,7 +806,7 @@ int drm_sched_job_init(struct drm_sched_job *job,
> * or worse--a blank screen--leave a trail in the
> * logs, so this can be debugged easier.
> */
> - dev_err(job->sched->dev, "%s: entity has no rq!\n", __func__);
> + pr_err("*ERROR* %s: entity has no rq!\n", __func__);
> return -ENOENT;
> }
>
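Review bot: The literal "*ERROR*" at the start of the new pr_err() format string repeats what the error log level already conveys; drop it so the line reads pr_err("%s: entity has no rq!\n", __func__). The switch from dev_err() to pr_err() also loses the device prefix, so on a machine with more than one GPU the message no longer says which device hit the missing runqueue. Since job->sched cannot be used at this point, consider a fixed subsystem prefix in the string so the trail that the comment above asks for stays easy to find in the logs.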
Even better, entity->rq cannot be NULL:
https://lore.kernel.org/dri-devel/20260602153339.43453-1-tvrtko.ursulin@igalia.com/T/#u
Regards,
Tvrtko
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] drm/sched: fix NULL deref when logging missing entity runqueue
2026-06-03 2:56 [PATCH] drm/sched: fix NULL deref when logging missing entity runqueue Candice Li
2026-06-03 5:58 ` Tvrtko Ursulin
@ 2026-06-03 7:00 ` Christian König
2026-06-03 7:06 ` Philipp Stanner
2026-06-04 1:58 ` Claude review: " Claude Code Review Bot
2026-06-04 1:58 ` Claude Code Review Bot
3 siblings, 1 reply; 7+ messages in thread
From: Christian König @ 2026-06-03 7:00 UTC (permalink / raw)
To: Candice Li, dri-devel, Philipp Stanner; +Cc: Alexander Deucher, Hawking Zhang
On 6/3/26 04:56, Candice Li wrote:
> job->sched is not initialized until drm_sched_job_arm(), so use
> pr_err() instead of dev_err(job->sched->dev, ...) when entity->rq
> is NULL.
You need to CC the designated maintainer on stuff like that! Please use get_maintainer.pl script.
Regards,
Christian.
>
> Signed-off-by: Candice Li <candice.li@amd.com>
> ---
> drivers/gpu/drm/scheduler/sched_main.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/gpu/drm/scheduler/sched_main.c b/drivers/gpu/drm/scheduler/sched_main.c
> index bd7936c03da2aa..d21eada76cedf1 100644
> --- a/drivers/gpu/drm/scheduler/sched_main.c
> +++ b/drivers/gpu/drm/scheduler/sched_main.c
> @@ -806,7 +806,7 @@ int drm_sched_job_init(struct drm_sched_job *job,
> * or worse--a blank screen--leave a trail in the
> * logs, so this can be debugged easier.
> */
> - dev_err(job->sched->dev, "%s: entity has no rq!\n", __func__);
> + pr_err("*ERROR* %s: entity has no rq!\n", __func__);
> return -ENOENT;
> }
>
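Review bot: The removed dev_err() line read job->sched->dev on a path where, per the changelog, job->sched is not set until drm_sched_job_arm(), so this is a crash fix and the changelog should say which commit introduced that call. It currently carries only a Signed-off-by; add a Fixes: tag naming the commit that introduced the dev_err(job->sched->dev, ...) call so the change can be picked up for backports.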
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] drm/sched: fix NULL deref when logging missing entity runqueue
2026-06-03 7:00 ` Christian König
@ 2026-06-03 7:06 ` Philipp Stanner
2026-06-03 7:10 ` Philipp Stanner
0 siblings, 1 reply; 7+ messages in thread
From: Philipp Stanner @ 2026-06-03 7:06 UTC (permalink / raw)
To: Christian König, Candice Li, dri-devel, Philipp Stanner
Cc: Alexander Deucher, Hawking Zhang
On Wed, 2026-06-03 at 09:00 +0200, Christian König wrote:
> On 6/3/26 04:56, Candice Li wrote:
> > job->sched is not initialized until drm_sched_job_arm(), so use
> > pr_err() instead of dev_err(job->sched->dev, ...) when entity->rq
> > is NULL.
>
> You need to CC the designated maintainer on stuff like that! Please use get_maintainer.pl script.
Thx, Christian
>
> Regards,
> Christian.
>
> >
> > Signed-off-by: Candice Li <candice.li@amd.com>
> > ---
> > drivers/gpu/drm/scheduler/sched_main.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/drivers/gpu/drm/scheduler/sched_main.c b/drivers/gpu/drm/scheduler/sched_main.c
> > index bd7936c03da2aa..d21eada76cedf1 100644
> > --- a/drivers/gpu/drm/scheduler/sched_main.c
> > +++ b/drivers/gpu/drm/scheduler/sched_main.c
> > @@ -806,7 +806,7 @@ int drm_sched_job_init(struct drm_sched_job *job,
> > * or worse--a blank screen--leave a trail in the
> > * logs, so this can be debugged easier.
> > */
> > - dev_err(job->sched->dev, "%s: entity has no rq!\n", __func__);
> > + pr_err("*ERROR* %s: entity has no rq!\n", __func__);
I think while at it you want to remove '*ERROR*' – the pr_err etc.
markers contain the qualifiers like _err, _warn etc. so that the level
is already included for free.
Regards
P.
> > return -ENOENT;
> > }
> >
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] drm/sched: fix NULL deref when logging missing entity runqueue
2026-06-03 7:06 ` Philipp Stanner
@ 2026-06-03 7:10 ` Philipp Stanner
0 siblings, 0 replies; 7+ messages in thread
From: Philipp Stanner @ 2026-06-03 7:10 UTC (permalink / raw)
To: phasta, Christian König, Candice Li, dri-devel
Cc: Alexander Deucher, Hawking Zhang, Tvrtko Ursulin
+Cc Tvrtko
On Wed, 2026-06-03 at 09:06 +0200, Philipp Stanner wrote:
> On Wed, 2026-06-03 at 09:00 +0200, Christian König wrote:
> > On 6/3/26 04:56, Candice Li wrote:
> > > job->sched is not initialized until drm_sched_job_arm(), so use
> > > pr_err() instead of dev_err(job->sched->dev, ...) when entity->rq
> > > is NULL.
> >
> > You need to CC the designated maintainer on stuff like that! Please use get_maintainer.pl script.
>
> Thx, Christian
>
> >
> > Regards,
> > Christian.
> >
> > >
> > > Signed-off-by: Candice Li <candice.li@amd.com>
> > > ---
> > > drivers/gpu/drm/scheduler/sched_main.c | 2 +-
> > > 1 file changed, 1 insertion(+), 1 deletion(-)
> > >
> > > diff --git a/drivers/gpu/drm/scheduler/sched_main.c b/drivers/gpu/drm/scheduler/sched_main.c
> > > index bd7936c03da2aa..d21eada76cedf1 100644
> > > --- a/drivers/gpu/drm/scheduler/sched_main.c
> > > +++ b/drivers/gpu/drm/scheduler/sched_main.c
> > > @@ -806,7 +806,7 @@ int drm_sched_job_init(struct drm_sched_job *job,
> > > * or worse--a blank screen--leave a trail in the
> > > * logs, so this can be debugged easier.
> > > */
> > > - dev_err(job->sched->dev, "%s: entity has no rq!\n", __func__);
> > > + pr_err("*ERROR* %s: entity has no rq!\n", __func__);
>
> I think while at it you want to remove '*ERROR*' – the pr_err etc.
> markers contain the qualifiers like _err, _warn etc. so that the level
> is already included for free.
OK, I couldn't see that Tvrtko already jumped in because of his other
patch.
https://lore.kernel.org/dri-devel/20260602153339.43453-1-tvrtko.ursulin@igalia.com/T/#u
I think Tvrtko's patch looks not very controversial and allows us to
get rid of that code, so let's opt for that.
Thx
P.
>
> Regards
> P.
>
> > > return -ENOENT;
> > > }
> > >
^ permalink raw reply [flat|nested] 7+ messages in thread
* Claude review: drm/sched: fix NULL deref when logging missing entity runqueue
2026-06-03 2:56 [PATCH] drm/sched: fix NULL deref when logging missing entity runqueue Candice Li
2026-06-03 5:58 ` Tvrtko Ursulin
2026-06-03 7:00 ` Christian König
@ 2026-06-04 1:58 ` Claude Code Review Bot
2026-06-04 1:58 ` Claude Code Review Bot
3 siblings, 0 replies; 7+ messages in thread
From: Claude Code Review Bot @ 2026-06-04 1:58 UTC (permalink / raw)
To: dri-devel-reviews
Overall Series Review
Subject: drm/sched: fix NULL deref when logging missing entity runqueue
Author: Candice Li <candice.li@amd.com>
Patches: 5
Reviewed: 2026-06-04T11:58:59.136755
---
This is a single-patch fix for a real NULL pointer dereference in `drm_sched_job_init()`. The analysis is correct: `job->sched` is not initialized until `drm_sched_job_arm()` (line 653), and furthermore `drm_sched_job_init()` itself `memset(job, 0, ...)` at line 611 — but that memset happens *after* the `entity->rq` check, so at the point of the `dev_err()` call, `job->sched` is whatever garbage the caller passed in (uninitialized memory). Dereferencing `job->sched->dev` is a guaranteed NULL or wild-pointer dereference.
The fix is correct in substance. One minor style concern below.
**Verdict: The fix is correct and should be applied, with a minor nit on the log format.**
---
Generated by Claude Code Patch Reviewer
^ permalink raw reply [flat|nested] 7+ messages in thread
* Claude review: drm/sched: fix NULL deref when logging missing entity runqueue
2026-06-03 2:56 [PATCH] drm/sched: fix NULL deref when logging missing entity runqueue Candice Li
` (2 preceding siblings ...)
2026-06-04 1:58 ` Claude review: " Claude Code Review Bot
@ 2026-06-04 1:58 ` Claude Code Review Bot
3 siblings, 0 replies; 7+ messages in thread
From: Claude Code Review Bot @ 2026-06-04 1:58 UTC (permalink / raw)
To: dri-devel-reviews
Patch Review
**Bug analysis — correct:**
The commit message accurately describes the problem. In `drm_sched_job_init()`, when `entity->rq` is NULL (line 591), the code immediately tries:
```c
dev_err(job->sched->dev, "%s: entity has no rq!\n", __func__);
```
At this point `job->sched` has not been set — `job->sched` is assigned only in `drm_sched_job_arm()` (line 653). Since the function hasn't even reached the `memset(job, 0, sizeof(*job))` on line 611 yet, `job->sched` is whatever was in the caller's memory, making this a NULL or wild-pointer dereference.
**Fix — correct but has a style nit:**
```c
pr_err("*ERROR* %s: entity has no rq!\n", __func__);
```
Switching from `dev_err()` to `pr_err()` is the right approach since there's no valid device pointer available at this point.
**Nit:** The `*ERROR*` prefix is inconsistent with kernel logging conventions. `pr_err()` already logs at error level and the kernel adds the appropriate severity marker. The existing `*ERROR*` prefix on the credits check at line 601 is pre-existing code, but propagating the pattern isn't ideal. A simple `pr_err("%s: entity has no rq!\n", __func__)` or `pr_err("drm_sched: entity has no rq!\n")` would be cleaner. That said, matching the existing pattern on line 601 is defensible for consistency within this function.
**Missing Fixes tag:** Given this is a real NULL-deref crash fix, the patch should carry a `Fixes:` tag pointing to the commit that introduced the `dev_err()` call with `job->sched->dev`. This helps stable-kernel backport processes.
**Overall:** The fix is correct, minimal, and addresses a real crash. Recommend adding the `Fixes:` tag and optionally dropping the `*ERROR*` prefix.
---
Generated by Claude Code Patch Reviewer
^ permalink raw reply [flat|nested] 7+ messages in thread