| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <153580517420.12034.2035309606925619207@skylake-alporthouse-com>
Date: Sat, 01 Sep 2018 13:32:54 +0100
From: Chris Wilson <chris@...is-wilson.co.uk>
To: Jia-Ju Bai <baijiaju1990@...il.com>, airlied@...ux.ie,
gustavo@...ovan.org, maarten.lankhorst@...ux.intel.com,
seanpaul@...omium.org
Cc: dri-devel@...ts.freedesktop.org, linux-kernel@...r.kernel.org,
Jia-Ju Bai <baijiaju1990@...il.com>
Subject: Re: [PATCH] gpu: drm: drm_mm: Fix a sleep-in-atomic-context bug in
show_leaks()
Quoting Jia-Ju Bai (2018-09-01 13:20:41)
> The driver may sleep with holding a spinlock.
>
> The function call paths (from bottom to top) in Linux-4.16 are:
>
> [FUNC] kmalloc(GFP_KERNEL)
> drivers/gpu/drm/drm_mm.c, 130:
> kmalloc in show_leaks
> drivers/gpu/drm/drm_mm.c, 913:
> show_leaks in drm_mm_takedown
> drivers/gpu/drm/drm_vma_manager.c, 107:
> drm_mm_takedown in drm_vma_offset_manager_destroy
> drivers/gpu/drm/drm_vma_manager.c, 106:
> _raw_write_lock in drm_vma_offset_manager_destroy
>
> [FUNC] kmalloc(GFP_KERNEL)
> drivers/gpu/drm/drm_mm.c, 130:
> kmalloc in show_leaks
> drivers/gpu/drm/drm_mm.c, 913:
> show_leaks in drm_mm_takedown
> drivers/gpu/drm/amd/amdgpu/amdgpu_vram_mgr.c, 71:
> drm_mm_takedown in amdgpu_vram_mgr_fini
> drivers/gpu/drm/amd/amdgpu/amdgpu_vram_mgr.c, 70:
> spin_lock in amdgpu_vram_mgr_fini
>
> [FUNC] kmalloc(GFP_KERNEL)
> drivers/gpu/drm/drm_mm.c, 130:
> kmalloc in show_leaks
> drivers/gpu/drm/drm_mm.c, 913:
> show_leaks in drm_mm_takedown
> drivers/gpu/drm/ttm/ttm_bo_manager.c, 128:
> drm_mm_takedown in ttm_bo_man_takedown
> drivers/gpu/drm/ttm/ttm_bo_manager.c, 126:
> spin_lock in ttm_bo_man_takedown
>
> To fix this bug, GFP_KERNEL is replaced with GFP_ATOMIC.
The bug are above, since those spinlocks do not protect the data and
imply use-after-free.
-Chris
Powered by blists - more mailing lists