Date: Sat, 01 Sep 2018 13:32:54 +0100
From: Chris Wilson <chris@...is-wilson.co.uk>
To: Jia-Ju Bai <baijiaju1990@...il.com>, airlied@...ux.ie, gustavo@...ovan.org, maarten.lankhorst@...ux.intel.com, seanpaul@...omium.org
Cc: dri-devel@...ts.freedesktop.org, linux-kernel@...r.kernel.org, Jia-Ju Bai <baijiaju1990@...il.com>
Subject: Re: [PATCH] gpu: drm: drm_mm: Fix a sleep-in-atomic-context bug in show_leaks()

Quoting Jia-Ju Bai (2018-09-01 13:20:41)
> The driver may sleep while holding a spinlock.
>
> The function call paths (from bottom to top) in Linux-4.16 are:
>
> [FUNC] kmalloc(GFP_KERNEL)
> drivers/gpu/drm/drm_mm.c, 130:
>         kmalloc in show_leaks
> drivers/gpu/drm/drm_mm.c, 913:
>         show_leaks in drm_mm_takedown
> drivers/gpu/drm/drm_vma_manager.c, 107:
>         drm_mm_takedown in drm_vma_offset_manager_destroy
> drivers/gpu/drm/drm_vma_manager.c, 106:
>         _raw_write_lock in drm_vma_offset_manager_destroy
>
> [FUNC] kmalloc(GFP_KERNEL)
> drivers/gpu/drm/drm_mm.c, 130:
>         kmalloc in show_leaks
> drivers/gpu/drm/drm_mm.c, 913:
>         show_leaks in drm_mm_takedown
> drivers/gpu/drm/amd/amdgpu/amdgpu_vram_mgr.c, 71:
>         drm_mm_takedown in amdgpu_vram_mgr_fini
> drivers/gpu/drm/amd/amdgpu/amdgpu_vram_mgr.c, 70:
>         spin_lock in amdgpu_vram_mgr_fini
>
> [FUNC] kmalloc(GFP_KERNEL)
> drivers/gpu/drm/drm_mm.c, 130:
>         kmalloc in show_leaks
> drivers/gpu/drm/drm_mm.c, 913:
>         show_leaks in drm_mm_takedown
> drivers/gpu/drm/ttm/ttm_bo_manager.c, 128:
>         drm_mm_takedown in ttm_bo_man_takedown
> drivers/gpu/drm/ttm/ttm_bo_manager.c, 126:
>         spin_lock in ttm_bo_man_takedown
>
> To fix this bug, GFP_KERNEL is replaced with GFP_ATOMIC.

The bugs are above, since those spinlocks do not protect the data and
imply use-after-free.
-Chris
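
A userspace model of the problem discussed in this thread, added here as an illustration and not code from the kernel, the patch, or either participant: a lock-depth counter stands in for atomic context, and the allocator records a violation when a blocking allocation is requested while the counter is non-zero, loosely after the kernel's might_sleep() debug check. The `model_*` names, the `MODEL_GFP_*` values and the two caller functions are assumptions; `takedown_outside_lock` is only one possible caller-side arrangement.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed model values, not the kernel's real flag encodings. */
#define MODEL_GFP_ATOMIC 0x0u /* caller cannot block */
#define MODEL_GFP_KERNEL 0x1u /* allocator may sleep to reclaim memory */

static int lock_depth;  /* > 0 models atomic context (a spinlock is held) */
static int violations;  /* blocking allocations attempted in atomic context */

static void model_spin_lock(void)   { lock_depth++; }
static void model_spin_unlock(void) { lock_depth--; }

/* Records a violation where the kernel's debug check would warn. */
static void *model_kmalloc(size_t n, unsigned gfp)
{
    if ((gfp & MODEL_GFP_KERNEL) && lock_depth > 0)
        violations++;
    return malloc(n);
}

/* Stand-in for show_leaks(): allocates a scratch buffer for its report. */
static void model_show_leaks(unsigned gfp)
{
    free(model_kmalloc(4096, gfp)); /* free(NULL) is a no-op on failure */
}

/* The reported pattern: the caller holds a spinlock across the takedown. */
int takedown_under_lock(unsigned gfp)
{
    violations = 0;
    model_spin_lock();
    model_show_leaks(gfp);
    model_spin_unlock();
    return violations;
}

/* Assumed caller-side arrangement: the takedown runs with no lock held. */
int takedown_outside_lock(unsigned gfp)
{
    violations = 0;
    model_show_leaks(gfp);
    return violations;
}

int main(void)
{
    printf("GFP_KERNEL under lock: %d\n", takedown_under_lock(MODEL_GFP_KERNEL));
    printf("GFP_ATOMIC under lock: %d\n", takedown_under_lock(MODEL_GFP_ATOMIC));
    printf("GFP_KERNEL, no lock:   %d\n", takedown_outside_lock(MODEL_GFP_KERNEL));
    return 0;
}
```

The model only tracks sleeping in atomic context; it does not model whether the lock is needed around the takedown at all, which is the question the reply raises.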