lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <de9769b8dc224ca4981e578ebd444171@huawei.com>
Date:   Fri, 7 Jan 2022 10:34:22 +0000
From:   Roberto Sassu <roberto.sassu@...wei.com>
To:     "maarten.lankhorst@...ux.intel.com" 
        <maarten.lankhorst@...ux.intel.com>,
        "mripard@...nel.org" <mripard@...nel.org>,
        "tzimmermann@...e.de" <tzimmermann@...e.de>,
        "airlied@...ux.ie" <airlied@...ux.ie>,
        "daniel@...ll.ch" <daniel@...ll.ch>
CC:     "dri-devel@...ts.freedesktop.org" <dri-devel@...ts.freedesktop.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        "stable@...r.kernel.org" <stable@...r.kernel.org>,
        "syzbot+c8ae65286134dd1b800d@...kaller.appspotmail.com" 
        <syzbot+c8ae65286134dd1b800d@...kaller.appspotmail.com>
Subject: RE: [PATCH] drm: Fix gem obj imbalance due to calling
 drm_gem_object_put() twice

> From: Roberto Sassu
> Sent: Tuesday, December 21, 2021 12:39 PM
> After commit 9786b65bc61ac ("drm/ttm: fix mmap refcounting"),
> drm_gem_mmap_obj() takes a reference of the passed drm_gem_object at the
> beginning of the function to safely dereference the mmap offset pointer,
> and releases it at the end, if an error occurred. However, the cma and
> shmem helpers are also releasing that reference in case of an error,
> which causes the imbalance of the reference counter and the panic
> reported by syzbot.
> 
> Don't release the reference in drm_gem_mmap_obj() if the mmap method was
> called and it returned an error, and uniformly apply the same behavior of
> the cma and shmem helpers to the ttm helper (release the reference in the
> helper, not in the caller, when an error occurs).

Hello

I'm wondering if this patch and:

https://lore.kernel.org/dri-devel/20211213183122.838119-1-roberto.sassu@huawei.com/

could be useful.

Thanks

Roberto

HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063
Managing Director: Li Peng, Zhong Ronghua

> Cc: stable@...r.kernel.org
> Signed-off-by: Roberto Sassu <roberto.sassu@...wei.com>
> Reported-by: syzbot+c8ae65286134dd1b800d@...kaller.appspotmail.com
> Fixes: 9786b65bc61ac ("drm/ttm: fix mmap refcounting")
> ---
>  drivers/gpu/drm/drm_gem.c            | 3 ++-
>  drivers/gpu/drm/drm_gem_ttm_helper.c | 4 +---
>  2 files changed, 3 insertions(+), 4 deletions(-)
> 
> diff --git a/drivers/gpu/drm/drm_gem.c b/drivers/gpu/drm/drm_gem.c
> index 4dcdec6487bb..7264a1a7a8d2 100644
> --- a/drivers/gpu/drm/drm_gem.c
> +++ b/drivers/gpu/drm/drm_gem.c
> @@ -1049,8 +1049,9 @@ int drm_gem_mmap_obj(struct drm_gem_object
> *obj, unsigned long obj_size,
> 
>  	if (obj->funcs->mmap) {
>  		ret = obj->funcs->mmap(obj, vma);
> +		/* All helpers call drm_gem_object_put() */
>  		if (ret)
> -			goto err_drm_gem_object_put;
> +			return ret;
>  		WARN_ON(!(vma->vm_flags & VM_DONTEXPAND));
>  	} else {
>  		if (!vma->vm_ops) {
> diff --git a/drivers/gpu/drm/drm_gem_ttm_helper.c
> b/drivers/gpu/drm/drm_gem_ttm_helper.c
> index ecf3d2a54a98..c44bfdbb722d 100644
> --- a/drivers/gpu/drm/drm_gem_ttm_helper.c
> +++ b/drivers/gpu/drm/drm_gem_ttm_helper.c
> @@ -101,8 +101,6 @@ int drm_gem_ttm_mmap(struct drm_gem_object *gem,
>  	int ret;
> 
>  	ret = ttm_bo_mmap_obj(vma, bo);
> -	if (ret < 0)
> -		return ret;
> 
>  	/*
>  	 * ttm has its own object refcounting, so drop gem reference
> @@ -110,7 +108,7 @@ int drm_gem_ttm_mmap(struct drm_gem_object *gem,
>  	 */
>  	drm_gem_object_put(gem);
> 
> -	return 0;
> +	return ret;
>  }
>  EXPORT_SYMBOL(drm_gem_ttm_mmap);
> 
> --
> 2.32.0

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ