lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <dd2ee57a-2ab2-db94-36d9-8faced18fe61@riseup.net>
Date:   Wed, 17 Aug 2022 15:43:00 -0300
From:   Maíra Canal <mairacanal@...eup.net>
To:     Mikhail Gavrilov <mikhail.v.gavrilov@...il.com>,
        Melissa Wen <mwen@...lia.com>
Cc:     Christian König <ckoenig.leichtzumerken@...il.com>,
        amd-gfx list <amd-gfx@...ts.freedesktop.org>,
        dri-devel <dri-devel@...ts.freedesktop.org>,
        Linux List Kernel Mailing <linux-kernel@...r.kernel.org>
Subject: Re: [BUG][5.20] refcount_t: underflow; use-after-free



On 8/17/22 14:44, Mikhail Gavrilov wrote:
> On Wed, Aug 17, 2022 at 9:08 PM Melissa Wen <mwen@...lia.com> wrote:
>>
>> Hi Mikhail,
>>
>> IIUC, you got this second user-after-free by applying the first version
>> of Maíra's patch, right? So, that version was adding another unbalanced
>> unlock to the cs ioctl flow, but it was solved in the latest version,
>> that you can find here: https://patchwork.freedesktop.org/patch/497680/
>> If this is the situation, can you check this last version?
>>
>> Thanks,
>>
>> Melissa
> 
> With the last version warning "bad unlock balance detected!" was gone,
> but the user-after-free issue remains.
> And again "Workqueue: events drm_sched_entity_kill_jobs_work [gpu_sched]".

Hi Mikhail,

Looks like 45ecaea738830b9d521c93520c8f201359dcbd95 ("drm/sched: Partial 
revert of 'drm/sched: Keep s_fence->parent pointer'") introduced the 
error. Try reverting it and check if the use-after-free still happens.

Best Regards,
- Maíra Canal

> 
> [  297.834779] ------------[ cut here ]------------
> [  297.834818] refcount_t: underflow; use-after-free.
> [  297.834831] WARNING: CPU: 30 PID: 2377 at lib/refcount.c:28
> refcount_warn_saturate+0xba/0x110
> [  297.834838] Modules linked in: uinput rfcomm snd_seq_dummy
> snd_hrtimer nft_objref nf_conntrack_netbios_ns nf_conntrack_broadcast
> nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet
> nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat
> nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_set nf_tables nfnetlink
> qrtr bnep sunrpc binfmt_misc snd_seq_midi snd_seq_midi_event mt76x2u
> mt76x2_common mt76x02_usb mt76_usb mt76x02_lib snd_hda_codec_realtek
> iwlmvm intel_rapl_msr snd_hda_codec_generic snd_hda_codec_hdmi mt76
> vfat fat snd_hda_intel intel_rapl_common mac80211 snd_intel_dspcfg
> snd_intel_sdw_acpi snd_usb_audio snd_hda_codec snd_usbmidi_lib btusb
> edac_mce_amd iwlwifi libarc4 uvcvideo snd_hda_core btrtl snd_rawmidi
> snd_hwdep videobuf2_vmalloc btbcm kvm_amd videobuf2_memops snd_seq
> iwlmei btintel videobuf2_v4l2 eeepc_wmi snd_seq_device
> videobuf2_common btmtk kvm xpad videodev joydev irqbypass snd_pcm
> asus_wmi hid_logitech_hidpp ff_memless cfg80211 bluetooth rapl mc
> [  297.834932]  ledtrig_audio snd_timer sparse_keymap platform_profile
> wmi_bmof snd video pcspkr k10temp i2c_piix4 rfkill soundcore mei
> asus_ec_sensors acpi_cpufreq zram amdgpu drm_ttm_helper ttm
> crct10dif_pclmul crc32_pclmul crc32c_intel iommu_v2 ucsi_ccg gpu_sched
> typec_ucsi drm_buddy ghash_clmulni_intel drm_display_helper ccp igb
> typec sp5100_tco nvme cec nvme_core dca wmi ip6_tables ip_tables fuse
> [  297.834978] Unloaded tainted modules: amd64_edac():1 amd64_edac():1
> amd64_edac():1 amd64_edac():1 amd64_edac():1 amd64_edac():1
> amd64_edac():1 amd64_edac():1 pcc_cpufreq():1 amd64_edac():1
> pcc_cpufreq():1 amd64_edac():1 pcc_cpufreq():1 pcc_cpufreq():1
> amd64_edac():1 amd64_edac():1 pcc_cpufreq():1 amd64_edac():1
> pcc_cpufreq():1 amd64_edac():1 pcc_cpufreq():1 amd64_edac():1
> pcc_cpufreq():1 pcc_cpufreq():1 amd64_edac():1 amd64_edac():1
> pcc_cpufreq():1 pcc_cpufreq():1 amd64_edac():1 pcc_cpufreq():1
> pcc_cpufreq():1 amd64_edac():1 pcc_cpufreq():1 amd64_edac():1
> pcc_cpufreq():1 pcc_cpufreq():1 amd64_edac():1 pcc_cpufreq():1
> amd64_edac():1 amd64_edac():1 pcc_cpufreq():1 amd64_edac():1
> pcc_cpufreq():1 amd64_edac():1 pcc_cpufreq():1 pcc_cpufreq():1
> amd64_edac():1 amd64_edac():1 pcc_cpufreq():1 pcc_cpufreq():1
> amd64_edac():1 pcc_cpufreq():1 amd64_edac():1 amd64_edac():1
> pcc_cpufreq():1 amd64_edac():1 pcc_cpufreq():1 amd64_edac():1
> pcc_cpufreq():1 pcc_cpufreq():1 pcc_cpufreq():1 fjes():1
> [  297.835055]  pcc_cpufreq():1 fjes():1 pcc_cpufreq():1 fjes():1
> pcc_cpufreq():1 fjes():1 fjes():1 fjes():1 fjes():1 fjes():1
> [  297.835071] CPU: 30 PID: 2377 Comm: kworker/30:6 Tainted: G
> W    L    -------  ---
> 6.0.0-0.rc1.20220817git3cc40a443a04.14.fc38.x86_64 #1
> [  297.835075] Hardware name: System manufacturer System Product
> Name/ROG STRIX X570-I GAMING, BIOS 4403 04/27/2022
> [  297.835078] Workqueue: events drm_sched_entity_kill_jobs_work [gpu_sched]
> [  297.835085] RIP: 0010:refcount_warn_saturate+0xba/0x110
> [  297.835088] Code: 01 01 e8 59 59 6f 00 0f 0b e9 22 46 a5 00 80 3d
> be 7d be 01 00 75 85 48 c7 c7 c0 99 8e aa c6 05 ae 7d be 01 01 e8 36
> 59 6f 00 <0f> 0b e9 ff 45 a5 00 80 3d 99 7d be 01 00 0f 85 5e ff ff ff
> 48 c7
> [  297.835091] RSP: 0018:ffffbd3506df7e60 EFLAGS: 00010286
> [  297.835095] RAX: 0000000000000026 RBX: ffff961b250cbc28 RCX: 0000000000000000
> [  297.835097] RDX: 0000000000000001 RSI: ffffffffaa8d07a4 RDI: 00000000ffffffff
> [  297.835100] RBP: ffff96276a3f5600 R08: 0000000000000000 R09: ffffbd3506df7d10
> [  297.835102] R10: 0000000000000003 R11: ffff9627ae2fffe8 R12: ffff96276a3fc800
> [  297.835105] R13: ffff9618c03e6600 R14: ffff96276a3fc805 R15: ffff961b250cbc30
> [  297.835108] FS:  0000000000000000(0000) GS:ffff96276a200000(0000)
> knlGS:0000000000000000
> [  297.835110] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [  297.835113] CR2: 0000621001e4a000 CR3: 000000018d958000 CR4: 0000000000350ee0
> [  297.835116] Call Trace:
> [  297.835118]  <TASK>
> [  297.835121]  process_one_work+0x2a0/0x600
> [  297.835133]  worker_thread+0x4f/0x3a0
> [  297.835139]  ? process_one_work+0x600/0x600
> [  297.835142]  kthread+0xf5/0x120
> [  297.835145]  ? kthread_complete_and_exit+0x20/0x20
> [  297.835151]  ret_from_fork+0x22/0x30
> [  297.835166]  </TASK>
> [  297.835168] irq event stamp: 198245
> [  297.835171] hardirqs last  enabled at (198253):
> [<ffffffffa918ce7e>] __up_console_sem+0x5e/0x70
> [  297.835175] hardirqs last disabled at (198260):
> [<ffffffffa918ce63>] __up_console_sem+0x43/0x70
> [  297.835177] softirqs last  enabled at (196454):
> [<ffffffffa9de3a4e>] addrconf_verify_rtnl+0x23e/0x920
> [  297.835182] softirqs last disabled at (196448):
> [<ffffffffa9de3835>] addrconf_verify_rtnl+0x25/0x920
> [  297.835185] ---[ end trace 0000000000000000 ]---
> 
> 
> Fill kernel log: https://pastebin.com/zbbY2zDU
> 

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ