Message-ID: <501a3dd6-d313-a03c-4bd1-74f4d27d0487@amd.com>
Date:   Tue, 11 Jul 2023 09:46:40 +0200
From:   Christian König <christian.koenig@....com>
To:     Luben Tuikov <luben.tuikov@....com>,
        Rob Clark <robdclark@...il.com>,
        dri-devel@...ts.freedesktop.org
Cc:     Rob Clark <robdclark@...omium.org>,
        Alexander Potapenko <glider@...gle.com>,
        David Airlie <airlied@...il.com>,
        Daniel Vetter <daniel@...ll.ch>,
        open list <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] drm/scheduler: Add missing RCU flag to fence slab

On 10.07.23 at 23:15, Luben Tuikov wrote:
> On 2023-07-10 16:56, Rob Clark wrote:
>> From: Rob Clark <robdclark@...omium.org>
>>
>> Fixes the KASAN splat:
>>
>>     ==================================================================
>>     BUG: KASAN: use-after-free in msm_ioctl_wait_fence+0x31c/0x7b0
>>     Read of size 4 at addr ffffff808cb7c2f8 by task syz-executor/12236
>>     CPU: 6 PID: 12236 Comm: syz-executor Tainted: G        W         5.15.119-lockdep-19932-g4a017c53fe63 #1 b15455e5b94c63032dd99eb0190c27e582b357ed
>>     Hardware name: Google Homestar (rev3) (DT)
>>     Call trace:
>>      dump_backtrace+0x0/0x4e8
>>      show_stack+0x34/0x50
>>      dump_stack_lvl+0xdc/0x11c
>>      print_address_description+0x30/0x2d8
>>      kasan_report+0x178/0x1e4
>>      kasan_check_range+0x1b0/0x1b8
>>      __kasan_check_read+0x44/0x54
>>      msm_ioctl_wait_fence+0x31c/0x7b0
>>      drm_ioctl_kernel+0x214/0x418
>>      drm_ioctl+0x524/0xbe8
>>      __arm64_sys_ioctl+0x154/0x1d0
>>      invoke_syscall+0x98/0x278
>>      el0_svc_common+0x214/0x274
>>      do_el0_svc+0x9c/0x19c
>>      el0_svc+0x5c/0xc0
>>      el0t_64_sync_handler+0x78/0x108
>>      el0t_64_sync+0x1a4/0x1a8
>>     Allocated by task 12224:
>>      kasan_save_stack+0x38/0x68
>>      __kasan_slab_alloc+0x6c/0x88
>>      kmem_cache_alloc+0x1b8/0x428
>>      drm_sched_fence_alloc+0x30/0x94
>>      drm_sched_job_init+0x7c/0x178
>>      msm_ioctl_gem_submit+0x2b8/0x5ac4
>>      drm_ioctl_kernel+0x214/0x418
>>      drm_ioctl+0x524/0xbe8
>>      __arm64_sys_ioctl+0x154/0x1d0
>>      invoke_syscall+0x98/0x278
>>      el0_svc_common+0x214/0x274
>>      do_el0_svc+0x9c/0x19c
>>      el0_svc+0x5c/0xc0
>>      el0t_64_sync_handler+0x78/0x108
>>      el0t_64_sync+0x1a4/0x1a8
>>     Freed by task 32:
>>      kasan_save_stack+0x38/0x68
>>      kasan_set_track+0x28/0x3c
>>      kasan_set_free_info+0x28/0x4c
>>      ____kasan_slab_free+0x110/0x164
>>      __kasan_slab_free+0x18/0x28
>>      kmem_cache_free+0x1e0/0x904
>>      drm_sched_fence_free_rcu+0x80/0x9c
>>      rcu_do_batch+0x318/0xcf0
>>      rcu_nocb_cb_kthread+0x1a0/0xc4c
>>      kthread+0x2e4/0x3a0
>>      ret_from_fork+0x10/0x20
>>     Last potentially related work creation:
>>      kasan_save_stack+0x38/0x68
>>      kasan_record_aux_stack+0xd4/0x114
>>      __call_rcu_common+0xd4/0x1478
>>      call_rcu+0x1c/0x28
>>      drm_sched_fence_release_scheduled+0x108/0x158
>>      dma_fence_release+0x178/0x564
>>      drm_sched_fence_release_finished+0xb4/0x124
>>      dma_fence_release+0x178/0x564
>>      __msm_gem_submit_destroy+0x150/0x488
>>      msm_job_free+0x9c/0xdc
>>      drm_sched_main+0xec/0x9ac
>>      kthread+0x2e4/0x3a0
>>      ret_from_fork+0x10/0x20
>>     Second to last potentially related work creation:
>>      kasan_save_stack+0x38/0x68
>>      kasan_record_aux_stack+0xd4/0x114
>>      __call_rcu_common+0xd4/0x1478
>>      call_rcu+0x1c/0x28
>>      drm_sched_fence_release_scheduled+0x108/0x158
>>      dma_fence_release+0x178/0x564
>>      drm_sched_fence_release_finished+0xb4/0x124
>>      dma_fence_release+0x178/0x564
>>      drm_sched_entity_fini+0x170/0x238
>>      drm_sched_entity_destroy+0x34/0x44
>>      __msm_file_private_destroy+0x60/0x118
>>      msm_submitqueue_destroy+0xd0/0x110
>>      __msm_gem_submit_destroy+0x384/0x488
>>      retire_submits+0x6a8/0xa14
>>      recover_worker+0x764/0xa50
>>      kthread_worker_fn+0x3f4/0x9ec
>>      kthread+0x2e4/0x3a0
>>      ret_from_fork+0x10/0x20
>>     The buggy address belongs to the object at ffffff808cb7c280
>>     The buggy address is located 120 bytes inside of
>>     The buggy address belongs to the page:
>>     page:000000008b01d27d refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10cb7c
>>     head:000000008b01d27d order:1 compound_mapcount:0
>>     flags: 0x8000000000010200(slab|head|zone=2)
>>     raw: 8000000000010200 fffffffe06844d80 0000000300000003 ffffff80860dca00
>>     raw: 0000000000000000 0000000000190019 00000001ffffffff 0000000000000000
>>     page dumped because: kasan: bad access detected
>>     Memory state around the buggy address:
>>      ffffff808cb7c180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>>      ffffff808cb7c200: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
>>     >ffffff808cb7c280: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>>                                                                     ^
>>      ffffff808cb7c300: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc
>>      ffffff808cb7c380: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
>>     ==================================================================
>>
>> Suggested-by: Alexander Potapenko <glider@...gle.com>
>> Signed-off-by: Rob Clark <robdclark@...omium.org>
>> ---
>>   drivers/gpu/drm/scheduler/sched_fence.c | 2 +-
>>   1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/drivers/gpu/drm/scheduler/sched_fence.c b/drivers/gpu/drm/scheduler/sched_fence.c
>> index ef120475e7c6..b624711c6e03 100644
>> --- a/drivers/gpu/drm/scheduler/sched_fence.c
>> +++ b/drivers/gpu/drm/scheduler/sched_fence.c
>> @@ -35,7 +35,7 @@ static int __init drm_sched_fence_slab_init(void)
>>   {
>>   	sched_fence_slab = kmem_cache_create(
>>   		"drm_sched_fence", sizeof(struct drm_sched_fence), 0,
>> -		SLAB_HWCACHE_ALIGN, NULL);
>> +		SLAB_HWCACHE_ALIGN | SLAB_TYPESAFE_BY_RCU, NULL);
>>   	if (!sched_fence_slab)
>>   		return -ENOMEM;
>>   
> Reviewed-by: Luben Tuikov <luben.tuikov@....com>
>
> But let it simmer for 24 hours so Christian can see it too (CC-ed).

Well that won't work like this; using the SLAB_TYPESAFE_BY_RCU flag 
was suggested before and is not allowed for dma_fence objects.

The flag SLAB_TYPESAFE_BY_RCU can only be used if the objects in the 
slab can't be reused within an RCU grace period, or if that reuse 
doesn't matter for the logic. Exactly that is not guaranteed for 
dma_fence objects.
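
With SLAB_TYPESAFE_BY_RCU only the backing memory is guaranteed to stay 
type-stable across the grace period; the object itself can be freed and 
immediately handed out again as a new instance. Every RCU-side reader 
therefore has to take a reference and then revalidate that it is still 
looking at the same object. A minimal sketch of that lookup pattern 
(lookup(), key and obj_release() are hypothetical stand-ins, not real 
kernel API):

static struct obj *obj_lookup_rcu(unsigned long key)
{
        struct obj *obj;

        rcu_read_lock();
        obj = lookup(key);                      /* hypothetical lookup */
        if (obj && !kref_get_unless_zero(&obj->refcount))
                obj = NULL;                     /* already being freed */
        if (obj && obj->key != key) {
                /* slab memory was recycled for a different object */
                kref_put(&obj->refcount, obj_release);
                obj = NULL;
        }
        rcu_read_unlock();
        return obj;
}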

It should also not be necessary because the scheduler fences are 
released using call_rcu:

static void drm_sched_fence_release_scheduled(struct dma_fence *f)
{
         struct drm_sched_fence *fence = to_drm_sched_fence(f);

         dma_fence_put(fence->parent);
         call_rcu(&fence->finished.rcu, drm_sched_fence_free_rcu);
}
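
The matching RCU callback then hands the memory back to the slab only 
after the grace period has passed, which is what makes the extra slab 
flag redundant here. Roughly (a sketch; the exact code may differ 
between kernel versions):

static void drm_sched_fence_free_rcu(struct rcu_head *rcu)
{
        struct dma_fence *f = container_of(rcu, struct dma_fence, rcu);
        struct drm_sched_fence *fence = to_drm_sched_fence(f);

        if (!WARN_ON_ONCE(!fence))
                kmem_cache_free(sched_fence_slab, fence);
}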

That looks more like you have a reference count problem in MSM.
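
In other words the wait path needs to grab its own reference before it 
leaves the RCU read side, along the lines of this sketch (struct holder 
and its __rcu fence pointer are placeholders, not the actual MSM 
structures):

static signed long wait_fence_sketch(struct holder *h, signed long timeout)
{
        struct dma_fence *fence;
        signed long ret = 0;

        rcu_read_lock();
        /* takes a reference, or returns NULL if the fence is gone */
        fence = dma_fence_get_rcu_safe(&h->fence);
        rcu_read_unlock();

        if (fence) {
                ret = dma_fence_wait_timeout(fence, true, timeout);
                dma_fence_put(fence);
        }
        return ret;
}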

Regards,
Christian.
