lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-Id: <20240115170120.662220-1-tvrtko.ursulin@linux.intel.com>
Date: Mon, 15 Jan 2024 17:01:17 +0000
From: Tvrtko Ursulin <tvrtko.ursulin@...ux.intel.com>
To: linux-kernel@...r.kernel.org,
	tvrtko.ursulin@...ux.intel.com
Cc: Tvrtko Ursulin <tvrtko.ursulin@...el.com>,
	Peter Zijlstra <peterz@...radead.org>,
	Umesh Nerlige Ramappa <umesh.nerlige.ramappa@...el.com>,
	Aravind Iddamsetty <aravind.iddamsetty@...ux.intel.com>
Subject: [RFC 0/3] Fixing i915 PMU use after free after driver unbind

From: Tvrtko Ursulin <tvrtko.ursulin@...el.com>

Hi Peter, all,

This is an early RFC to outline a newly discovered problem in the current
handling of driver unbind with active perf fds.

The sequence is basically this:

1. Open a perf fd
2. Unbind a driver
3. Close the dangling fd

Or a slightly more evil variant:

1. Open a perf fd
2. Unbind a driver
3. Bind the driver again
4. Close the dangling fd

I thought we had this covered by recording the unbound status (pmu->closed in
i915_pmu.c) and making sure the struct i915_pmu (and struct perf_pmu) remain
active until the last event is closed (via internal reference counting). But
what I missed until now are two things:

1)
core.c: _free_event() will dereference event->pmu _after_ event->destroy().

KASAN catches this easily and patches 1 & 2 are the attempt to fix that.

2)
A more evil case where pmu->cpu_pmu_context per-cpu allocation gets re-used
_before_ the old perf fd is closed.

There things can nicely explode on the list_del_init inside event_sched_out on
list_del_init(&event->active_list); (with list debugging turned on of course).

Most easily reproducible by simply re-binding i915, which happens to grab the
same per-cpu block and then the new perf_pmu_register zaps the list_head which
the old event will try to unlink itself from.

This is what the third patch attempts to deal with. It is a bit incomplete
though, as I was unsure what is the best approach to fix and so thought to send
it out early for some guidance.

Cc: Peter Zijlstra <peterz@...radead.org>
Cc: Umesh Nerlige Ramappa <umesh.nerlige.ramappa@...el.com>
Cc: Aravind Iddamsetty <aravind.iddamsetty@...ux.intel.com>

Tvrtko Ursulin (3):
  perf: Add new late event free callback
  drm/i915/pmu: Move i915 reference drop to new event->free()
  perf: Reference count struct perf_cpu_pmu_context to fix driver unbind

 drivers/gpu/drm/i915/i915_pmu.c |  4 ++--
 include/linux/perf_event.h      |  2 ++
 kernel/events/core.c            | 34 ++++++++++++++++++++++++---------
 3 files changed, 29 insertions(+), 11 deletions(-)

-- 
2.40.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ