| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <7d1d03702f4dffd68b18afa4f5ef242b4042188f.camel@mailbox.org>
Date: Mon, 12 May 2025 09:32:49 +0200
From: Philipp Stanner <phasta@...lbox.org>
To: Rob Clark <robdclark@...il.com>, dri-devel@...ts.freedesktop.org
Cc: Rob Clark <robdclark@...omium.org>, Matthew Brost
<matthew.brost@...el.com>, Danilo Krummrich <dakr@...nel.org>, Philipp
Stanner <phasta@...nel.org>, Christian König
<ckoenig.leichtzumerken@...il.com>, Maarten Lankhorst
<maarten.lankhorst@...ux.intel.com>, Maxime Ripard <mripard@...nel.org>,
Thomas Zimmermann <tzimmermann@...e.de>, David Airlie <airlied@...il.com>,
Simona Vetter <simona@...ll.ch>, open list <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] drm/sched: Fix UAF in
drm_sched_fence_get_timeline_name()
Hi,
On Fri, 2025-05-09 at 14:29 -0700, Rob Clark wrote:
> From: Rob Clark <robdclark@...omium.org>
>
> The fence can outlive the sched, so it is not safe to dereference the
> sched in drm_sched_fence_get_timeline_name()
Thx for the fix. Looks correct to me. Some nits
>
> Signed-off-by: Rob Clark <robdclark@...omium.org>
This is clearly a bug. So please provide a Fixes: tag and +Cc the
stable kernel.
> ---
> drivers/gpu/drm/scheduler/sched_fence.c | 3 ++-
> include/drm/gpu_scheduler.h | 11 +++++++++++
> 2 files changed, 13 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/gpu/drm/scheduler/sched_fence.c
> b/drivers/gpu/drm/scheduler/sched_fence.c
> index e971528504a5..4e529c3ba6d4 100644
> --- a/drivers/gpu/drm/scheduler/sched_fence.c
> +++ b/drivers/gpu/drm/scheduler/sched_fence.c
> @@ -92,7 +92,7 @@ static const char
> *drm_sched_fence_get_driver_name(struct dma_fence *fence)
> static const char *drm_sched_fence_get_timeline_name(struct
> dma_fence *f)
> {
> struct drm_sched_fence *fence = to_drm_sched_fence(f);
> - return (const char *)fence->sched->name;
> + return fence->name;
Adding an empty line while we're here already would be neat.
> }
>
> static void drm_sched_fence_free_rcu(struct rcu_head *rcu)
> @@ -226,6 +226,7 @@ void drm_sched_fence_init(struct drm_sched_fence
> *fence,
> unsigned seq;
>
> fence->sched = entity->rq->sched;
> + fence->name = fence->sched->name;
> seq = atomic_inc_return(&entity->fence_seq);
> dma_fence_init(&fence->scheduled,
> &drm_sched_fence_ops_scheduled,
> &fence->lock, entity->fence_context, seq);
> diff --git a/include/drm/gpu_scheduler.h
> b/include/drm/gpu_scheduler.h
> index 0ae108f6fcaf..d830ffe083f1 100644
> --- a/include/drm/gpu_scheduler.h
> +++ b/include/drm/gpu_scheduler.h
> @@ -295,6 +295,9 @@ struct drm_sched_fence {
> /**
> * @sched: the scheduler instance to which the job having
> this struct
> * belongs to.
> + *
> + * Some care must be taken as to where the sched is derefed,
> as the
> + * fence can outlive the sched.
> */
Just briefly hinting at the lifetime is enough here. Every developer
understands what that implicates.
"Might have a lifetime shorter than the owning &struct drm_sched_fence"
Thx
P.
> struct drm_gpu_scheduler *sched;
> /**
> @@ -305,6 +308,14 @@ struct drm_sched_fence {
> * @owner: job owner for debugging
> */
> void *owner;
> +
> + /**
> + * @name: the timeline name
> + *
> + * This comes from the @sched, but since the fence can
> outlive the
> + * sched, we need to keep our own copy.
> + */
> + const char *name;
> };
>
> struct drm_sched_fence *to_drm_sched_fence(struct dma_fence *f);
Powered by blists - more mailing lists