2023-05-27 08:00:44

by Min Li

[permalink] [raw]
Subject: [PATCH] drm/radeon: fix race condition UAF in radeon_gem_set_domain_ioctl

Userspace can race to free the gobj (from which robj is converted); robj should not
be accessed again after drm_gem_object_put, otherwise it will result in a
use-after-free.

Signed-off-by: Min Li <[email protected]>
---
drivers/gpu/drm/radeon/radeon_gem.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/radeon/radeon_gem.c b/drivers/gpu/drm/radeon/radeon_gem.c
index bdc5af23f005..450c7cbdd28a 100644
--- a/drivers/gpu/drm/radeon/radeon_gem.c
+++ b/drivers/gpu/drm/radeon/radeon_gem.c
@@ -478,7 +478,7 @@ int radeon_gem_set_domain_ioctl(struct drm_device *dev, void *data,

drm_gem_object_put(gobj);
up_read(&rdev->exclusive_lock);
- r = radeon_gem_handle_lockup(robj->rdev, r);
+ r = radeon_gem_handle_lockup(rdev, r);
return r;
}
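Review bot: with this line changed, `robj` is only ever assigned (`robj = gem_to_radeon_bo(gobj);` earlier in the function) and never read, so the declaration and that assignment should go in the same patch, otherwise a W=1 build reports -Wunused-but-set-variable. The substitution itself is right: `drm_gem_object_put(gobj)` on the previous context line may drop the last reference when userspace has already closed the handle, so `robj->rdev` after it is a read of possibly freed memory, while `rdev` comes from `dev->dev_private` and outlives the ioctl. A `Fixes:` tag pointing at the commit that introduced the `robj->rdev` read would help stable backports.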

--
2.34.1

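Added example, not code from the patch or the radeon driver: a toy model of the bug the commit message describes. The structs, `gem_object_put`, `handle_lockup` and the poison value are all constructed here; the put poisons the object on the last reference, standing in for slab poisoning, so the stale `robj->rdev` read is observable rather than undefined behaviour.

```c
#include <stdint.h>

/* Constructed stand-ins for the kernel types; not radeon's real structs. */
struct radeon_device { int lockup_handled; };
struct radeon_bo { struct radeon_device *rdev; };
struct gem_object { int refcount; struct radeon_bo bo; int freed; };

/* Pattern written over a "freed" object, mimicking slab poisoning, so that a
 * use-after-free shows up as this value instead of silently reading garbage. */
#define POISON_RDEV ((struct radeon_device *)(uintptr_t)0x6b6b6b6b)

static void gem_object_put(struct gem_object *gobj)
{
    /* Last reference dropped: the object is released and poisoned. */
    if (--gobj->refcount == 0) {
        gobj->bo.rdev = POISON_RDEV;
        gobj->freed = 1;
    }
}

/* Toy lockup handler: returns -1 when handed a poisoned (freed) pointer. */
static int handle_lockup(struct radeon_device *rdev, int r)
{
    if (rdev == POISON_RDEV)
        return -1;
    rdev->lockup_handled = 1;
    return r;
}

/* Before the patch: robj (derived from gobj) is dereferenced after the put.
 * If userspace already closed its handle, that put freed the object. */
int set_domain_before(struct gem_object *gobj)
{
    struct radeon_bo *robj = &gobj->bo;
    int r = 0;

    gem_object_put(gobj);
    return handle_lockup(robj->rdev, r);   /* read from freed memory */
}

/* After the patch: rdev comes from dev->dev_private and outlives the ioctl,
 * so nothing reachable from gobj is touched after the put. */
int set_domain_after(struct radeon_device *rdev, struct gem_object *gobj)
{
    int r = 0;

    gem_object_put(gobj);
    return handle_lockup(rdev, r);
}
```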


2023-05-27 11:15:15

by kernel test robot

[permalink] [raw]
Subject: Re: [PATCH] drm/radeon: fix race condition UAF in radeon_gem_set_domain_ioctl

Hi Min,

kernel test robot noticed the following build warnings:

[auto build test WARNING on drm-misc/drm-misc-next]
[also build test WARNING on linus/master v6.4-rc3 next-20230525]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]

url: https://github.com/intel-lab-lkp/linux/commits/Min-Li/drm-radeon-fix-race-condition-UAF-in-radeon_gem_set_domain_ioctl/20230527-155623
base: git://anongit.freedesktop.org/drm/drm-misc drm-misc-next
patch link: https://lore.kernel.org/r/20230526123753.16160-1-lm0963hack%40gmail.com
patch subject: [PATCH] drm/radeon: fix race condition UAF in radeon_gem_set_domain_ioctl
config: mips-allyesconfig (https://download.01.org/0day-ci/archive/20230527/[email protected]/config)
compiler: mips-linux-gcc (GCC) 12.1.0
reproduce (this is a W=1 build):
mkdir -p ~/bin
wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
chmod +x ~/bin/make.cross
# https://github.com/intel-lab-lkp/linux/commit/66fb975494d21e80b90235b7d8bf0953990c5c89
git remote add linux-review https://github.com/intel-lab-lkp/linux
git fetch --no-tags linux-review Min-Li/drm-radeon-fix-race-condition-UAF-in-radeon_gem_set_domain_ioctl/20230527-155623
git checkout 66fb975494d21e80b90235b7d8bf0953990c5c89
# save the config file
mkdir build_dir && cp config build_dir/.config
COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-12.1.0 ~/bin/make.cross W=1 O=build_dir ARCH=mips olddefconfig
COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-12.1.0 ~/bin/make.cross W=1 O=build_dir ARCH=mips SHELL=/bin/bash drivers/gpu/

If you fix the issue, kindly add following tag where applicable
| Reported-by: kernel test robot <[email protected]>
| Closes: https://lore.kernel.org/oe-kbuild-all/[email protected]/

All warnings (new ones prefixed by >>):

drivers/gpu/drm/radeon/radeon_gem.c: In function 'radeon_gem_set_domain_ioctl':
>> drivers/gpu/drm/radeon/radeon_gem.c:462:27: warning: variable 'robj' set but not used [-Wunused-but-set-variable]
462 | struct radeon_bo *robj;
| ^~~~


vim +/robj +462 drivers/gpu/drm/radeon/radeon_gem.c

f72a113a71ab08 Christian König 2014-08-07 453
771fe6b912fca5 Jerome Glisse 2009-06-05 454 int radeon_gem_set_domain_ioctl(struct drm_device *dev, void *data,
771fe6b912fca5 Jerome Glisse 2009-06-05 455 struct drm_file *filp)
771fe6b912fca5 Jerome Glisse 2009-06-05 456 {
771fe6b912fca5 Jerome Glisse 2009-06-05 457 /* transition the BO to a domain -
771fe6b912fca5 Jerome Glisse 2009-06-05 458 * just validate the BO into a certain domain */
dee53e7fb3ee01 Jerome Glisse 2012-07-02 459 struct radeon_device *rdev = dev->dev_private;
771fe6b912fca5 Jerome Glisse 2009-06-05 460 struct drm_radeon_gem_set_domain *args = data;
771fe6b912fca5 Jerome Glisse 2009-06-05 461 struct drm_gem_object *gobj;
4c7886791264f0 Jerome Glisse 2009-11-20 @462 struct radeon_bo *robj;
771fe6b912fca5 Jerome Glisse 2009-06-05 463 int r;
771fe6b912fca5 Jerome Glisse 2009-06-05 464
771fe6b912fca5 Jerome Glisse 2009-06-05 465 /* for now if someone requests domain CPU -
771fe6b912fca5 Jerome Glisse 2009-06-05 466 * just make sure the buffer is finished with */
dee53e7fb3ee01 Jerome Glisse 2012-07-02 467 down_read(&rdev->exclusive_lock);
771fe6b912fca5 Jerome Glisse 2009-06-05 468
771fe6b912fca5 Jerome Glisse 2009-06-05 469 /* just do a BO wait for now */
a8ad0bd84f9860 Chris Wilson 2016-05-09 470 gobj = drm_gem_object_lookup(filp, args->handle);
771fe6b912fca5 Jerome Glisse 2009-06-05 471 if (gobj == NULL) {
dee53e7fb3ee01 Jerome Glisse 2012-07-02 472 up_read(&rdev->exclusive_lock);
bf79cb914dbfe8 Chris Wilson 2010-08-04 473 return -ENOENT;
771fe6b912fca5 Jerome Glisse 2009-06-05 474 }
7e4d15d90afe46 Daniel Vetter 2011-02-18 475 robj = gem_to_radeon_bo(gobj);
771fe6b912fca5 Jerome Glisse 2009-06-05 476
771fe6b912fca5 Jerome Glisse 2009-06-05 477 r = radeon_gem_set_domain(gobj, args->read_domains, args->write_domain);
771fe6b912fca5 Jerome Glisse 2009-06-05 478
f11fb66ae92193 Emil Velikov 2020-05-15 479 drm_gem_object_put(gobj);
dee53e7fb3ee01 Jerome Glisse 2012-07-02 480 up_read(&rdev->exclusive_lock);
66fb975494d21e Min Li 2023-05-26 481 r = radeon_gem_handle_lockup(rdev, r);
771fe6b912fca5 Jerome Glisse 2009-06-05 482 return r;
771fe6b912fca5 Jerome Glisse 2009-06-05 483 }
771fe6b912fca5 Jerome Glisse 2009-06-05 484

--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki

2023-05-27 16:45:16

by kernel test robot

[permalink] [raw]
Subject: Re: [PATCH] drm/radeon: fix race condition UAF in radeon_gem_set_domain_ioctl

Hi Min,

kernel test robot noticed the following build warnings:

[auto build test WARNING on drm-misc/drm-misc-next]
[also build test WARNING on linus/master v6.4-rc3 next-20230525]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]

url: https://github.com/intel-lab-lkp/linux/commits/Min-Li/drm-radeon-fix-race-condition-UAF-in-radeon_gem_set_domain_ioctl/20230527-155623
base: git://anongit.freedesktop.org/drm/drm-misc drm-misc-next
patch link: https://lore.kernel.org/r/20230526123753.16160-1-lm0963hack%40gmail.com
patch subject: [PATCH] drm/radeon: fix race condition UAF in radeon_gem_set_domain_ioctl
config: riscv-randconfig-r042-20230526 (https://download.01.org/0day-ci/archive/20230527/[email protected]/config)
compiler: clang version 17.0.0 (https://github.com/llvm/llvm-project 4faf3aaf28226a4e950c103a14f6fc1d1fdabb1b)
reproduce (this is a W=1 build):
mkdir -p ~/bin
wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
chmod +x ~/bin/make.cross
# install riscv cross compiling tool for clang build
# apt-get install binutils-riscv64-linux-gnu
# https://github.com/intel-lab-lkp/linux/commit/66fb975494d21e80b90235b7d8bf0953990c5c89
git remote add linux-review https://github.com/intel-lab-lkp/linux
git fetch --no-tags linux-review Min-Li/drm-radeon-fix-race-condition-UAF-in-radeon_gem_set_domain_ioctl/20230527-155623
git checkout 66fb975494d21e80b90235b7d8bf0953990c5c89
# save the config file
mkdir build_dir && cp config build_dir/.config
COMPILER_INSTALL_PATH=$HOME/0day COMPILER=clang ~/bin/make.cross W=1 O=build_dir ARCH=riscv olddefconfig
COMPILER_INSTALL_PATH=$HOME/0day COMPILER=clang ~/bin/make.cross W=1 O=build_dir ARCH=riscv SHELL=/bin/bash drivers/gpu/drm/radeon/

If you fix the issue, kindly add following tag where applicable
| Reported-by: kernel test robot <[email protected]>
| Closes: https://lore.kernel.org/oe-kbuild-all/[email protected]/

All warnings (new ones prefixed by >>):

>> drivers/gpu/drm/radeon/radeon_gem.c:462:20: warning: variable 'robj' set but not used [-Wunused-but-set-variable]
struct radeon_bo *robj;
^
1 warning generated.


vim +/robj +462 drivers/gpu/drm/radeon/radeon_gem.c

f72a113a71ab08 Christian König 2014-08-07 453
771fe6b912fca5 Jerome Glisse 2009-06-05 454 int radeon_gem_set_domain_ioctl(struct drm_device *dev, void *data,
771fe6b912fca5 Jerome Glisse 2009-06-05 455 struct drm_file *filp)
771fe6b912fca5 Jerome Glisse 2009-06-05 456 {
771fe6b912fca5 Jerome Glisse 2009-06-05 457 /* transition the BO to a domain -
771fe6b912fca5 Jerome Glisse 2009-06-05 458 * just validate the BO into a certain domain */
dee53e7fb3ee01 Jerome Glisse 2012-07-02 459 struct radeon_device *rdev = dev->dev_private;
771fe6b912fca5 Jerome Glisse 2009-06-05 460 struct drm_radeon_gem_set_domain *args = data;
771fe6b912fca5 Jerome Glisse 2009-06-05 461 struct drm_gem_object *gobj;
4c7886791264f0 Jerome Glisse 2009-11-20 @462 struct radeon_bo *robj;
771fe6b912fca5 Jerome Glisse 2009-06-05 463 int r;
771fe6b912fca5 Jerome Glisse 2009-06-05 464
771fe6b912fca5 Jerome Glisse 2009-06-05 465 /* for now if someone requests domain CPU -
771fe6b912fca5 Jerome Glisse 2009-06-05 466 * just make sure the buffer is finished with */
dee53e7fb3ee01 Jerome Glisse 2012-07-02 467 down_read(&rdev->exclusive_lock);
771fe6b912fca5 Jerome Glisse 2009-06-05 468
771fe6b912fca5 Jerome Glisse 2009-06-05 469 /* just do a BO wait for now */
a8ad0bd84f9860 Chris Wilson 2016-05-09 470 gobj = drm_gem_object_lookup(filp, args->handle);
771fe6b912fca5 Jerome Glisse 2009-06-05 471 if (gobj == NULL) {
dee53e7fb3ee01 Jerome Glisse 2012-07-02 472 up_read(&rdev->exclusive_lock);
bf79cb914dbfe8 Chris Wilson 2010-08-04 473 return -ENOENT;
771fe6b912fca5 Jerome Glisse 2009-06-05 474 }
7e4d15d90afe46 Daniel Vetter 2011-02-18 475 robj = gem_to_radeon_bo(gobj);
771fe6b912fca5 Jerome Glisse 2009-06-05 476
771fe6b912fca5 Jerome Glisse 2009-06-05 477 r = radeon_gem_set_domain(gobj, args->read_domains, args->write_domain);
771fe6b912fca5 Jerome Glisse 2009-06-05 478
f11fb66ae92193 Emil Velikov 2020-05-15 479 drm_gem_object_put(gobj);
dee53e7fb3ee01 Jerome Glisse 2012-07-02 480 up_read(&rdev->exclusive_lock);
66fb975494d21e Min Li 2023-05-26 481 r = radeon_gem_handle_lockup(rdev, r);
771fe6b912fca5 Jerome Glisse 2009-06-05 482 return r;
771fe6b912fca5 Jerome Glisse 2009-06-05 483 }
771fe6b912fca5 Jerome Glisse 2009-06-05 484

--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki

2023-06-01 14:46:25

by Christian König

[permalink] [raw]
Subject: Re: [PATCH] drm/radeon: fix race condition UAF in radeon_gem_set_domain_ioctl

On 26.05.23 at 14:37, Min Li wrote:
> Userspace can race to free the gobj (from which robj is converted); robj should not
> be accessed again after drm_gem_object_put, otherwise it will result in a
> use-after-free.
>
> Signed-off-by: Min Li <[email protected]>
> ---
> drivers/gpu/drm/radeon/radeon_gem.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/gpu/drm/radeon/radeon_gem.c b/drivers/gpu/drm/radeon/radeon_gem.c
> index bdc5af23f005..450c7cbdd28a 100644
> --- a/drivers/gpu/drm/radeon/radeon_gem.c
> +++ b/drivers/gpu/drm/radeon/radeon_gem.c
> @@ -478,7 +478,7 @@ int radeon_gem_set_domain_ioctl(struct drm_device *dev, void *data,
>
> drm_gem_object_put(gobj);
> up_read(&rdev->exclusive_lock);
> - r = radeon_gem_handle_lockup(robj->rdev, r);
> + r = radeon_gem_handle_lockup(rdev, r);

This also makes robj unused, which the kernel test robot also
complained about.

Please remove that local variable and re-submit.

Apart from that the patch looks good to me,
Christian.

> return r;
> }
>