From: Dmitry Vyukov
Date: Tue, 5 Mar 2019 15:25:57 +0100
Subject: Re: [PATCH] drm/vkms: fix use-after-free when drm_gem_handle_create() fails
To: Rodrigo Siqueira
Cc: Eric Biggers, DRI, syzkaller-bugs, LKML, Haneen Mohammed, Daniel Vetter, Chris Wilson, stable
In-Reply-To: <20190304232312.qy6x2xmtueq22m3j@smtp.gmail.com>
References: <20190226213053.GC218103@gmail.com> <20190226220858.214438-1-ebiggers@kernel.org> <20190227231202.tycdbcqtk5ylwp4k@smtp.gmail.com> <20190304232312.qy6x2xmtueq22m3j@smtp.gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Mar 5, 2019 at 12:23 AM Rodrigo Siqueira wrote:
>
> On 02/28, Dmitry Vyukov wrote:
> > On Thu, Feb 28, 2019 at 12:12 AM Rodrigo Siqueira
> > wrote:
> > >
> > > On 02/26, Eric Biggers wrote:
> > > > From: Eric Biggers > > > > > > > > If drm_gem_handle_create() fails in vkms_gem_create(), then the > > > > vkms_gem_object is freed twice: once when the reference is dropped by > > > > drm_gem_object_put_unlocked(), and again by the extra calls to > > > > drm_gem_object_release() and kfree(). > > > > > > > > Fix it by skipping the second release and free. > > > > > > > > This bug was originally found in the vgem driver by syzkaller using > > > > fault injection, but I noticed it's also present in the vkms driver. > > > > > > > > Fixes: 559e50fd34d1 ("drm/vkms: Add dumb operations") > > > > Cc: Rodrigo Siqueira > > > > Cc: Haneen Mohammed > > > > Cc: Daniel Vetter > > > > Cc: Chris Wilson > > > > Cc: stable@vger.kernel.org > > > > Signed-off-by: Eric Biggers > > > > --- > > > > drivers/gpu/drm/vkms/vkms_gem.c | 5 +---- > > > > 1 file changed, 1 insertion(+), 4 deletions(-) > > > > > > > > diff --git a/drivers/gpu/drm/vkms/vkms_gem.c b/drivers/gpu/drm/vkms/vkms_gem.c > > > > index 138b0bb325cf9..69048e73377dc 100644 > > > > --- a/drivers/gpu/drm/vkms/vkms_gem.c > > > > +++ b/drivers/gpu/drm/vkms/vkms_gem.c 
> > > > @@ -111,11 +111,8 @@ struct drm_gem_object *vkms_gem_create(struct drm_device *dev, > > > > > > > > ret = drm_gem_handle_create(file, &obj->gem, handle); > > > > drm_gem_object_put_unlocked(&obj->gem); > > > > - if (ret) { > > > > - drm_gem_object_release(&obj->gem); > > > > - kfree(obj); > > > > + if (ret) > > > > return ERR_PTR(ret); > > > > - } > > > > > > > > return &obj->gem; > > > > }
> > > > --
> > > > 2.21.0.rc2.261.ga7da99ff1b-goog
> > > >
> > >
> > > Hi,
> > >
> > > Thanks for your patch! :)
> > >
> > > The patch looks good to me. I also tested it under the IGT tests on my
> > > local VM and everything was fine.
>
> Hi,
>
> Patch applied to drm-misc-fixes.
>
> > Hi Rodrigo,
> >
> > What are IGT tests? How can I run them?
>
> Hi Dmitry,
>
> IGT is a test suite focused on DRM drivers.
>
> You can clone the project using the link below:
>
> https://gitlab.freedesktop.org/drm/igt-gpu-tools.git
>
> In the README, you will find the software dependencies. After you
> install all the required packages, just use:
>
> mkdir build && meson build && cd build && ninja

Hi Rodrigo,

Thanks for the info, but this did not work for me.
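Review bot: the error path in this hunk is correct only because the drm_gem_object_put_unlocked() call directly above it drops the creator's reference, which on failure is the last one, so obj is freed through the object's normal free path before `return ERR_PTR(ret);` runs; nothing in the code says so, and that is exactly what the original author missed. Suggest a one-line comment above the put, along the lines of "on failure the put frees obj; on success the handle created by drm_gem_handle_create() owns the remaining reference", so that nobody reintroduces a release or kfree after it, and so that the success path's `return &obj->gem;` is visibly returning a pointer the function itself no longer holds a reference to. Since the commit message says the same bug was found in vgem and this patch only touches vkms, a reference to the vgem fix in the message would help the stable backport this is Cc'd to.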
I installed all recommended packages (including libdw-dev), but then got:

igt-gpu-tools$ mkdir -p build && meson build && cd build && ninja
The Meson build system
Version: 0.46.1
Source dir: /src/igt-gpu-tools
Build dir: /src/igt-gpu-tools/build
Build type: native build
Project name: igt-gpu-tools
Native C compiler: ccache cc (gcc 7.3.0 "cc (Debian 7.3.0-5) 7.3.0")
Build machine cpu family: x86_64
Build machine cpu: x86_64
Compiler for C supports arguments -Wbad-function-cast: YES
Compiler for C supports arguments -Wdeclaration-after-statement: YES
Compiler for C supports arguments -Wformat=2: YES
Compiler for C supports arguments -Wimplicit-fallthrough=0: YES
Compiler for C supports arguments -Wlogical-op: YES
Compiler for C supports arguments -Wmissing-declarations: YES
Compiler for C supports arguments -Wmissing-format-attribute: YES
Compiler for C supports arguments -Wmissing-noreturn: YES
Compiler for C supports arguments -Wmissing-prototypes: YES
Compiler for C supports arguments -Wnested-externs: YES
Compiler for C supports arguments -Wold-style-definition: YES
Compiler for C supports arguments -Wpointer-arith: YES
Compiler for C supports arguments -Wredundant-decls: YES
Compiler for C supports arguments -Wshadow: YES
Compiler for C supports arguments -Wstrict-prototypes: YES
Compiler for C supports arguments -Wuninitialized: YES
Compiler for C supports arguments -Wunused: YES
Compiler for C supports arguments -Wno-clobbered -Wclobbered: YES
Compiler for C supports arguments -Wno-maybe-uninitialized -Wmaybe-uninitialized: YES
Compiler for C supports arguments -Wno-missing-field-initializers -Wmissing-field-initializers: YES
Compiler for C supports arguments -Wno-pointer-arith -Wpointer-arith: YES
Compiler for C supports arguments -Wno-sign-compare -Wsign-compare: YES
Compiler for C supports arguments -Wno-type-limits -Wtype-limits: YES
Compiler for C supports arguments -Wno-unused-parameter -Wunused-parameter: YES
Compiler for C supports arguments -Wno-unused-result -Wunused-result: YES
Compiler for C supports arguments -Werror=address: YES
Compiler for C supports arguments -Werror=array-bounds: YES
Compiler for C supports arguments -Werror=implicit: YES
Compiler for C supports arguments -Werror=init-self: YES
Compiler for C supports arguments -Werror=int-to-pointer-cast: YES
Compiler for C supports arguments -Werror=main: YES
Compiler for C supports arguments -Werror=missing-braces: YES
Compiler for C supports arguments -Werror=nonnull: YES
Compiler for C supports arguments -Werror=pointer-to-int-cast: YES
Compiler for C supports arguments -Werror=return-type: YES
Compiler for C supports arguments -Werror=sequence-point: YES
Compiler for C supports arguments -Werror=trigraphs: YES
Compiler for C supports arguments -Werror=write-strings: YES
Found pkg-config: /usr/bin/pkg-config (0.29)
Native dependency libdrm found: YES 2.4.91
Native dependency libdrm_intel found: YES 2.4.91
Native dependency libdrm_nouveau found: YES 2.4.91
Native dependency libdrm_amdgpu found: YES 2.4.91
Native dependency pciaccess found: YES 0.13.4
Native dependency libkmod found: YES 24
Native dependency libprocps found: YES 3.3.15
Native dependency libunwind found: YES 1.21

meson.build:151:0: ERROR: Could not generate cargs for libdw:

A full log can be found at /src/igt-gpu-tools/build/meson-logs/meson-log.txt

and meson-log.txt ends with:

Compiler for C supports arguments -Werror=write-strings: YES
Found pkg-config: /usr/bin/pkg-config (0.29)
Determining dependency 'libdrm' with pkg-config executable '/usr/bin/pkg-config'
Native dependency libdrm found: YES 2.4.91
Determining dependency 'libdrm_intel' with pkg-config executable '/usr/bin/pkg-config'
Native dependency libdrm_intel found: YES 2.4.91
Determining dependency 'libdrm_nouveau' with pkg-config executable '/usr/bin/pkg-config'
Native dependency libdrm_nouveau found: YES 2.4.91
Determining dependency 'libdrm_amdgpu' with pkg-config executable '/usr/bin/pkg-config'
Native dependency libdrm_amdgpu found: YES 2.4.91
Determining dependency 'pciaccess' with pkg-config executable '/usr/bin/pkg-config'
Native dependency pciaccess found: YES 0.13.4
Determining dependency 'libkmod' with pkg-config executable '/usr/bin/pkg-config'
Native dependency libkmod found: YES 24
Determining dependency 'libprocps' with pkg-config executable '/usr/bin/pkg-config'
Native dependency libprocps found: YES 3.3.15
Determining dependency 'libunwind' with pkg-config executable '/usr/bin/pkg-config'
Native dependency libunwind found: YES 1.21
Determining dependency 'libdw' with pkg-config executable '/usr/bin/pkg-config'
meson.build:151:0: ERROR: Could not generate cargs for libdw:
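The double free that the patch quoted in this thread removes, reduced to a user-space model so it can be run without a kernel. This is an added example, not vkms or DRM code: gem_put(), gem_handle_create() and obj_kfree() are stand-ins for drm_gem_object_put_unlocked(), drm_gem_handle_create() and drm_gem_object_release() plus kfree(), the fixed pool stands in for the slab and counts repeat frees the way KASAN would report them, and the inject_handle_failure switch plays the role syzkaller's fault injection did. Both the pre-fix and the patched error path are exercised so the difference is measurable.

```c
/* User-space model of the vkms_gem_create() error-path double free
 * (added example, not vkms code; all names are stand-ins). */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define POOL_SIZE 4   /* fixed pool: a second free is counted, not UB */

struct gem_object { int refcount; };      /* stand-in for drm_gem_object */

struct vkms_obj {                         /* stand-in for vkms_gem_object */
	struct gem_object gem;            /* first member: gem_put() casts back */
	bool live;                        /* pool bookkeeping, not driver state */
};

static struct vkms_obj pool[POOL_SIZE];
static int frees;                         /* kfree() calls observed */
static int double_frees;                  /* kfree() of an already freed obj */
static bool inject_handle_failure;        /* fault injection, as syzkaller did */

static struct vkms_obj *obj_alloc(void)
{
	for (int i = 0; i < POOL_SIZE; i++)
		if (!pool[i].live) {
			memset(&pool[i], 0, sizeof(pool[i]));
			pool[i].live = true;
			return &pool[i];
		}
	return NULL;
}

static void obj_kfree(struct vkms_obj *o)
{
	frees++;
	if (!o->live)
		double_frees++;           /* the bug being modelled */
	o->live = false;
}

/* Dropping the last reference frees the object, as the GEM core does from
 * drm_gem_object_put_unlocked() through the driver's free callback. */
static void gem_put(struct gem_object *gem)
{
	if (--gem->refcount == 0)
		obj_kfree((struct vkms_obj *)gem);
}

/* A successfully created handle owns its own reference; failure takes none. */
static int gem_handle_create(struct gem_object *gem, unsigned int *handle)
{
	if (inject_handle_failure)
		return -ENOMEM;
	gem->refcount++;
	*handle = 1;
	return 0;
}

/* fixed == false: the pre-patch path. gem_put() dropped the creator's
 * reference, so on failure obj is already gone and the explicit release +
 * kfree touch freed memory. fixed == true: the patched path, which only
 * propagates the error and never touches obj after the put. */
static int vkms_gem_create(unsigned int *handle, bool fixed)
{
	struct vkms_obj *obj = obj_alloc();
	if (!obj)
		return -ENOMEM;
	obj->gem.refcount = 1;

	int ret = gem_handle_create(&obj->gem, handle);
	gem_put(&obj->gem);
	if (ret) {
		if (!fixed)
			obj_kfree(obj);   /* second free: use-after-free */
		return ret;
	}
	return 0;                         /* the handle's reference keeps obj alive */
}

struct outcome { int ret, frees, double_frees; };

/* Run vkms_gem_create() on a fresh pool, with or without the injected fault. */
static struct outcome run(bool fixed, bool fail)
{
	struct outcome o;
	unsigned int handle = 0;

	memset(pool, 0, sizeof(pool));
	frees = double_frees = 0;
	inject_handle_failure = fail;
	o.ret = vkms_gem_create(&handle, fixed);
	o.frees = frees;
	o.double_frees = double_frees;
	return o;
}

int main(void)
{
	struct outcome b = run(false, true), a = run(true, true);
	printf("before fix: ret=%d frees=%d double_frees=%d\n", b.ret, b.frees, b.double_frees);
	printf("after fix:  ret=%d frees=%d double_frees=%d\n", a.ret, a.frees, a.double_frees);
	return 0;
}
```

Build with `cc -std=c99 -Wall` and run: with the injected failure the pre-fix path reports two frees and one double free, the patched path one free and none; without the failure neither path frees anything, because the handle created by gem_handle_create() holds the surviving reference, which is also why the driver may return &obj->gem after its own put. The shape to grep for in other drivers is the same: a put that can be the last reference, followed by any use or cleanup of the object on the error path.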