Subject: Re: [PATCH] drm/panfrost: Prevent race when handling page fault
From: Steven Price
To: Daniel Vetter
Cc: Tomeu Vizoso, David Airlie, linux-kernel@vger.kernel.org, dri-devel, Alyssa Rosenzweig
Date: Fri, 13 Sep 2019 10:12:54 +0100
Message-ID: <3a82ea91-c178-0ada-d762-3f3802dfc7c5@arm.com>
References: <20190905121141.42820-1-steven.price@arm.com>
List-ID: linux-kernel@vger.kernel.org

On 07/09/2019 20:36, Daniel Vetter wrote:
> On Fri, Sep 6, 2019 at 2:42 PM Steven Price wrote:
>>
>> On 06/09/2019 12:10, Rob Herring wrote:
>>> On Thu, Sep 5, 2019 at 1:11 PM Steven Price wrote:
>>>>
>>>> When handling a GPU page fault addr_to_drm_mm_node() is used to
>>>> translate the GPU address to a buffer object. However it is possible for
>>>> the buffer object to be freed after the function has returned, resulting
>>>> in a use-after-free of the BO.
>>>>
>>>> Change addr_to_drm_mm_node to return the panfrost_gem_object with an
>>>> extra reference on it, preventing the BO from being freed until after
>>>> the page fault has been handled.
>>>>
>>>> Signed-off-by: Steven Price
>>>> ---
>>>>
>>>> I've managed to trigger this, generating the following stack trace.
>>>
>>> Humm, the assumption was that a fault could only happen during a job
>>> and so a reference would already be held. Otherwise, couldn't the GPU
>>> also be accessing the BO after it is freed?
>>
>> Ah, I guess I missed that in the commit message. This is assuming that
>> user space doesn't include the BO in the job even though the GPU then
>> does try to access it. AIUI mesa wouldn't do this, but this is still
>> easily possible if user space wants to crash the kernel.
>
> Do we have some nice regression tests for uapi exploits and corner
> cases like this? Maybe even in igt?
> -Daniel

Not currently. I've been playing with the idea of getting the
closed-source DDK blob running on Panfrost and this is what generates the
"not-quite-mesa" usage. It would definitely be good to extend the test
cases in IGT; I have a synthetic test which can trigger this - I just need
to get approval to post it.

Steve
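As an added illustration (not panfrost code, and not from anyone in this thread), a small C mock of the lookup-without-reference pattern the commit message describes, beside the reference-holding form it proposes. The names `bo`, `table`, `lookup_noref`, `lookup_ref` and `race` are invented for the example; the mock only flags an object as freed on its final put rather than really freeing it, so the vulnerable path can be observed safely.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdlib.h>
/* Mock refcounted buffer object (stand-in for panfrost_gem_object). */
struct bo {
    atomic_int refcount;
    unsigned long gpu_start, gpu_size;
    bool freed;                /* set on final put; the mock never really frees */
};
static struct bo *table[4];    /* stand-in for the driver's mm node list */
static void bo_put(struct bo *b)
{
    if (atomic_fetch_sub(&b->refcount, 1) == 1)
        b->freed = true;       /* the real driver would free the object here */
}
/* Vulnerable pattern: returns the object but takes no reference, so once the
 * lookup's lock is dropped another thread can release the last one. */
static struct bo *lookup_noref(unsigned long addr)
{
    for (int i = 0; i < 4; i++)
        if (table[i] && addr >= table[i]->gpu_start &&
            addr < table[i]->gpu_start + table[i]->gpu_size)
            return table[i];
    return NULL;
}

/* Fixed pattern: take a reference during the lookup (as drm_gem_object_get()
 * would) so the object outlives fault handling; the caller must bo_put(). */
static struct bo *lookup_ref(unsigned long addr)
{
    struct bo *b = lookup_noref(addr);
    if (b) atomic_fetch_add(&b->refcount, 1);
    return b;
}

/* Replays the race: the fault handler looks up the BO, then user space drops
 * its handle before the handler touches it. True = handler used a freed BO. */
static bool race(bool hold_ref)
{
    struct bo *b = calloc(1, sizeof *b);
    if (!b) return false;
    atomic_init(&b->refcount, 1);
    b->gpu_start = 0x1000; b->gpu_size = 0x1000; table[0] = b;
    struct bo *found = hold_ref ? lookup_ref(0x1800) : lookup_noref(0x1800);
    bo_put(b); table[0] = NULL;    /* handle closed: user reference gone */
    bool uaf = found->freed;       /* handler accesses the BO now */
    if (hold_ref) bo_put(found);   /* handler done with it */
    free(b);
    return uaf;
}
```

`race(false)` reports the use-after-free the thread describes; `race(true)` shows the extra reference keeping the object alive until the handler's own put.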