Received: by 2002:a25:e74b:0:0:0:0:0 with SMTP id e72csp1703341ybh; Thu, 23 Jul 2020 15:59:16 -0700 (PDT) X-Google-Smtp-Source: ABdhPJz5o4w9iHjgSoaOPcduy6KlrmapYxd8x8mXyVBIfmN0C8vGPw8/Bgj4eCQqVCa+KG6wHCmA X-Received: by 2002:aa7:c909:: with SMTP id b9mr6273661edt.111.1595545156571; Thu, 23 Jul 2020 15:59:16 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1595545156; cv=none; d=google.com; s=arc-20160816; b=fVisNaCqnw8rxGbVFmKg2lLMnBQu/XsTBcluoTy478GUzck8haOv+yilYUEQuZGUVD 5RX9+H3AW2Qd9PTJiLDyaAjN0GptyGv6qm3ZSnPXY7x3fGj8IkFrX71DUFnJmu6nOo4X b+e7ZTMMcOOe71MfNWM99hasVgle1dH3Z/iixFmb9ZyOK4kPocQ1yvSHXF1aMo3CvyPF ZEfGTJMG8QEBqBDhYBDImEUoDoW5iNKOFk0jO6uqipOgx+agXrF5D9UF4lRx85wcm50l YRF3P3wrAgWjbUVD0YMqtvJNvK612XgGTKARn4bLw0ismPTTQ6U5arbtCASkL2iqYptG 48gA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :references:in-reply-to:message-id:subject:reply-to:cc:from:to :dkim-signature:date; bh=lg9xOnMsFhhdqALv0aeP/Vx2Gofelvm+74wmCknZsFo=; b=qRSPz5j3956olVj3awFOnf2fcrIo9hPd7bz2qj/JKboIgULzbolP47QoVMUH8wsL9n URUAqfDmo1OrwpXo7i+GD3Xh8PnviVH7Cn2U2MMPWqTLBYU58dwL2rLxcu/IDx98Z9XV kA4k0H+ZQr+us0tj74DGc5wDjOPNLveZxYdIc2dA1GHfwQIvLeCTTbEkRg2RSD9kJ6/I q4RW4xmI0vCKZt0leV4vunJXHUMm1IUtRCAXh/bV5CyVAr4RLzlkriKaen0W6wUVNeHS FBjrHdYPwIFZnViwXuDxidCj93z1ChalBs+fHbUD1YNfB6zdWzv/PGb3Ze/4MjaMnNhL xrew== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@protonmail.com header.s=protonmail header.b=wJWQyTrN; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=protonmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id n5si2855895ejc.171.2020.07.23.15.58.54; Thu, 23 Jul 2020 15:59:16 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@protonmail.com header.s=protonmail header.b=wJWQyTrN; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=protonmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727091AbgGWW6f (ORCPT + 99 others); Thu, 23 Jul 2020 18:58:35 -0400 Received: from mail4.protonmail.ch ([185.70.40.27]:22437 "EHLO mail4.protonmail.ch" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726608AbgGWW6e (ORCPT ); Thu, 23 Jul 2020 18:58:34 -0400 Date: Thu, 23 Jul 2020 22:58:25 +0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=protonmail.com; s=protonmail; t=1595545112; bh=lg9xOnMsFhhdqALv0aeP/Vx2Gofelvm+74wmCknZsFo=; h=Date:To:From:Cc:Reply-To:Subject:In-Reply-To:References:From; b=wJWQyTrNxzYCugTunHerczbSVBPFAyOkFnBt7X5S1XVzsUu/CqTghfT5XKiJqfCMb G1g3xRBuQI4aoyJodntEqzHGTw4zt+dQyEA0OkIP7e/Z9Q+YFww7/QLZdrEgJ35/qn M4P8GF7YJgW5MjILTKRXcogl6z7WEMPnUhlcPT04= To: Kees Cook From: Mazin Rezk Cc: Mazin Rezk , "linux-kernel@vger.kernel.org" , "amd-gfx@lists.freedesktop.org" , "dri-devel@lists.freedesktop.org" , "akpm@linux-foundation.org" , "christian.koenig@amd.com" , "harry.wentland@amd.com" , "nicholas.kazlauskas@amd.com" , "sunpeng.li@amd.com" , "alexander.deucher@amd.com" , "1i5t5.duncan@cox.net" <1i5t5.duncan@cox.net>, "mphantomx@yahoo.com.br" , "regressions@leemhuis.info" , "anthony.ruhier@gmail.com" , "pmenzel@molgen.mpg.de" Reply-To: Mazin Rezk Subject: Re: [PATCH] amdgpu_dm: fix nonblocking atomic commit use-after-free Message-ID: <4KGdosy_NHW6FYCc2rCq4e71vYI7e4InqrLJ4S1GJsLcfjHv_INF-CzIYusOFqznOxyvflBTlFCXvyy7J37fn-QKfNOQK78MM38VdjdUXks=@protonmail.com> In-Reply-To: <202007231524.A24720C@keescook> References: <202007231524.A24720C@keescook> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-Spam-Status: No, score=-0.5 required=7.0 tests=ALL_TRUSTED,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM,HK_RANDOM_REPLYTO shortcircuit=no autolearn=disabled version=3.4.4 X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on mail.protonmail.ch Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thursday, July 23, 2020 6:32 PM, Kees Cook wrote= : > On Thu, Jul 23, 2020 at 09:10:15PM +0000, Mazin Rezk wrote: > > > When amdgpu_dm_atomic_commit_tail is running in the workqueue, > > drm_atomic_state_put will get called while amdgpu_dm_atomic_commit_tail= is > > running, causing a race condition where state (and then dm_state) is > > sometimes freed while amdgpu_dm_atomic_commit_tail is running. This bug= has > > occurred since 5.7-rc1 and is well documented among polaris11 users [1]= . > > Prior to 5.7, this was not a noticeable issue since the freelist pointe= r > > was stored at the beginning of dm_state (base), which was unused. After > > changing the freelist pointer to be stored in the middle of the struct,= the > > freelist pointer overwrote the context, causing dc_state to become garb= age > > data and made the call to dm_enable_per_frame_crtc_master_sync derefere= nce > > a freelist pointer. > > This patch fixes the aforementioned issue by calling drm_atomic_state_g= et > > in amdgpu_dm_atomic_commit before drm_atomic_helper_commit is called an= d > > drm_atomic_state_put after amdgpu_dm_atomic_commit_tail is complete. > > According to my testing on 5.8.0-rc6, this should fix bug 207383 on > > Bugzilla [1]. > > [1] https://bugzilla.kernel.org/show_bug.cgi?id=3D207383 > > Nice work tracking this down! > > > Fixes: 3202fa62f ("slub: relocate freelist pointer to middle of object"= ) > > I do, however, object to this Fixes tag. :) The flaw appears to have > been with amdgpu_dm's reference tracking of "state" in the nonblocking > case. (How this reference counting is supposed to work correctly, though, > I'm not sure.) If I look at where the drm helper was split from being > the default callback, it looks like this was what introduced the bug: > > da5c47f682ab ("drm/amd/display: Remove acrtc->stream") > > ? 3202fa62f certainly exposed it much more quickly, but there was a race > even without 3202fa62f where something could have realloced the memory > and written over it. > > -------------------------------------------------------------------------= ---------------------------------------------------------------------------= ------------------- > > Kees Cook Thanks, I'll be sure to avoid using 3202fa62f as the cause next time. I just thought to do that because it was what made the use-after-free cause a noticeable bug. Also, by the way, I just realised the patch didn't completely solve the bug= . Sorry about that, making an LKML thread on this was hasty on my part. Shoul= d I get further confirmation from the Bugzilla thread before submitting a pat= ch for this bug in the future? Thanks, Mazin Rezk