Date: Sat, 25 Jul 2020 03:03:52 +0000
From: Mazin Rezk
To: Paul Menzel
Cc: Kees Cook, linux-kernel@vger.kernel.org, amd-gfx@lists.freedesktop.org, dri-devel@lists.freedesktop.org, Andrew Morton, Christian König, Harry Wentland, Nicholas Kazlauskas, sunpeng.li@amd.com, Alexander Deucher, 1i5t5.duncan@cox.net, mphantomx@yahoo.com.br, regressions@leemhuis.info, anthony.ruhier@gmail.com
Subject: Re: [PATCH] amdgpu_dm: fix nonblocking atomic commit use-after-free
Message-ID: <_vGVoFJcOuoIAvGYtkyemUvqEFeZ-AdO4Jk8wsyVv3MwO-6NEVtULxnZzuBJNeHNkCsQ5Kxn5TPQ_VJ6qyj9wXXXX8v-hc3HptnCAu0UYsk=@protonmail.com>
In-Reply-To: <3c92db94-3b62-a70b-8ace-f5e34e8f268f@molgen.mpg.de>
References: <202007231524.A24720C@keescook> <202007241016.922B094AAA@keescook> <3c92db94-3b62-a70b-8ace-f5e34e8f268f@molgen.mpg.de>
X-Mailing-List: linux-kernel@vger.kernel.org

On Friday, July 24, 2020 5:19 PM, Paul Menzel wrote:

> Dear Kees,
>
> Am 24.07.20 um 19:33 schrieb Kees Cook:
>
> > On Fri, Jul 24, 2020 at 09:45:18AM +0200, Paul Menzel wrote:
> >
> > > Am 24.07.20 um 00:32 schrieb Kees Cook:
> > >
> > > > On Thu, Jul 23, 2020 at 09:10:15PM +0000, Mazin Rezk wrote:
> > > > As Linux 5.8-rc7 is going to be released this Sunday, I wonder, if commit
> > > > 3202fa62f ("slub: relocate freelist pointer to middle of object") should be
> > > > reverted for now to fix the regression for the users according to Linux’ no
> > > > regression policy. Once the AMDGPU/DRM driver issue is fixed, it can be
> > > > reapplied. I know it’s not optimal, but as some testing is going to be
> > > > involved for the fix, I’d argue it’s the best option for the users.
> >
> > Well, the SLUB defense was already released in v5.7, so I'm not sure it
> > really helps for amdgpu_dm users seeing it there too.
>
> In my opinion, it would help, as the stable release could pick up the
> revert, once it’s in Linus’ master branch.
>
> > There was a fix to disable the async path for this driver that worked
> > around the bug too, yes? That seems like a safer and more focused
> > change that doesn't revert the SLUB defense for all users, and would
> > actually provide a complete, I think, workaround whereas reverting
> > the SLUB change means the race still exists. For example, it would be
> > hit with slab poisoning, etc.
>
> I do not know. If there is such a fix, that would be great. But if you
> do not know, how should a normal user? ;-)
>
> Kind regards,
>
> Paul

If we're talking about workarounds now, I suggest simply swapping the base and context variables in struct dm_atomic_state. That way, we won't need to change non-amdgpu parts of the code (e.g. by reverting the SLUB patch).

Prior to 3202fa62f, the freelist pointer was stored in dm_state->base, which was never dereferenced and therefore caused no noticeable issue. After 3202fa62f, the freelist pointer is stored in the middle of the struct (i.e. dm_state->context). Swapping the position of the base and context variables in dm_atomic_state should, in theory, revert this code back to its pre-5.7 state, since the code would be back to overwriting base instead.

If we decide to use this workaround, I can write the patch and do more extended tests to confirm it works around the issues.

That said, I haven't seen the async disabling patch. If you could link to it, I'd be glad to test it out and perhaps we can use that instead.

Thanks,
Mazin Rezk
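A toy model of the field-order reasoning in the thread, added here as an illustration and not code from the thread, the amdgpu driver or mm/slub.c: the two-pointer struct, the names (state_base_first, state_ctx_first, toy_slub_free, context_clobbered) and the post-3202fa62f offset formula ALIGN_DOWN(size / 2, sizeof(void *)) are assumptions. It shows which field absorbs the freelist pointer under each field order, and that under both orders the pointer is still written into memory the stale reference points at, which is the point that the race itself remains.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Toy stand-ins for the two field orders discussed in the thread. Field
 * names follow the thread; modelling "base" as a single pointer (in the
 * real driver it is a struct drm_private_state) is an assumption. */
struct state_base_first { void *base; void *context; };   /* order in 5.7/5.8 */
struct state_ctx_first  { void *context; void *base; };   /* proposed swap    */

/* Where SLUB writes the freelist pointer inside a freed object: offset 0
 * before commit 3202fa62f, ALIGN_DOWN(size / 2, sizeof(void *)) after it
 * (assumed from the commit subject; verify against mm/slub.c). */
static size_t freelist_off_before(size_t object_size)
{
    (void)object_size;
    return 0;
}

static size_t freelist_off_after(size_t object_size)
{
    return (object_size / 2) & ~(sizeof(void *) - 1);
}

/* Toy kfree(): store the "next free object" pointer inside the freed object. */
static void toy_slub_free(void *obj, size_t freelist_off, void *next_free)
{
    memcpy((char *)obj + freelist_off, &next_free, sizeof next_free);
}

/* Simulate the stale access: the object is freed while a reference to it is
 * still live, and dm_state->context is read afterwards. Returns 1 if that
 * read now yields the freelist pointer instead of the stored context. */
static int context_clobbered(size_t object_size, size_t ctx_off, size_t freelist_off)
{
    unsigned char obj[64];                        /* holds either toy struct  */
    void *ctx  = (void *)(uintptr_t)0xC0FFEE;     /* constructed marker value */
    void *next = (void *)(uintptr_t)0xF4EE;       /* constructed "next free"  */
    void *seen;

    if (object_size > sizeof obj || ctx_off + sizeof ctx > object_size)
        return -1;                                /* guard against model misuse */
    memset(obj, 0, sizeof obj);
    memcpy(obj + ctx_off, &ctx, sizeof ctx);      /* dm_state->context = ctx; */
    toy_slub_free(obj, freelist_off, next);       /* kfree(dm_state);         */
    memcpy(&seen, obj + ctx_off, sizeof seen);    /* later: dm_state->context */
    return seen != ctx;
}
```

With base first, only the post-3202fa62f offset lands on context; with context first, only the old offset does, so the swap moves the corruption back onto base rather than removing the stale access.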