Date: Sat, 25 Jul 2020 05:20:37 +0000
To: Duncan <1i5t5.duncan@cox.net>
From: Mazin Rezk
Cc: Paul Menzel, Kees Cook, linux-kernel@vger.kernel.org, amd-gfx@lists.freedesktop.org, dri-devel@lists.freedesktop.org, Andrew Morton, Christian König, Harry Wentland, Nicholas Kazlauskas, sunpeng.li@amd.com, Alexander Deucher, mphantomx@yahoo.com.br, regressions@leemhuis.info, anthony.ruhier@gmail.com
Subject: Re: [PATCH] amdgpu_dm: fix nonblocking atomic commit use-after-free
In-Reply-To: <20200724215914.6297cc7e@ws>
X-Mailing-List: linux-kernel@vger.kernel.org

On Saturday, July 25, 2020 12:59 AM, Duncan <1i5t5.duncan@cox.net> wrote:

> On Sat, 25 Jul 2020 03:03:52 +0000
> Mazin Rezk <mnrzk@protonmail.com> wrote:
>
> > > Am 24.07.20 um 19:33 schrieb Kees Cook:
> > >
> > > > There was a fix to disable the async path for this driver that
> > > > worked around the bug too, yes? That seems like a safer and more
> > > > focused change that doesn't revert the SLUB defense for all
> > > > users, and would actually provide a complete, I think, workaround
>
> > That said, I haven't seen the async disabling patch. If you could
> > link to it, I'd be glad to test it out and perhaps we can use that
> > instead.
>
> I'm confused. Not to put words in Kees' mouth; /I/ am confused (which
> admittedly could well be just because I make no claims to be a
> coder and am simply reading the bug and thread, but I'd appreciate some
> "unconfusing" anyway).
>
> My interpretation of the "async disabling" reference was that it was to
> comment #30 on the bug:
>
> https://bugzilla.kernel.org/show_bug.cgi?id=207383#c30
>
> ... which (if I'm not confused on this point too) appears to be yours.
> There it was stated...
>
> >>>>
>
> I've also found that this bug exclusively occurs when commit_work is on
> the workqueue.
> After forcing drm_atomic_helper_commit to run all of the
> commits without adding to the workqueue and running the OS, the issue
> seems to have disappeared.
> <<<<
>
> Would not forcing all commits to run directly, without placing them on
> the workqueue, be "async disabling"? That's what I /thought/ he was
> referencing.

Oh, I thought he was referring to a different patch. Kees, could I get
your confirmation on this?

The change I made actually affected all of the DRM code, although this could
easily be changed to be specific to amdgpu. (By forcing blocking on
amdgpu_dm's non-blocking commit code)

That said, I'd still need to test further because I only did test it for a
couple of hours then. Although it should work in theory.

> OTOH your base/context swap idea sounds like a possibly "less
> disturbance" workaround, if it works, and given the point in the
> commit cycle... (But if it's out Sunday it's likely too late to test
> and get it in now anyway; if it's another week, tho...)

The base/context swap idea should make the use-after-free behave how it did
in 5.6. Since the bug doesn't cause an issue in 5.6, it's less of a "less
disturbance" workaround and more of a "no disturbance" workaround.

Thanks,
Mazin Rezk

> --
> Duncan - No HTML messages please; they are filtered as spam.
> "Every nonfree program has a lord, a master --
> and if you use the program, he is your master." Richard Stallman