Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Message-ID: <7cf898fd-f3fe-061d-19ec-68d74627bd7d@amd.com>
Date:   Tue, 9 Aug 2022 15:28:08 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101
 Thunderbird/91.11.0
Subject: Re: [PATCH] drivers:gpu:drm:amd:amdgpu:amdgpu_cs.c:fix a potential
 use-after-free
Content-Language: en-US
To:     Wentao_Liang <Wentao_Liang_g@163.com>, alexander.deucher@amd.com,
        Xinhui.Pan@amd.com
Cc:     amd-gfx@lists.freedesktop.org, dri-devel@lists.freedesktop.org,
        linux-kernel@vger.kernel.org
References: <20220728121237.9201-1-Wentao_Liang_g@163.com>
From:   =?UTF-8?Q?Christian_K=c3=b6nig?= <christian.koenig@amd.com>
In-Reply-To: <20220728121237.9201-1-Wentao_Liang_g@163.com>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
MIME-Version: 1.0
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: =?utf-8?B?bkpOQjF4eTRHaVRzV2lVd2NIelpoakpkUVdUdmViY0R5T0l4Uk1VWVVNYk5q?=
 =?utf-8?B?NUpaNDBQTm14M2h0VGpRLzJYWW9QTjNYQys2TjhEKzZsREhEaWdYQ3BKTFVI?=
 =?utf-8?B?dmxraTJhMW9KbXQ3d09NU1F1NCtOU2J0ekNpZHJ5TFJBSExhUEM3V29aTXhx?=
 =?utf-8?B?WmdSMTN6b2RQR24zeXJSY3JUd3p4aTJIR2U5YkVEblhNUHdCWGoyUzRNN2Jw?=
 =?utf-8?B?VXV6MWY3WmxibzBLTDJmRTVpa0ZYbjRpd3kycENtOExwNWwwTHZrTXovMFNM?=
 =?utf-8?B?V0YrZHo3NkVpTHRZZHlJZngvOGZiVmgyT0pzRGE1aVNZSHgrUStXLzVNTjlB?=
 =?utf-8?B?WGc2L1gxYjBjNk10cnhBWXU2QnBRMUk2a1ZJMHFRdFZWQ3d4anc1cTNrVWk1?=
 =?utf-8?B?RXBwZThmZzMyQ1RUdjIxZDM2UFRTVkRWb1h0Tnc4VU1zOTdzbzdWQkd6Y1Nh?=
 =?utf-8?B?dnlGekNSTFpBdGVmZUFKUHUzQ25Cemp3a3NrZkpacGdHTnV2ODA2emcyUjNF?=
 =?utf-8?B?RUxhYWQ4Ump0NVl0TnNhY2FiekdtWUswRTdMZzJqM08wbm0yOW5CaU9XZTVq?=
 =?utf-8?B?RXNWcm1NbHJWOC9sa1gySENRN0U3dkJHcDJLVXUwMkFZY2NIRExPQ3VBRHo4?=
 =?utf-8?B?K2hjenF5b2g1ZEljZ2FjT2VmbnlZMFBEQjloa29uSnJ1cFNTeFl5TndjVE0z?=
 =?utf-8?B?VkFrRFlGZGhQand1allkZHZsWTVSN1pyL0VCazAxWEo3cHJ1aEorWjRVRVJ1?=
 =?utf-8?B?Wng0VGlxWS9RS0JVcUluWjZPYnQrQk42M0xPcWErMytZV0JTUDdpZ3dMZnRm?=
 =?utf-8?B?WUVQemphUzVqZDlKWU4zVVdpTlRYbXIrWWJSM2RxTjFsUGVER3UxdGN1Wlpk?=
 =?utf-8?B?UEZOM1BVTk1Bd09OcTJDZlllb0gzb0VUaVA2Qk43b0dWRDYvTVhucC9pN1lC?=
 =?utf-8?B?Qk5nZ1FPdjd1dGdFbjlxVldFUUpzQjEyeGFYa0dHdTRmVjV0UjYyK0lsZ1M4?=
 =?utf-8?B?ZXp2eCtmMXpRTHpDcDBGU2ZGMzFXYVFwNW5nbGZadlNnNnI2ZDlxckthZXVu?=
 =?utf-8?B?R3dISGw5K2ZZaVZUYWNxZjVTanF2QlZFK3RmaGpaTnBTKzBtb05GWEFxZzZP?=
 =?utf-8?B?bXpTUEpyb01zTnRCazR4V0pjcUpCOUVua1BWZGpFRnhSTkxkMWxMVkVmWmtI?=
 =?utf-8?B?cGRaRnkzRXpzWDkvWlQ2cmRrVThTVzhSVnVFUmJVYmZnZmRPTHZ5SFRKa3VJ?=
 =?utf-8?B?VGVOZWZpMUZOKzQrblovODZYbG9SOVJMR2t4ZEZFRndWMWpxY2pJSzlkZytP?=
 =?utf-8?B?NFN0OHhFanV2bHR5ditDaU55eGpWaG4zRXlhOGp6TDBlYmRCbGxTaDJYR1B4?=
 =?utf-8?B?eHNiaTFheS9lbXBFVHlwK0RjbXMxaUg4VEdpakVmdzVkMlhJRUt1eTUvVlNr?=
 =?utf-8?B?UHdzeWVhWnpBbGtLa1cveWxMMWVCY2dxVjlCUkVaazg4cFBJZm84RnJRMjZH?=
 =?utf-8?B?Z2wxdmRKcHBjSithZWNSNDFhZDZ3NnBWSklpa2paK3JpSUs1TFZhZmQxZTd3?=
 =?utf-8?B?UU9mbVhwSTJadmEwM0I0aVJ1M003WU80NDYvbk5OVXFRKzlScm9RRXdiSlVh?=
 =?utf-8?B?U3pkcWw5SzRSc2d2L3U2cGt3RnMzMEdUYTBnNWlFeUZRTkxNWXh5bmtBaUVV?=
 =?utf-8?B?VFhVT3QvZTNoY1JIZ0dDM1RBeHIyTnd2dXJGd0dpb3FWMFNNMnRzTHlnS0lR?=
 =?utf-8?B?bFg2K0RtdjVQWUJrYXd5M2JCbTdncGJTKy9KaXVsbFBUdzk4Q0hKd0NLZzFq?=
 =?utf-8?B?MXdheDdnNTdvQWtybzZ5UzVtTUVYMHN2VWlwNFJaZm9FMFFLV1hlTjFNRy9i?=
 =?utf-8?B?WGVLb0lNeEVjSTZxQnNzSCt0S1IyRUc0aFZ1WkdicEsybFZid2VodHJwNmhn?=
 =?utf-8?B?VjErRVJZWnFvKzM2TWxrM1pOS1RYS3BJajFjbFlGZndCeWZ4a0pUaHpYdUlL?=
 =?utf-8?B?ZU1IdnBOdXdlbDFmL1FVVUd3c1VRYmRsZHh0WmdhaFZHZkdOWGxQZlZqK0dZ?=
 =?utf-8?B?eDQvSUVIRVJqdXJjUUdkcWkwWExoNzU3NDVxTnBCK3NwbGRWRkJJN3g2OEl1?=
 =?utf-8?Q?TI1fBZN1nz7ezhDFUXsow5WI8?=
X-OriginatorOrg: amd.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 70b5a1d8-4a1f-40ca-fa47-08da7a0b02f0
X-MS-Exchange-CrossTenant-AuthSource: BN8PR12MB3587.namprd12.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 09 Aug 2022 13:28:14.1266
 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 3dd8961f-e488-4e60-8e11-a82d994e183d
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: UyMe0otblRCdCqceXNGz6IRVHFZUIJbew9eJymKOzTwTtBkDYTGTyYXB7Dvf6xkK
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MN2PR12MB4141
X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,
        DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,NICE_REPLY_A,RCVD_IN_DNSWL_NONE,
        RCVD_IN_MSPIKE_H2,SPF_HELO_PASS,SPF_PASS,T_SCC_BODY_TEXT_LINE
        autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Am 28.07.22 um 14:12 schrieb Wentao_Liang:
> in line 1535, "dma_fence_put(fence);" drop the reference to fence and may
> cause fence to be released. However, fence is used subsequently in line
> 1542 "fence->error". This may result in an use-after-free bug.
>
> It can be fixed by recording fence->error in a variable before dropping
> the reference to fence and referencing it after dropping.
>
> The bug has been confirmed by Christian König on 2021-08-16. Now, I
> resend this patch with my real name. I hope the patch can be updated
> in a near future.

The subject line should be something like "drm/amdgpu: fix potential use 
after free".

>
> Signed-off-by: Wentao_Liang <Wentao_Liang_g@163.com>
> ---
>   drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c | 7 ++++---
>   1 file changed, 4 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c
> index b28af04b0c3e..1d675a5838f2 100644
> --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c
> +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c
> @@ -1518,7 +1518,7 @@ static int amdgpu_cs_wait_all_fences(struct amdgpu_device *adev,
>   				     struct drm_amdgpu_fence *fences)
>   {
>   	uint32_t fence_count = wait->in.fence_count;
> -	unsigned int i;
> +	unsigned int i, error;

>   	long r = 1;
>   
>   	for (i = 0; i < fence_count; i++) {
> @@ -1533,14 +1533,15 @@ static int amdgpu_cs_wait_all_fences(struct amdgpu_device *adev,
>   
>   		r = dma_fence_wait_timeout(fence, true, timeout);
>   		dma_fence_put(fence);
> +		error = fence->error;

That's still the wrong order, you need to get the fence error before 
dropping the reference.

Christian.

>   		if (r < 0)
>   			return r;
>   
>   		if (r == 0)
>   			break;
>   
> -		if (fence->error)
> -			return fence->error;
> +		if (error)
> +			return error;
>   	}
>   
>   	memset(wait, 0, sizeof(*wait));