Message-ID: <04ec647c-184e-942e-a7ed-4ba393e591b7@linux.intel.com>
Date: Wed, 4 Jan 2023 09:33:54 +0000
Subject: Re: [PATCH] drm/i915: Fix potential context UAFs
From: Tvrtko Ursulin
Organization: Intel Corporation UK Plc
To: Rob Clark, dri-devel@lists.freedesktop.org
Cc: Rob Clark, Jani Nikula, Joonas Lahtinen, Rodrigo Vivi, David Airlie, Daniel Vetter, Chris Wilson, Andi Shyti, John Harrison, Matthew Brost, katrinzhou, Thomas Hellström, "open list:INTEL DRM DRIVERS", open list
References: <20230103234948.1218393-1-robdclark@gmail.com>
In-Reply-To: <20230103234948.1218393-1-robdclark@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On 03/01/2023 23:49, Rob Clark wrote:
> From: Rob Clark
>
> gem_context_register() makes the context visible to userspace, at which
> point a separate thread can trigger the I915_GEM_CONTEXT_DESTROY ioctl.
> So we need to ensure that nothing uses the ctx ptr after this. And we
> need to ensure that adding the ctx to the xarray is the *last* thing
> that gem_context_register() does with the ctx pointer.

Any backtraces from oopses or notes on how it was found to record in the commit message?

> Signed-off-by: Rob Clark

Fixes: a4c1cdd34e2c ("drm/i915/gem: Delay context creation (v3)")
References: 3aa9945a528e ("drm/i915: Separate GEM context construction and registration to userspace")
Cc: # v5.15+

> ---
> drivers/gpu/drm/i915/gem/i915_gem_context.c | 24 +++++++++++++++------
> 1 file changed, 18 insertions(+), 6 deletions(-)
>
> diff --git a/drivers/gpu/drm/i915/gem/i915_gem_context.c b/drivers/gpu/drm/i915/gem/i915_gem_context.c > index 7f2831efc798..6250de9b9196 100644 > --- a/drivers/gpu/drm/i915/gem/i915_gem_context.c > +++ b/drivers/gpu/drm/i915/gem/i915_gem_context.c > @@ -1688,6 +1688,10 @@ void i915_gem_init__contexts(struct drm_i915_private *i915) > init_contexts(&i915->gem.contexts); > } > > +/* > + * Note that this implicitly consumes the ctx reference, by placing > + * the ctx in the context_xa. > + */ > static void gem_context_register(struct i915_gem_context *ctx, > struct drm_i915_file_private *fpriv, > u32 id) > @@ -1703,10 +1707,6 @@ static void gem_context_register(struct i915_gem_context *ctx, > snprintf(ctx->name, sizeof(ctx->name), "%s[%d]", > current->comm, pid_nr(ctx->pid)); > > - /* And finally expose ourselves to userspace via the idr */ > - old = xa_store(&fpriv->context_xa, id, ctx, GFP_KERNEL); > - WARN_ON(old); > - > spin_lock(&ctx->client->ctx_lock); > list_add_tail_rcu(&ctx->client_link, &ctx->client->ctx_list); > spin_unlock(&ctx->client->ctx_lock);
> @@ -1714,6 +1714,10 @@ static void gem_context_register(struct i915_gem_context *ctx, > spin_lock(&i915->gem.contexts.lock); > list_add_tail(&ctx->link, &i915->gem.contexts.list); > spin_unlock(&i915->gem.contexts.lock); > + > + /* And finally expose ourselves to userspace via the idr */ > + old = xa_store(&fpriv->context_xa, id, ctx, GFP_KERNEL); > + WARN_ON(old);

Have you seen that this hunk is needed or just moving it for a good measure? To be clear, it is probably best to move it even if the current placement cannot cause any problems, I am just double-checking if you had any concrete observations here while mulling over easier stable backports if we would omit it.

> } > > int i915_gem_context_open(struct drm_i915_private *i915, > @@ -2199,14 +2203,22 @@ finalize_create_context_locked(struct drm_i915_file_private *file_priv, > if (IS_ERR(ctx)) > return ctx; > > + /* > + * One for the xarray and one for the caller. We need to grab > + * the reference *prior* to making the ctx visble to userspace > + * in gem_context_register(), as at any point after that > + * userspace can try to race us with another thread destroying > + * the context under our feet. > + */ > + i915_gem_context_get(ctx); > + > gem_context_register(ctx, file_priv, id); > > old = xa_erase(&file_priv->proto_context_xa, id); > GEM_BUG_ON(old != pc); > proto_context_close(file_priv->dev_priv, pc); > > - /* One for the xarray and one for the caller */ > - return i915_gem_context_get(ctx); > + return ctx;

Otherwise userspace can look up a context which hasn't had its reference count increased yep.

I can add the Fixes: and Stable: tags while merging if no complaints.

Reviewed-by: Tvrtko Ursulin

Regards,

Tvrtko

> } > > struct i915_gem_context *
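Review bot: the new comment on gem_context_register() in the @@ -1688 hunk records that the function consumes the ctx reference but not the ordering rule the commit message relies on, namely that the xa_store() publishing ctx must stay the last access to ctx in the function, because a racing I915_GEM_CONTEXT_DESTROY can drop that reference as soon as the entry is visible. Suggest one more sentence in that comment, e.g. ` * Nothing may touch ctx after the xa_store() below: once the entry is` / ` * visible, a concurrent DESTROY ioctl can free it.`, so that a later edit appending code after the store does not silently reintroduce the use-after-free.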
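Review bot: in the @@ -1714 hunk the moved comment still says "via the idr" while the store is into an xarray (fpriv->context_xa); since the line is being relocated anyway, update it to say the xarray. The same hunk is also where the commit message should say whether the list_add_tail_rcu(&ctx->client_link, ...) and list_add_tail(&ctx->link, ...) that previously ran after the publish were actually observed racing a destroy, since the reviewer question above about whether this hunk is needed bears directly on how easily the fix backports to stable.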
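Review bot: typo in the added comment in the @@ -2199 hunk, "visble" should be "visible". The comment's first sentence, "One for the xarray and one for the caller", was carried over from the removed `/* One for the xarray and one for the caller */` but now sits above a single i915_gem_context_get(ctx); it only reads correctly together with the new gem_context_register() comment saying the creation reference is consumed by the xarray. Suggest stating that explicitly, e.g. ` * The creation reference is consumed by the xarray in gem_context_register();` / ` * take the caller's reference here, before publishing, because ...`, which also documents why `return ctx;` without a further get is now correct.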