Received: by 2002:a05:6358:11c7:b0:104:8066:f915 with SMTP id i7csp4354150rwl;
        Tue, 28 Mar 2023 06:12:23 -0700 (PDT)
X-Google-Smtp-Source: AKy350Y/JiceFP5i57mZfV50IkKfyKeBiYDKhYDwyUrSYw8jmooCTQhpTdfU/Rg6QHtPP4sCYh2I
X-Received: by 2002:a17:906:5589:b0:88a:2e57:9813 with SMTP id y9-20020a170906558900b0088a2e579813mr17327368ejp.33.1680009143022;
        Tue, 28 Mar 2023 06:12:23 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1680009143; cv=none;
        d=google.com; s=arc-20160816;
        b=FZM6Hl0clOebto0qAH/Nb4r1ofbY3H2qFk9nFIvXgJ/wKJI8aeH5hxGiLAWA8Jntr7
         FvrtlbYLx94ihF4A4qwS7UnfzyL71OdrbQ4loF+saSvM4cmSdc4/kKiLHmFX2t/5u0JI
         72sj//JnuOW03T9CmVOTdXWHcUHRflPDpM6NyUluk0IjSTmxLbvTh0BaysRg/Bw4U0+j
         gzrhwUMc9hhipACiRNmEv1lBM8jfNM2jG+5pJBGbvUcITx6nvhSXY5bSld3FJ/ysLQJk
         UQTC4SEG/zBFn16JOYAlHxCw4A6oI/FdJVYCthvfYJpHACL//c3w/Hrrh7MtOA0XRxyZ
         I+Tw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:in-reply-to
         :organization:from:references:cc:to:content-language:subject
         :user-agent:mime-version:date:message-id:dkim-signature;
        bh=P+nVTTD//2jOFIgnM/uZwbCmKRTo3Q9R93ZuWJQYXgo=;
        b=Az+GwPKyTup4Fvsboy0gXX12mWVTHHPwZJr8g+kR9/sg5p2TOspIknJngLSaX8Cqm8
         /Q0unnd9pZgBqo1hS+ZhR65MKeHOWC3IQCjVxXwsMh39JUBzTK1nHjtRQozwB/Ft5r7j
         66ZQuvuWCzi06iYS2OA1R0/9PclmfkllzPypM7tFDDseD2WWGmoh+63d6BNeDYaIK1Uk
         a0/yyNa7H7OzykiXlz0GNTgzXkvBQRsZoYbVemX1i0xRPeM12DC1KvJciQ3hegILRDiX
         M6Z5azytHSWZNm0zXQpwe3AxVAi1E0nbU/RmIrh/nIzgvcIk1Dfvc2xi37WyuSQTV3Sn
         wCtA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@intel.com header.s=Intel header.b=WM6I0bTs;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=intel.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id d25-20020a170906305900b008be2daad93dsi25825016ejd.839.2023.03.28.06.11.51;
        Tue, 28 Mar 2023 06:12:22 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@intel.com header.s=Intel header.b=WM6I0bTs;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=intel.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S232507AbjC1NKU (ORCPT <rfc822;andrew.melo@gmail.com>
        + 99 others); Tue, 28 Mar 2023 09:10:20 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:47808 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S232604AbjC1NKS (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 28 Mar 2023 09:10:18 -0400
Received: from mga14.intel.com (mga14.intel.com [192.55.52.115])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id D2488BB98
        for <linux-kernel@vger.kernel.org>; Tue, 28 Mar 2023 06:09:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
  d=intel.com; i=@intel.com; q=dns/txt; s=Intel;
  t=1680008960; x=1711544960;
  h=message-id:date:mime-version:subject:to:cc:references:
   from:in-reply-to:content-transfer-encoding;
  bh=hEsefQeZT5HOexkYp5BwuMTDiULU+5IKf5YZR+PdMrw=;
  b=WM6I0bTsizoIEvLeqeSbpMmoZA1c3MkYpzB4lOzpKGNP+sHW+4dPtHW+
   Ug4ELSyqOYlZIgkPBvcMDSxbEUiC/JQwewbWYEdcXHWp+YI2Tx8dJr21v
   VQEu/E+b9gh3ETD7QoesReforHeF66kzUzLtiomEaKr9Jh3TIokNvbqnL
   g4S7mlyEBP4Pv2/vpwVg/uB9NyQ0je3z12A0xjsWCnOYukWHhpsWB+38G
   xB6UUvgHjR6EIWecLGe1A4LZJualy8tHUnWD9kyvpq9g28v/PvpenScF1
   ELrGy9bTdNotKmdsKykenndDMFOLY6cTpTr304yWAeR0OYam+IWM+YBk4
   Q==;
X-IronPort-AV: E=McAfee;i="6600,9927,10662"; a="340581919"
X-IronPort-AV: E=Sophos;i="5.98,297,1673942400"; 
   d="scan'208";a="340581919"
Received: from fmsmga008.fm.intel.com ([10.253.24.58])
  by fmsmga103.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 28 Mar 2023 06:08:51 -0700
X-ExtLoop1: 1
X-IronPort-AV: E=McAfee;i="6600,9927,10662"; a="748396269"
X-IronPort-AV: E=Sophos;i="5.98,297,1673942400"; 
   d="scan'208";a="748396269"
Received: from wheelerj-mobl.ger.corp.intel.com (HELO [10.213.213.242]) ([10.213.213.242])
  by fmsmga008-auth.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 28 Mar 2023 06:08:49 -0700
Message-ID: <e7541f73-f100-3b1f-de80-376fa55f2479@linux.intel.com>
Date:   Tue, 28 Mar 2023 14:08:47 +0100
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101
 Thunderbird/102.8.0
Subject: Re: [PATCH 1/1] drm/i915: fix race condition UAF in
 i915_perf_add_config_ioctl
Content-Language: en-US
To:     Min Li <lm0963hack@gmail.com>, jani.nikula@linux.intel.com,
        Umesh Nerlige Ramappa <umesh.nerlige.ramappa@intel.com>,
        Lionel Landwerlin <lionel.g.landwerlin@intel.com>
Cc:     joonas.lahtinen@linux.intel.com, rodrigo.vivi@intel.com,
        airlied@gmail.com, daniel@ffwll.ch,
        intel-gfx@lists.freedesktop.org, dri-devel@lists.freedesktop.org,
        linux-kernel@vger.kernel.org
References: <20230328093627.5067-1-lm0963hack@gmail.com>
From:   Tvrtko Ursulin <tvrtko.ursulin@linux.intel.com>
Organization: Intel Corporation UK Plc
In-Reply-To: <20230328093627.5067-1-lm0963hack@gmail.com>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
X-Spam-Status: No, score=-0.4 required=5.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED,
        DKIM_VALID,DKIM_VALID_EF,HK_RANDOM_ENVFROM,HK_RANDOM_FROM,NICE_REPLY_A,
        RCVD_IN_DNSWL_MED,SPF_HELO_NONE,SPF_NONE autolearn=unavailable
        autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org


On 28/03/2023 10:36, Min Li wrote:
> Userspace can guess the id value and try to race oa_config object creation
> with config remove, resulting in a use-after-free if we dereference the
> object after unlocking the metrics_lock.  For that reason, unlocking the
> metrics_lock must be done after we are done dereferencing the object.
> 
> Signed-off-by: Min Li <lm0963hack@gmail.com>

Fixes: f89823c21224 ("drm/i915/perf: Implement I915_PERF_ADD/REMOVE_CONFIG interface")
Cc: Lionel Landwerlin <lionel.g.landwerlin@intel.com>
Cc: Umesh Nerlige Ramappa <umesh.nerlige.ramappa@intel.com>
Cc: <stable@vger.kernel.org> # v4.14+

> ---
>   drivers/gpu/drm/i915/i915_perf.c | 6 +++---
>   1 file changed, 3 insertions(+), 3 deletions(-)
> 
> diff --git a/drivers/gpu/drm/i915/i915_perf.c b/drivers/gpu/drm/i915/i915_perf.c
> index 824a34ec0b83..93748ca2c5da 100644
> --- a/drivers/gpu/drm/i915/i915_perf.c
> +++ b/drivers/gpu/drm/i915/i915_perf.c
> @@ -4634,13 +4634,13 @@ int i915_perf_add_config_ioctl(struct drm_device *dev, void *data,
>   		err = oa_config->id;
>   		goto sysfs_err;
>   	}
> -
> -	mutex_unlock(&perf->metrics_lock);
> +	id = oa_config->id;
>   
>   	drm_dbg(&perf->i915->drm,
>   		"Added config %s id=%i\n", oa_config->uuid, oa_config->id);
> +	mutex_unlock(&perf->metrics_lock);
>   
> -	return oa_config->id;
> +	return id;
>   
>   sysfs_err:
>   	mutex_unlock(&perf->metrics_lock);

LGTM.

Reviewed-by: Tvrtko Ursulin <tvrtko.ursulin@intel.com>

Umesh or Lionel could you please double check? I can merge if confirmed okay.

Regards,

Tvrtko