Date: Tue, 28 Mar 2023 22:57:32 +0200
From: Andi Shyti
To: Min Li
Cc: jani.nikula@linux.intel.com, intel-gfx@lists.freedesktop.org, linux-kernel@vger.kernel.org, dri-devel@lists.freedesktop.org, daniel@ffwll.ch, rodrigo.vivi@intel.com, airlied@gmail.com
Subject: Re: [Intel-gfx] [PATCH 1/1] drm/i915: fix race condition UAF in i915_perf_add_config_ioctl
In-Reply-To: <20230328093627.5067-1-lm0963hack@gmail.com>

Hi Min,

On Tue, Mar 28, 2023 at 05:36:27PM +0800, Min Li wrote:
> Userspace can guess the id value and try to race oa_config object creation
> with config remove, resulting in a use-after-free if we dereference the
> object after unlocking the metrics_lock. For that reason, unlocking the
> metrics_lock must be done after we are done dereferencing the object.
>
> Signed-off-by: Min Li

Thank you for your patch!

Reviewed-by: Andi Shyti

Andi

> ---
> drivers/gpu/drm/i915/i915_perf.c | 6 +++---
> 1 file changed, 3 insertions(+), 3 deletions(-)
> > diff --git a/drivers/gpu/drm/i915/i915_perf.c b/drivers/gpu/drm/i915/i915_perf.c > index 824a34ec0b83..93748ca2c5da 100644 > --- a/drivers/gpu/drm/i915/i915_perf.c > +++ b/drivers/gpu/drm/i915/i915_perf.c > @@ -4634,13 +4634,13 @@ int i915_perf_add_config_ioctl(struct drm_device *dev, void *data, > err = oa_config->id; > goto sysfs_err; > } > - > - mutex_unlock(&perf->metrics_lock); > + id = oa_config->id; > > drm_dbg(&perf->i915->drm, > "Added config %s id=%i\n", oa_config->uuid, oa_config->id); > + mutex_unlock(&perf->metrics_lock); > > - return oa_config->id; > + return id; > > sysfs_err: > mutex_unlock(&perf->metrics_lock); > -- > 2.25.1
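Review bot: The moved mutex_unlock(&perf->metrics_lock) on the success path of i915_perf_add_config_ioctl carries no comment saying why it must follow drm_dbg(), so a later cleanup could hoist it again and reopen the use-after-free; a one-line comment there, noting that oa_config must not be dereferenced once metrics_lock is dropped, would pin the ordering. The drm_dbg() call still reads oa_config->id although the value has just been copied into id; printing the local would leave oa_config->uuid as the only remaining dereference and make the reason for holding the lock obvious. The hunk assigns id without a visible declaration and the diffstat counts only three insertions, so confirm that the function already has an int local of that name. The quoted commit message carries only a Signed-off-by line; a Fixes: tag naming the commit that introduced the early unlock would help this use-after-free fix reach stable trees.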