Received: by 2002:a05:6358:11c7:b0:104:8066:f915 with SMTP id i7csp4988302rwl;
        Tue, 28 Mar 2023 14:26:36 -0700 (PDT)
X-Google-Smtp-Source: AKy350YFvM3mIZmcIw4x4nD08GFMi5wq386mz9ihbd67CSLG0yTaNlvIBxyhWfjBQdMLo5PGYuCx
X-Received: by 2002:a17:903:4305:b0:1a1:85d4:a775 with SMTP id jz5-20020a170903430500b001a185d4a775mr14712855plb.29.1680038796332;
        Tue, 28 Mar 2023 14:26:36 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1680038796; cv=none;
        d=google.com; s=arc-20160816;
        b=N9AN2OO54kH2IlRt9F84TaH52FPJizTijulBJF24L39fAQMqAQGU8OEpIPOyTYXoMH
         2Ggbmjcfuu7grmEgHAuZdOMgcsn6KFrHb1x/xVze/tQ/bCoNFVUA+raXdIGWM3p7C0nq
         IoU212kNA4MeodjiuSqPGeyzjYYkTX0ugVPMk4V4kIprwTuQRktDO4a8QZkt1/v1azVm
         kfiZTnWWl4CTqfspIUjwyVCGyqYJlqo04MgAOPQhk3zTKBhukpTQf3Z73+6ZytU2ocIO
         /GiHWEznqfGtCX73hHwIPRpBkTLn0AlRS175XEx4trU5wd5z6fLtlSdL+nZjQcbY8KRi
         HNyg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:in-reply-to:content-disposition:mime-version
         :references:message-id:subject:cc:to:from:date:dkim-signature;
        bh=Uc7WuxxwMPflhXlRmT9/H4IiIoZ9STb1ks53OkvOKbE=;
        b=o+MGCEAoPsCW2f8wxD0wHVB0A0B/b9hZ1/fjk1emeGMknCIDVYxl0D8HCkFYulT+tv
         jIZS2IPW7Vh6/sgP1fpkp9mjuc0S3/oqjWGLYCjrEU6Xh7JXOeq+YPNvhMZqOJzmzf42
         AG7OFnKRc/d8Do1cDsBdY7A7YRDGos1qNKkXUAyQVf5/LY0MQZawBfYzrl8fgVGSPast
         lb7HVNiZQoz0LhJNEsA2eTjPEmoiqY6fczEqfTUCbeVF6HPH0BkxmD5fELvvWnbOKouq
         fdmG9IVFGKZsjtOVwOhQceGmOdRKrwLiwXbagTZBsSayv5wY+gpl4Ubn9jFWR7UnVcf4
         w3aw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@intel.com header.s=Intel header.b=LglhwN39;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=intel.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id b7-20020a656687000000b004e018302ac3si20772768pgw.612.2023.03.28.14.26.22;
        Tue, 28 Mar 2023 14:26:36 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@intel.com header.s=Intel header.b=LglhwN39;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=intel.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S229780AbjC1VIu (ORCPT <rfc822;andrey.bzh.r@gmail.com>
        + 99 others); Tue, 28 Mar 2023 17:08:50 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:50056 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S229569AbjC1VIs (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 28 Mar 2023 17:08:48 -0400
Received: from mga11.intel.com (mga11.intel.com [192.55.52.93])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 8FF63210C;
        Tue, 28 Mar 2023 14:08:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
  d=intel.com; i=@intel.com; q=dns/txt; s=Intel;
  t=1680037718; x=1711573718;
  h=date:from:to:cc:subject:message-id:references:
   mime-version:in-reply-to;
  bh=6GLo3d35oVtHdFhb6UNpuguyDFJRdNOuxUvgwUhlmnY=;
  b=LglhwN39RVgEo5FLlQyQGAK7E30JKuG6QDcXLAacgGymVQqdiPyM9BsR
   PktPGUQtOjjF+E9K7+bhDXyds1N41adi2+hJ+URoTDczRt1nyf2HfXu9c
   VKXxaTb6EWB3IoGbaTMokBgLTqN2h3QtU2NZGHGsSWlQCc8ciB5r4OP8w
   ovFBAEz9OkSGFT24L602Kk3rloMh1zso3/DQcrU/Ce8AgNKUHgXLyZLWB
   DV9L2v1qD9FpjwpnrJNLFjoBkmNbM2S9P1JR3Mcfl5gX0DD7vHum0dfVl
   xnEZd8Qm1wxv/atGHEvT9cggufuivuepzgqofbUPRr4oC+NU1Hw5O+e4J
   g==;
X-IronPort-AV: E=McAfee;i="6600,9927,10663"; a="338193556"
X-IronPort-AV: E=Sophos;i="5.98,297,1673942400"; 
   d="scan'208";a="338193556"
Received: from fmsmga001.fm.intel.com ([10.253.24.23])
  by fmsmga102.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 28 Mar 2023 14:08:38 -0700
X-ExtLoop1: 1
X-IronPort-AV: E=McAfee;i="6600,9927,10663"; a="827628736"
X-IronPort-AV: E=Sophos;i="5.98,297,1673942400"; 
   d="scan'208";a="827628736"
Received: from fhannebi-mobl.ger.corp.intel.com (HELO intel.com) ([10.252.50.224])
  by fmsmga001-auth.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 28 Mar 2023 14:08:36 -0700
Date:   Tue, 28 Mar 2023 23:08:11 +0200
From:   Andi Shyti <andi.shyti@linux.intel.com>
To:     Min Li <lm0963hack@gmail.com>
Cc:     jani.nikula@linux.intel.com, intel-gfx@lists.freedesktop.org,
        linux-kernel@vger.kernel.org, dri-devel@lists.freedesktop.org,
        daniel@ffwll.ch, rodrigo.vivi@intel.com, airlied@gmail.com,
        stable@vger.kernel.org
Subject: Re: [Intel-gfx] [PATCH 1/1] drm/i915: fix race condition UAF in
 i915_perf_add_config_ioctl
Message-ID: <ZCNXO/NJecxaGwep@ashyti-mobl2.lan>
References: <20230328093627.5067-1-lm0963hack@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20230328093627.5067-1-lm0963hack@gmail.com>
X-Spam-Status: No, score=-2.4 required=5.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED,
        DKIM_VALID,DKIM_VALID_EF,RCVD_IN_DNSWL_MED,SPF_HELO_NONE,SPF_NONE
        autolearn=unavailable autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Mar 28, 2023 at 05:36:27PM +0800, Min Li wrote:
> Userspace can guess the id value and try to race oa_config object creation
> with config remove, resulting in a use-after-free if we dereference the
> object after unlocking the metrics_lock.  For that reason, unlocking the
> metrics_lock must be done after we are done dereferencing the object.
> 
> Signed-off-by: Min Li <lm0963hack@gmail.com>

I think we should also add

Fixes: f89823c21224 ("drm/i915/perf: Implement I915_PERF_ADD/REMOVE_CONFIG interface")
Cc: <stable@vger.kernel.org> # v4.14+

Andi

> ---
>  drivers/gpu/drm/i915/i915_perf.c | 6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)
> 
> diff --git a/drivers/gpu/drm/i915/i915_perf.c b/drivers/gpu/drm/i915/i915_perf.c
> index 824a34ec0b83..93748ca2c5da 100644
> --- a/drivers/gpu/drm/i915/i915_perf.c
> +++ b/drivers/gpu/drm/i915/i915_perf.c
> @@ -4634,13 +4634,13 @@ int i915_perf_add_config_ioctl(struct drm_device *dev, void *data,
>  		err = oa_config->id;
>  		goto sysfs_err;
>  	}
> -
> -	mutex_unlock(&perf->metrics_lock);
> +	id = oa_config->id;
>  
>  	drm_dbg(&perf->i915->drm,
>  		"Added config %s id=%i\n", oa_config->uuid, oa_config->id);
> +	mutex_unlock(&perf->metrics_lock);
>  
> -	return oa_config->id;
> +	return id;
>  
>  sysfs_err:
>  	mutex_unlock(&perf->metrics_lock);
> -- 
> 2.25.1