Message-ID: <85cc3d07-0a7f-9ba4-45f2-dc6e7befefaf@linux.intel.com>
Date: Wed, 29 Mar 2023 10:20:32 +0100
Subject: Re: [PATCH 1/1] drm/i915: fix race condition UAF in i915_perf_add_config_ioctl
To: Umesh Nerlige Ramappa
Cc: Min Li, jani.nikula@linux.intel.com, Lionel Landwerlin, joonas.lahtinen@linux.intel.com, rodrigo.vivi@intel.com, airlied@gmail.com, daniel@ffwll.ch, intel-gfx@lists.freedesktop.org, dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org
References: <20230328093627.5067-1-lm0963hack@gmail.com>
From: Tvrtko Ursulin
Organization: Intel Corporation UK Plc
X-Mailing-List: linux-kernel@vger.kernel.org

On 29/03/2023 01:48, Umesh Nerlige Ramappa wrote:
> On Tue, Mar 28, 2023 at 02:08:47PM +0100, Tvrtko Ursulin wrote:
>>
>> On 28/03/2023 10:36, Min Li wrote:
>>> Userspace can guess the id value and try to race oa_config object
>>> creation
>>> with config remove, resulting in a use-after-free if we dereference the
>>> object after unlocking the metrics_lock.  For that reason, unlocking the
>>> metrics_lock must be done after we are done dereferencing the object.
>>>
>>> Signed-off-by: Min Li
>>
>> Fixes: f89823c21224 ("drm/i915/perf: Implement
>> I915_PERF_ADD/REMOVE_CONFIG interface")
>> Cc: Lionel Landwerlin
>> Cc: Umesh Nerlige Ramappa
>> Cc: # v4.14+
>>
>>> --- >>>  drivers/gpu/drm/i915/i915_perf.c | 6 +++--- >>>  1 file changed, 3 insertions(+), 3 deletions(-) >>> >>> diff --git a/drivers/gpu/drm/i915/i915_perf.c >>> b/drivers/gpu/drm/i915/i915_perf.c >>> index 824a34ec0b83..93748ca2c5da 100644 >>> --- a/drivers/gpu/drm/i915/i915_perf.c >>> +++ b/drivers/gpu/drm/i915/i915_perf.c 
>>> @@ -4634,13 +4634,13 @@ int i915_perf_add_config_ioctl(struct >>> drm_device *dev, void *data, >>>          err = oa_config->id; >>>          goto sysfs_err; >>>      } >>> - >>> -    mutex_unlock(&perf->metrics_lock); >>> +    id = oa_config->id; >>>      drm_dbg(&perf->i915->drm, >>>          "Added config %s id=%i\n", oa_config->uuid, oa_config->id); >>> +    mutex_unlock(&perf->metrics_lock); >>> -    return oa_config->id; >>> +    return id; >>>  sysfs_err: >>>      mutex_unlock(&perf->metrics_lock); >> >> LGTM. >> >> Reviewed-by: Tvrtko Ursulin >> >> Umesh or Lionel could you please double check? I can merge if >> confirmed okay. > > LGTM, > > Reviewed-by: Umesh Nerlige Ramappa Pushed to drm-intel-gt-next, thanks for the fix and reviews! Regards, Tvrtko
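
Review bot: The ordering this fix depends on is not documented where it applies: in the success path of i915_perf_add_config_ioctl, the moved `mutex_unlock(&perf->metrics_lock);` has to stay after the last read of oa_config (the drm_dbg arguments `oa_config->uuid` and `oa_config->id`), and nothing in the code says so. A one-line comment above the unlock, stating that oa_config may be freed by a concurrent config remove once metrics_lock is dropped, would keep a later cleanup from moving the unlock back up. Two smaller points: the drm_dbg call could print the local `id` now that it is captured, leaving `oa_config->uuid` as the only remaining dereference, and the hunk assigns `id` without a declaration visible in these lines, so confirm it is an existing int local in this function.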