From: Asahi Lina <lina@asahilina.net>
To: Christian König, Luben Tuikov, David Airlie, Daniel Vetter, Sumit Semwal
Cc: dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org, linux-media@vger.kernel.org, asahi@lists.linux.dev
Subject: Re: [PATCH] drm/scheduler: Fix UAF in drm_sched_fence_get_timeline_name
Date: Thu, 6 Apr 2023 18:27:27 +0900
Message-ID: <4ea53272-6324-96e6-ab29-82bccb624683@asahilina.net>
References: <20230406-scheduler-uaf-1-v1-1-8e5662269d25@asahilina.net> <6b3433ee-0712-f789-51ee-3047ead9bb79@amd.com> <180bd178-e3c0-85e3-785e-fc8a216cf65e@amd.com>

On 06/04/2023 18.15, Asahi Lina wrote:
> On 06/04/2023 18.06, Christian König wrote:
>> On 06.04.23 at 10:49, Asahi Lina wrote:
>>> On 06/04/2023 17.29, Christian König wrote:
>>>> On 05.04.23 at 18:34, Asahi Lina wrote:
>>>>> A signaled scheduler fence can outlive its scheduler, since fences
>>>>> are independently reference counted.
>>>>
>>>> Well that is actually not correct. Schedulers are supposed to stay
>>>> around until the hw they have been driving is no longer present.
>>>
>>> But the fences can outlive that. You can GPU render into an imported
>>> buffer, which attaches a fence to it. Then the GPU goes away, but
>>> the fence is still attached to the buffer. Then you oops when you
>>> cat that debugfs file...
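(To be concrete about where that oops happens: the timeline name
callback in the scheduler is, before this patch, roughly the
following. fence->sched is a plain pointer, and a signaled fence holds
nothing that keeps the scheduler behind it alive.)

static const char *drm_sched_fence_get_timeline_name(struct dma_fence *f)
{
	struct drm_sched_fence *fence = to_drm_sched_fence(f);

	/* fence->sched is an unrefcounted pointer to the
	 * drm_gpu_scheduler; if the scheduler has been freed, this
	 * dereference is a use-after-free. */
	return (const char *)fence->sched->name;
}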
>> No, exactly that's the point: you wouldn't oops.
>>
>>> My use case does this way more often (since schedulers are tied to
>>> UAPI objects), which is how I found this, but as far as I can tell
>>> this is already broken for all drivers on unplug/unbind/anything
>>> else that would destroy the schedulers while fences are potentially
>>> still referenced by separate scanout devices or any other DMA-BUF
>>> consumer.
>>
>> Even if a GPU is hotplugged, the data structures for it should only
>> go away with the last reference. Since the scheduler fence references
>> the hw fence, and the hw fence in turn references the driver, this
>> shouldn't happen.
>
> So those fences can potentially keep half the driver data structures
> alive just for existing in a signaled state? That doesn't seem
> sensible (and it definitely doesn't work for our use case, where
> schedulers can be created and destroyed freely; it could lead to way
> too much junk sticking around in memory).
>
>>>> E.g. the reference chain was scheduler_fence->hw_fence->driver->scheduler.
>>>
>>> It's up to drivers not to mess that up, since the HW fence has the
>>> same requirement that it can outlive other driver objects, just
>>> like any other fence. That's not something the scheduler has to be
>>> concerned with; it's a driver correctness issue.
>>>
>>> Of course, in C you have to get it right yourself, while correct
>>> Rust abstractions will cause your code to fail to compile if you do
>>> it wrong ^^
>>>
>>> In my particular case, the hw_fence is a very dumb object that has
>>> no references to anything, only an ID and a pending op count. Jobs
>>> hold references to it and decrement it until it signals, not the
>>> other way around. So that object can live forever regardless of
>>> whether the rest of the device is gone.
>>
>> That is then certainly a bug. This won't work that way, and the
>> timeline name is just the tip of the iceberg here.
>>
>> The fence reference count needs to keep both the scheduler and the
>> driver alive. Otherwise you could, for example, unload the module and
>> immediately oops because your fence_ops go away.
>
> Yes, I realized the module issue after writing the email. But that's
> the *only* thing it needs to hold a reference to! Which is much more
> sensible than keeping a huge chunk of UAPI-adjacent data structures
> alive for a signaled fence that, for all we know, might stick around
> forever attached to some buffer.
>
>>>> Your use case is now completely different to that and this won't
>>>> work any more.
>>>>
>>>> This here might just be the first case where that breaks.
>>>
>>> This bug already exists; it's just a lot rarer for existing use
>>> cases... but either way, Xe is doing the same thing I am, so I'm
>>> not the only one here either.
>>
>> No it doesn't. You have just implemented the references differently
>> from how they are supposed to be.
>>
>> Fixing this one occasion here would mitigate the immediate oops, but
>> it doesn't fix the fundamental problem.
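To restate the hw fence design quoted above in code (the names here
are illustrative only, not the actual driver code), it is conceptually
just this:

#include <linux/atomic.h>
#include <linux/dma-fence.h>

struct my_hw_fence {
	struct dma_fence base;	/* refcounted like any other fence */
	u64 id;			/* firmware fence ID */
	atomic_t pending;	/* ops still in flight */
};

/* Jobs hold a reference and retire one pending op each when they
 * complete; the fence signals once the count reaches zero. Nothing in
 * here points back at the scheduler, the device, or any other driver
 * structure. */
static void my_hw_fence_op_complete(struct my_hw_fence *f)
{
	if (atomic_dec_and_test(&f->pending))
		dma_fence_signal(&f->base);
	dma_fence_put(&f->base);
}

So the only lifetime a signaled fence inherently depends on is that of
the module providing its dma_fence_ops.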
> Honestly, at this point I'm starting to doubt whether we want to use
> drm_scheduler at all, because it clearly wasn't designed for our use
> case, and every time I try to fix something your answer has been
> "you're using it wrong", while at the same time the practically
> nonexistent documentation makes it impossible to know how it was
> actually designed to be used.

Also, requiring that the hw_fence keep the scheduler alive (which is
documented nowhere) is a completely ridiculous lifetime requirement and
a layering violation across multiple subsystems. I have no idea how I'd
make Rust abstractions uphold that requirement safely without doing
something silly like abstraction-specific hw_fence wrappers, and then
you run into deadlocks due to the scheduler potentially being dropped
from the job_done callback when the fence reference is dropped (see the
P.S. below for the sequence I mean), and just... no, please. This is
terrible. If you don't want me to fix it, we'll have to find another
way, because I can't work with this.

~~ Lina
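P.S. Since "dropped from the job_done callback" is abstract, here is
the shape of the deadlock I mean, as a hypothetical sketch with
made-up names (my_ctx and friends), not code from any real driver. If
the hw fence has to keep the scheduler alive, the last fence reference
can end up being dropped from the scheduler's own completion path, so
teardown runs inside the thing being torn down:

#include <linux/kref.h>
#include <linux/slab.h>
#include <drm/gpu_scheduler.h>

/* Hypothetical: the context owns the scheduler, and the hw fence
 * holds the last context reference, as these lifetime rules would
 * require. */
struct my_ctx {
	struct kref refs;
	struct drm_gpu_scheduler sched;
};

static void my_ctx_release(struct kref *kref)
{
	struct my_ctx *ctx = container_of(kref, struct my_ctx, refs);

	/* drm_sched_fini() waits for the scheduler's thread to stop.
	 * If this release is reached from a scheduler-driven path
	 * (e.g. a dma_fence_put() while freeing a finished job), it
	 * ends up waiting on itself and never returns. */
	drm_sched_fini(&ctx->sched);
	kfree(ctx);
}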