Received: by 2002:a05:6358:9144:b0:117:f937:c515 with SMTP id r4csp18773rwr; Wed, 19 Apr 2023 02:46:16 -0700 (PDT) X-Google-Smtp-Source: AKy350Y6f8Bla1Gvf1A77wGwotcUCQ57Xj8M+j7fDqr3GTjR3x06IcMeZxHzQhdbtTsqJuZLWFJm X-Received: by 2002:a05:6a00:2384:b0:63b:89a9:529f with SMTP id f4-20020a056a00238400b0063b89a9529fmr3605528pfc.14.1681897576029; Wed, 19 Apr 2023 02:46:16 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1681897576; cv=none; d=google.com; s=arc-20160816; b=mHv0YZhg4+mWFwgAMyFXd5XXP1xVPbw6LoEmZ6oLRUJr/y3+MH2KY0bm/+rquU6r4/ hQUZYp1qmeT6DSS54lUpeRGcX8rzbr11iIOPb+nJn4OdqnF/sw7RpRPFwe3mwqmiJiEX GkefJF80W/LINO4zWiO1epCqP27QfzOTkurHl13RxfkTx0NpdowJFoTDlrfW06LaI17d 2TsUemeVNF8IOEl9ZORBd3XHottay8pMQZQE/EWz25n2GwD2tO9+Lp5ydTlJ6mVYJfWA OYEFqjj4OrtgrTXkklQJ0LZWvA14TNXgsBsPF0+LwQYLo4z94//i4SkQtcZl3kpl5wyY Ggxg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:mime-version:user-agent :content-transfer-encoding:references:in-reply-to:date:cc:to:from :subject:message-id; bh=qWBb1Zwnx4vi4sd3JmBuOL+7tZzqOyVEK3Z4XLbWBGQ=; b=miJLEqermctDbr1HzAA1Kua8AqypOj4r6soNGVY4tgkod1y+bEoK4BontMdD2nufmI pWWgwxSXBg3mKd3ZZ0MpN9Fp9QWkgPlhDAkOTljPzmixQXR8Xt6dtV70TAKNoRs5FH5K 7f5C9/cBqtQNMxh6o6vJfIJevDZjgLIo+V2BofwbT8nBMH4a6v0f/kIrDG38sFg8neQ8 Yf4SAvBJoXsYvubMl/LnyO3aluIk7yOQWmzJFwhKn8Xar/C9ZfE6aoy5Ed0Omg4LGnxW Aq/kABjQ0j9DLqPT12BFH9PdJrUyxkwretxH5x3FZjby//Gqiyjiv6Z2rYNMifF+FTLx KIIw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id h7-20020a056a00000700b0063b77e2123csi11351408pfk.26.2023.04.19.02.46.04; Wed, 19 Apr 2023 02:46:16 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232360AbjDSJo0 convert rfc822-to-8bit (ORCPT + 99 others); Wed, 19 Apr 2023 05:44:26 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:41512 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232357AbjDSJoU (ORCPT ); Wed, 19 Apr 2023 05:44:20 -0400 Received: from metis.ext.pengutronix.de (metis.ext.pengutronix.de [IPv6:2001:67c:670:201:290:27ff:fe1d:cc33]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 048A52726 for ; Wed, 19 Apr 2023 02:44:18 -0700 (PDT) Received: from ptz.office.stw.pengutronix.de ([2a0a:edc0:0:900:1d::77] helo=[IPv6:::1]) by metis.ext.pengutronix.de with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1pp4MG-00024s-3b; Wed, 19 Apr 2023 11:44:12 +0200 Message-ID: <04f039ac71f3c0685a849b492478d18ec6ea4d11.camel@pengutronix.de> Subject: Re: [PATCH v2] drm/scheduler: set entity to NULL in drm_sched_entity_pop_job() From: Lucas Stach To: Steven Price , Danilo Krummrich , luben.tuikov@amd.com, airlied@gmail.com, daniel@ffwll.ch, christian.koenig@amd.com Cc: linux-kernel@vger.kernel.org, dri-devel@lists.freedesktop.org Date: Wed, 19 Apr 2023 11:44:10 +0200 In-Reply-To: References: <20230418100453.4433-1-dakr@redhat.com> Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: 8BIT User-Agent: Evolution 3.46.4 (3.46.4-1.fc37) MIME-Version: 1.0 X-SA-Exim-Connect-IP: 2a0a:edc0:0:900:1d::77 X-SA-Exim-Mail-From: l.stach@pengutronix.de X-SA-Exim-Scanned: No (on metis.ext.pengutronix.de); SAEximRunCond expanded to false X-PTX-Original-Recipient: linux-kernel@vger.kernel.org X-Spam-Status: No, score=-4.2 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_MED, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi Steven, Am Mittwoch, dem 19.04.2023 um 10:39 +0100 schrieb Steven Price: > On 18/04/2023 11:04, Danilo Krummrich wrote: > > It already happend a few times that patches slipped through which > > implemented access to an entity through a job that was already removed > > from the entities queue. Since jobs and entities might have different > > lifecycles, this can potentially cause UAF bugs. > > > > In order to make it obvious that a jobs entity pointer shouldn't be > > accessed after drm_sched_entity_pop_job() was called successfully, set > > the jobs entity pointer to NULL once the job is removed from the entity > > queue. > > > > Moreover, debugging a potential NULL pointer dereference is way easier > > than potentially corrupted memory through a UAF. > > > > Signed-off-by: Danilo Krummrich > > This triggers a splat for me (with Panfrost driver), the cause of which > is the following code in drm_sched_get_cleanup_job(): > > if (job) { > job->entity->elapsed_ns += ktime_to_ns( > ktime_sub(job->s_fence->finished.timestamp, > job->s_fence->scheduled.timestamp)); > } > > which indeed is accessing entity after the job has been returned from > drm_sched_entity_pop_job(). And obviously job->entity is a NULL pointer > with this patch. > > I'm afraid I don't fully understand the lifecycle so I'm not sure if > this is simply exposing an existing bug in drm_sched_get_cleanup_job() > or if this commit needs to be reverted. > Not sure which tree you are on. The offending commit has been reverted in 6.3-rc5. Regards, Lucas > Thanks, > > Steve > > > --- > > drivers/gpu/drm/scheduler/sched_entity.c | 6 ++++++ > > drivers/gpu/drm/scheduler/sched_main.c | 4 ++++ > > 2 files changed, 10 insertions(+) > > > > diff --git a/drivers/gpu/drm/scheduler/sched_entity.c b/drivers/gpu/drm/scheduler/sched_entity.c > > index 15d04a0ec623..a9c6118e534b 100644 > > --- a/drivers/gpu/drm/scheduler/sched_entity.c > > +++ b/drivers/gpu/drm/scheduler/sched_entity.c > > @@ -448,6 +448,12 @@ struct drm_sched_job *drm_sched_entity_pop_job(struct drm_sched_entity *entity) > > drm_sched_rq_update_fifo(entity, next->submit_ts); > > } > > > > + /* Jobs and entities might have different lifecycles. Since we're > > + * removing the job from the entities queue, set the jobs entity pointer > > + * to NULL to prevent any future access of the entity through this job. > > + */ > > + sched_job->entity = NULL; > > + > > return sched_job; > > } > > > > diff --git a/drivers/gpu/drm/scheduler/sched_main.c b/drivers/gpu/drm/scheduler/sched_main.c > > index 9b16480686f6..e89a3e469cd5 100644 > > --- a/drivers/gpu/drm/scheduler/sched_main.c > > +++ b/drivers/gpu/drm/scheduler/sched_main.c > > @@ -42,6 +42,10 @@ > > * the hardware. > > * > > * The jobs in a entity are always scheduled in the order that they were pushed. > > + * > > + * Note that once a job was taken from the entities queue and pushed to the > > + * hardware, i.e. the pending queue, the entity must not be referenced anymore > > + * through the jobs entity pointer. > > */ > > > > #include >