References: <20230603074345.17907-1-lm0963hack@gmail.com>
From: Alex Deucher
Date: Mon, 5 Jun 2023 11:21:58 -0400
Subject: Re: [PATCH v2] drm/radeon: fix race condition UAF in radeon_gem_set_domain_ioctl
To: Christian König
Cc: Min Li, alexander.deucher@amd.com, Xinhui.Pan@amd.com, linux-kernel@vger.kernel.org, amd-gfx@lists.freedesktop.org, linaro-mm-sig@lists.linaro.org, dri-devel@lists.freedesktop.org, sumit.semwal@linaro.org, linux-media@vger.kernel.org
X-Mailing-List: linux-kernel@vger.kernel.org

Applied. Thanks!

On Mon, Jun 5, 2023 at 4:13 AM Christian König wrote:
>
> On 03.06.23 at 09:43, Min Li wrote:
> > Userspace can race to free the gobj(robj converted from), robj should not
> > be accessed again after drm_gem_object_put, otherwise it will result in
> > use-after-free.
> >
> > Signed-off-by: Min Li
>
> Reviewed-by: Christian König
>
> > ---
> > Changes in v2:
> > - Remove unused robj, avoid compile complaint
> >
> > drivers/gpu/drm/radeon/radeon_gem.c | 4 +---
> > 1 file changed, 1 insertion(+), 3 deletions(-)
> >
> > diff --git a/drivers/gpu/drm/radeon/radeon_gem.c b/drivers/gpu/drm/rade= on/radeon_gem.c > > index bdc5af23f005..d3f5ddbc1704 100644 > > --- a/drivers/gpu/drm/radeon/radeon_gem.c > > +++ b/drivers/gpu/drm/radeon/radeon_gem.c
> > @@ -459,7 +459,6 @@ int radeon_gem_set_domain_ioctl(struct drm_device *= dev, void *data, > > struct radeon_device *rdev =3D dev->dev_private; > > struct drm_radeon_gem_set_domain *args =3D data; > > struct drm_gem_object *gobj; > > - struct radeon_bo *robj; > > int r; > > > > /* for now if someone requests domain CPU - > > @@ -472,13 +471,12 @@ int radeon_gem_set_domain_ioctl(struct drm_device= *dev, void *data, > > up_read(&rdev->exclusive_lock); > > return -ENOENT; > > } > > - robj =3D gem_to_radeon_bo(gobj); > > > > r =3D radeon_gem_set_domain(gobj, args->read_domains, args->write= _domain); > > > > drm_gem_object_put(gobj); > > up_read(&rdev->exclusive_lock); > > - r =3D radeon_gem_handle_lockup(robj->rdev, r); > > + r =3D radeon_gem_handle_lockup(rdev, r); > > return r; > > } > > >
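Review bot: In the second hunk, nothing at the `drm_gem_object_put(gobj);` line records why the `radeon_gem_handle_lockup()` call that follows must not go through the object, so a later cleanup could reintroduce `robj->rdev` there. A one-line comment above the put, saying that userspace can race to free the object once the reference is dropped, would keep that ordering constraint visible in the code. The replacement argument is sound as far as these lines show: `rdev` is the pointer loaded from `dev->dev_private` in the first hunk's context, so it does not depend on the lifetime of `gobj`. The changelog also carries no Fixes: tag, which makes it harder to tell which stable trees need this use-after-free fix.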