Received: by 2002:a05:7412:37c9:b0:e2:908c:2ebd with SMTP id jz9csp1158555rdb; Wed, 20 Sep 2023 00:55:08 -0700 (PDT) X-Google-Smtp-Source: AGHT+IFs7vEyQpCuCX+tcZbIlBy4q2gzsPteGyNZLFN0RU6jZHFWJ4pWQb0WkzAx0Lxbu0dbZM3v X-Received: by 2002:a05:6358:50c6:b0:13a:4855:d885 with SMTP id m6-20020a05635850c600b0013a4855d885mr2414946rwm.10.1695196507917; Wed, 20 Sep 2023 00:55:07 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1695196507; cv=none; d=google.com; s=arc-20160816; b=HO2oaX+WtpHT2/mHE0IJwWhgdJLF57TRQv0FTvMioCjYnnrFCLR6C2sFAxtaT6Rgd0 fIiGJuImgmBOiXfJuA/ZBqcXhEpj0QpTuczykxwjAIDkANzAt6zY88DLgXD6sL75Zhc0 phlrzvvVPUWn4kcEI5XbMJLG4YCm7EYXU9ucP3vdPsps0F0/3Nnh3hddaF+e1bY039Tg baZ0nE8a6umn/twcnEf0IYDUy46mufgzNWggZMRtVRM/3VeK1KL4UDpL6bCg8ey/V2Ar hp6kOWL/L428i0mrc4dATDk8r7uS8ZS7RMNPj+LdYzFShmLtztqFwfUu68eqZHPdDZZr jIQQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:organization :message-id:user-agent:references:in-reply-to:subject:cc:to:from :date:mime-version; bh=W6wgsxwIUdOFPxRTHaUDxsH8nLyZ+klujBIhgGbtij4=; fh=wnZVJ0oAsgoWqMMnWdst/eb9PCXB2yUy6t4ZZGGWEVU=; b=x70kkzdO91827tb0tPo+729YXRB7XCsqm1cV8+nLiAUALWGZJBV+tnqnmKiY+HsRsc L/Gtnj27UEyEjWuaaCaoI8nmY8uR7t2zGbKq9WUa3kHaVsV+fCAoY8PKmAfL6uUNqamR Scwq/VIDS2xREK2itvDrT8LiFpMZ7CX5A/ZdauwtJZFnorpP+C1aZyxgcPjSKSLsVPwi mGLb7ZhJ/JozhNsR9MLonNmNrBK3s7lDTowIi3g4yzsX0T63YIOWu9j8EkexQmbLjGnN 9wGMjMUkgZjUbgAHVDcpF1+J/YsTE9XYCLP+JV6kut4rdeZ6sSv/Ep5GVu4zc2Vae5yO fCLw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:8 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from fry.vger.email (fry.vger.email. [2620:137:e000::3:8]) by mx.google.com with ESMTPS id q17-20020a637511000000b0056969e398fcsi2998317pgc.862.2023.09.20.00.55.07 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 20 Sep 2023 00:55:07 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:8 as permitted sender) client-ip=2620:137:e000::3:8; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:8 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by fry.vger.email (Postfix) with ESMTP id 043D582DAFFA; Wed, 20 Sep 2023 00:43:40 -0700 (PDT) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.10 at fry.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233839AbjITHni (ORCPT + 99 others); Wed, 20 Sep 2023 03:43:38 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:38838 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233608AbjITHnh (ORCPT ); Wed, 20 Sep 2023 03:43:37 -0400 X-Greylist: delayed 4200 seconds by postgrey-1.37 at lindbergh.monkeyblade.net; Wed, 20 Sep 2023 00:43:29 PDT Received: from 14.mo561.mail-out.ovh.net (14.mo561.mail-out.ovh.net [188.165.43.98]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id AC234DD for ; Wed, 20 Sep 2023 00:43:29 -0700 (PDT) Received: from director2.ghost.mail-out.ovh.net (unknown [10.109.156.38]) by mo561.mail-out.ovh.net (Postfix) with ESMTP id 063D725DC3 for ; Wed, 20 Sep 2023 06:24:59 +0000 (UTC) Received: from ghost-submission-6684bf9d7b-9dvr6 (unknown [10.110.103.93]) by director2.ghost.mail-out.ovh.net (Postfix) with ESMTPS id 33E281FE5D; Wed, 20 Sep 2023 06:24:59 +0000 (UTC) Received: from RCM-web9.webmail.mail.ovh.net ([151.80.29.21]) by ghost-submission-6684bf9d7b-9dvr6 with ESMTPSA id zUNWCzuQCmU11gkA6QqK6A (envelope-from ); Wed, 20 Sep 2023 06:24:59 +0000 MIME-Version: 1.0 Date: Wed, 20 Sep 2023 09:24:58 +0300 From: =?UTF-8?Q?Jos=C3=A9_Pekkarinen?= To: =?UTF-8?Q?Michel_D=C3=A4nzer?= Cc: maarten.lankhorst@linux.intel.com, mripard@kernel.org, tzimmermann@suse.de, airlied@gmail.com, daniel@ffwll.ch, skhan@linuxfoundation.org, linux-kernel-mentees@lists.linuxfoundation.org, linux-kernel@vger.kernel.org, dri-devel@lists.freedesktop.org Subject: Re: [PATCH] drm/atomic-helper: prevent uaf in wait_for_vblanks In-Reply-To: References: <20230918165340.2330-1-jose.pekkarinen@foxhound.fi> User-Agent: Roundcube Webmail/1.4.13 Message-ID: <95caefafeec02b0fa01177c7ebf94838@foxhound.fi> X-Sender: jose.pekkarinen@foxhound.fi Organization: Foxhound Ltd. X-Originating-IP: 185.220.102.7 X-Webmail-UserID: jose.pekkarinen@foxhound.fi Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit X-Ovh-Tracer-Id: 10392900568754923241 X-VR-SPAMSTATE: OK X-VR-SPAMSCORE: 0 X-VR-SPAMCAUSE: gggruggvucftvghtrhhoucdtuddrgedviedrudekvddguddtkecutefuodetggdotefrodftvfcurfhrohhfihhlvgemucfqggfjpdevjffgvefmvefgnecuuegrihhlohhuthemucehtddtnecunecujfgurhepggffhffvvefujghffgfkgihoihgtgfesthekjhdttderjeenucfhrhhomheplfhoshorucfrvghkkhgrrhhinhgvnhcuoehjohhsvgdrphgvkhhkrghrihhnvghnsehfohighhhouhhnugdrfhhiqeenucggtffrrghtthgvrhhnpeekhfeguddufeegvdelgedtvdffgeehvddtkeevkeejvedvgeeitdefleehtdeitdenucfkphepuddvjedrtddrtddruddpudekhedrvddvtddruddtvddrjedpudehuddrkedtrddvledrvddunecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehinhgvthepuddvjedrtddrtddruddpmhgrihhlfhhrohhmpeeojhhoshgvrdhpvghkkhgrrhhinhgvnhesfhhogihhohhunhgurdhfiheqpdhnsggprhgtphhtthhopedupdhrtghpthhtoheplhhinhhugidqkhgvrhhnvghlsehvghgvrhdrkhgvrhhnvghlrdhorhhgpdfovfetjfhoshhtpehmohehiedupdhmohguvgepshhmthhpohhuth X-Spam-Status: No, score=4.1 required=5.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_SBL_CSS, SPF_HELO_NONE,SPF_PASS autolearn=no autolearn_force=no version=3.4.6 X-Spam-Level: **** X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on fry.vger.email Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (fry.vger.email [0.0.0.0]); Wed, 20 Sep 2023 00:43:40 -0700 (PDT) On 2023-09-19 19:56, Michel Dänzer wrote: > On 9/18/23 18:53, José Pekkarinen wrote: >> Kasan reported the following in my system: >> >> [ 3935.321003] >> ================================================================== >> [ 3935.321022] BUG: KASAN: slab-use-after-free in >> drm_atomic_helper_wait_for_vblanks.part.0+0x116/0x450 [drm_kms_helper] >> [ 3935.321124] Read of size 1 at addr ffff88818a6f8009 by task >> kworker/u16:3/5268 >> >> [ 3935.321124] CPU: 7 PID: 5268 Comm: kworker/u16:3 Not tainted >> 6.6.0-rc2+ #1 >> [ 3935.321124] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), >> BIOS 0.0.0 02/06/2015 >> [ 3935.321124] Workqueue: events_unbound commit_work [drm_kms_helper] >> [ 3935.321124] Call Trace: >> [ 3935.321124] >> [ 3935.321124] dump_stack_lvl+0x43/0x60 >> [ 3935.321124] print_report+0xcf/0x660 >> [ 3935.321124] ? remove_entity_load_avg+0xdc/0x100 >> [ 3935.321124] ? __virt_addr_valid+0xd9/0x160 >> [ 3935.321124] ? >> drm_atomic_helper_wait_for_vblanks.part.0+0x116/0x450 [drm_kms_helper] >> [ 3935.321124] kasan_report+0xda/0x110 >> [ 3935.321124] ? >> drm_atomic_helper_wait_for_vblanks.part.0+0x116/0x450 [drm_kms_helper] >> [ 3935.321124] drm_atomic_helper_wait_for_vblanks.part.0+0x116/0x450 >> [drm_kms_helper] >> [ 3935.321124] ? >> __pfx_drm_atomic_helper_wait_for_vblanks.part.0+0x10/0x10 >> [drm_kms_helper] >> [ 3935.321124] ? complete_all+0x48/0x100 >> [ 3935.321124] ? _raw_spin_unlock_irqrestore+0x19/0x40 >> [ 3935.321124] ? preempt_count_sub+0x14/0xc0 >> [ 3935.321124] ? _raw_spin_unlock_irqrestore+0x23/0x40 >> [ 3935.321124] ? drm_atomic_helper_commit_hw_done+0x1ac/0x240 >> [drm_kms_helper] >> [ 3935.321124] drm_atomic_helper_commit_tail+0x82/0x90 >> [drm_kms_helper] >> [ 3935.321124] commit_tail+0x15c/0x1d0 [drm_kms_helper] >> [ 3935.323185] process_one_work+0x31a/0x610 >> [ 3935.323185] worker_thread+0x38e/0x5f0 >> [ 3935.323185] ? __pfx_worker_thread+0x10/0x10 >> [ 3935.323185] kthread+0x184/0x1c0 >> [ 3935.323185] ? __pfx_kthread+0x10/0x10 >> [ 3935.323185] ret_from_fork+0x30/0x50 >> [ 3935.323185] ? __pfx_kthread+0x10/0x10 >> [ 3935.323185] ret_from_fork_asm+0x1b/0x30 >> [ 3935.323185] >> >> [ 3935.323185] Allocated by task 3751: >> [ 3935.323185] kasan_save_stack+0x2f/0x50 >> [ 3935.323185] kasan_set_track+0x21/0x30 >> [ 3935.323185] __kasan_kmalloc+0xa6/0xb0 >> [ 3935.323185] drm_atomic_helper_crtc_duplicate_state+0x42/0x70 >> [drm_kms_helper] >> [ 3935.323185] drm_atomic_get_crtc_state+0xc3/0x1e0 [drm] >> [ 3935.323185] page_flip_common+0x42/0x160 [drm_kms_helper] >> [ 3935.323185] drm_atomic_helper_page_flip+0x6b/0xf0 [drm_kms_helper] >> [ 3935.323185] drm_mode_page_flip_ioctl+0x8ad/0x900 [drm] >> [ 3935.323185] drm_ioctl_kernel+0x169/0x240 [drm] >> [ 3935.323185] drm_ioctl+0x399/0x6b0 [drm] >> [ 3935.324772] __x64_sys_ioctl+0xc5/0x100 >> [ 3935.324772] do_syscall_64+0x5b/0xc0 >> [ 3935.324772] entry_SYSCALL_64_after_hwframe+0x6e/0xd8 >> >> [ 3935.324772] Freed by task 3751: >> [ 3935.324772] kasan_save_stack+0x2f/0x50 >> [ 3935.324772] kasan_set_track+0x21/0x30 >> [ 3935.324772] kasan_save_free_info+0x27/0x40 >> [ 3935.324772] ____kasan_slab_free+0x166/0x1c0 >> [ 3935.324772] slab_free_freelist_hook+0x9f/0x1e0 >> [ 3935.324772] __kmem_cache_free+0x187/0x2d0 >> [ 3935.324772] drm_atomic_state_default_clear+0x226/0x5e0 [drm] >> [ 3935.324772] __drm_atomic_state_free+0xc8/0x130 [drm] >> [ 3935.324772] drm_atomic_helper_update_plane+0x17d/0x1b0 >> [drm_kms_helper] >> [ 3935.324772] drm_mode_cursor_universal+0x2a4/0x4d0 [drm] >> [ 3935.324772] drm_mode_cursor_common+0x1cf/0x430 [drm] >> [ 3935.324772] drm_mode_cursor_ioctl+0xc6/0x100 [drm] >> [ 3935.326167] drm_ioctl_kernel+0x169/0x240 [drm] >> [ 3935.326167] drm_ioctl+0x399/0x6b0 [drm] >> [ 3935.326614] __x64_sys_ioctl+0xc5/0x100 >> [ 3935.326614] do_syscall_64+0x5b/0xc0 >> [ 3935.326614] entry_SYSCALL_64_after_hwframe+0x6e/0xd8 >> >> [ 3935.326614] The buggy address belongs to the object at >> ffff88818a6f8000 >> which belongs to the cache kmalloc-512 of size 512 >> [ 3935.326614] The buggy address is located 9 bytes inside of >> freed 512-byte region [ffff88818a6f8000, >> ffff88818a6f8200) >> >> [ 3935.326614] The buggy address belongs to the physical page: >> [ 3935.326614] page:00000000b0fb0816 refcount:1 mapcount:0 >> mapping:0000000000000000 index:0x0 pfn:0x18a6f8 >> [ 3935.326614] head:00000000b0fb0816 order:3 entire_mapcount:0 >> nr_pages_mapped:0 pincount:0 >> [ 3935.326614] anon flags: >> 0x17ffffc0000840(slab|head|node=0|zone=2|lastcpupid=0x1fffff) >> [ 3935.326614] page_type: 0xffffffff() >> [ 3935.326614] raw: 0017ffffc0000840 ffff888100042c80 0000000000000000 >> dead000000000001 >> [ 3935.326614] raw: 0000000000000000 0000000080200020 00000001ffffffff >> 0000000000000000 >> [ 3935.326614] page dumped because: kasan: bad access detected >> >> [ 3935.326614] Memory state around the buggy address: >> [ 3935.326614] ffff88818a6f7f00: fc fc fc fc fc fc fc fc fc fc fc fc >> fc fc fc fc >> [ 3935.326614] ffff88818a6f7f80: fc fc fc fc fc fc fc fc fc fc fc fc >> fc fc fc fc >> [ 3935.326614] >ffff88818a6f8000: fa fb fb fb fb fb fb fb fb fb fb fb >> fb fb fb fb >> [ 3935.326772] ^ >> [ 3935.326772] ffff88818a6f8080: fb fb fb fb fb fb fb fb fb fb fb fb >> fb fb fb fb >> [ 3935.326772] ffff88818a6f8100: fb fb fb fb fb fb fb fb fb fb fb fb >> fb fb fb fb >> [ 3935.326772] >> ================================================================== >> >> This suggest there may be some situation where a >> struct drm_crtc_state is referenced after already >> being freed by drm_atomic_state_default_clear. This >> patch will check the new_crtc_state is not null before >> using it. >> >> Signed-off-by: José Pekkarinen >> --- >> drivers/gpu/drm/drm_atomic_helper.c | 2 +- >> 1 file changed, 1 insertion(+), 1 deletion(-) >> >> diff --git a/drivers/gpu/drm/drm_atomic_helper.c >> b/drivers/gpu/drm/drm_atomic_helper.c >> index 292e38eb6218..cc75d387a542 100644 >> --- a/drivers/gpu/drm/drm_atomic_helper.c >> +++ b/drivers/gpu/drm/drm_atomic_helper.c >> @@ -1647,7 +1647,7 @@ drm_atomic_helper_wait_for_vblanks(struct >> drm_device *dev, >> return; >> >> for_each_oldnew_crtc_in_state(old_state, crtc, old_crtc_state, >> new_crtc_state, i) { >> - if (!new_crtc_state->active) >> + if (new_crtc_state && !new_crtc_state->active) >> continue; >> >> ret = drm_crtc_vblank_get(crtc); > > I'm not quite seeing the connection between this change and the KASAN > report. > > If new_crtc_state was NULL, I would have expected a normal NULL > pointer dereference oops, not a KASAN report. > > The KASAN report instead indicates that new_crtc_state isn't NULL, but > points to memory which has already been freed. This could be e.g. due > to incorrect reference counting somewhere else. Hi Michel, Thanks for your comments, I found the kasan report also in this version of the patch, so I'm setting bigger traps to the bug to find out what is the issue behind. While what you say it is true, I may invite you to take a look to drm_atomic_state_default_clear, you'll quickly notice that after destroying the crtc_state, it set state pointers to null, so unless something very bad happened in my system, at the time of executing drm_atomic_helper_wait_for_vblanks, if state is freed, its pointer should be null also. Best regards. José.