From: "Thomas Hellström" <thomas.hellstrom@linux.intel.com>
To: Maxime Ripard <mripard@kernel.org>
Cc: Daniel Vetter <daniel@ffwll.ch>,
Thomas Zimmermann <tzimmermann@suse.de>,
David Airlie <airlied@gmail.com>,
intel-xe@lists.freedesktop.org, dri-devel@lists.freedesktop.org
Subject: Re: [Intel-xe] [PATCH 1/3] drm/kunit: Avoid a driver uaf
Date: Tue, 5 Sep 2023 14:43:00 +0200 [thread overview]
Message-ID: <0cb8a51c-a1a8-ba03-03b1-8cdabade0353@linux.intel.com> (raw)
In-Reply-To: <efarj6smmvuqlredgy5aelgvm43xovnqo5fywsindq3bhggvul@3rqq27vmatcm>
Hi Maxime,
On 9/5/23 14:06, Maxime Ripard wrote:
> On Tue, Sep 05, 2023 at 10:58:30AM +0200, Thomas Hellström wrote:
>> when using __drm_kunit_helper_alloc_drm_device() the driver may be
>> dereferenced by device-managed resources up until the device is
>> freed, which is typically later than the kunit-managed resource code
>> frees it.
> I'd like to have a bit more context on how a driver can end up in that
> situation?
I interpret the attached traces as follows.
INIT:
Code allocates a struct device as a kunit-managed resource.
Code allocates a drm driver as a kunit-managed resource.
Code allocates a drm device as a device-managed resource.
EXIT:
Kunit resource cleanup frees the drm driver
Kunit resource cleanup frees the struct device, which starts a
device-managed resource cleanup
device-managed cleanup calls drm_dev_put()
drm_dev_put() dereferences the (now freed) drm driver -> Boom.
It should be sufficient to enable KASAN and run the drm_exec_test kunit
test to trigger this.
Thanks,
Thomas
>
> Maxime
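To make the INIT/EXIT ordering above concrete, here is a small constructed model (added for illustration; it is not kernel code, not the kunit helper, and not the patch under discussion). It models both the kunit-managed and the device-managed resource lists as LIFO release stacks, records instead of actually performing the bad dereference, and contrasts the sequence from the mail with the assumed alternative of making the driver device-managed so that it is released after the device-managed `drm_dev_put()`. All type and function names (`res_list`, `run_teardown`, `drm_dev_put_m`, ...) are this example's own.

```c
#include <stdbool.h>

/*
 * Constructed model (not kernel code) of the lifetimes described in the mail:
 * a kunit-managed resource list and a device-managed (devm) list, both
 * released in reverse allocation order. The use-after-free is observed via a
 * "freed" flag rather than a real free so the model is safe to run; with real
 * allocations KASAN would report the access inside drm_dev_put().
 */

typedef void (*release_fn)(void *obj);

struct res_list {
	struct { void *obj; release_fn release; } ent[8];
	int n;
};

static void res_add(struct res_list *l, void *obj, release_fn fn)
{
	l->ent[l->n].obj = obj;
	l->ent[l->n].release = fn;
	l->n++;
}

/* Both kunit and devm release resources LIFO: last allocated, first released. */
static void res_release_all(struct res_list *l)
{
	while (l->n > 0) {
		l->n--;
		l->ent[l->n].release(l->ent[l->n].obj);
	}
}

struct drm_driver_m { bool freed; };

struct device_m {
	struct res_list devm;	/* device-managed resources of this device */
	bool freed;
};

struct drm_device_m {
	struct drm_driver_m *driver;
	bool *uaf_seen;		/* set if drm_dev_put_m() finds the driver freed */
};

static void driver_release(void *obj)
{
	((struct drm_driver_m *)obj)->freed = true;
}

/* Device teardown runs the devm cleanup before the device itself goes away. */
static void device_release(void *obj)
{
	struct device_m *dev = obj;

	res_release_all(&dev->devm);
	dev->freed = true;
}

/* Models drm_dev_put(): the final put reaches into dev->driver. */
static void drm_dev_put_m(void *obj)
{
	struct drm_device_m *ddev = obj;

	if (ddev->driver->freed)
		*ddev->uaf_seen = true;	/* real kernel: KASAN use-after-free */
}

/*
 * driver_is_devm == false reproduces the mail's INIT/EXIT sequence: struct
 * device and drm driver kunit-managed, drm device device-managed.
 * driver_is_devm == true is the assumed alternative: the driver is also
 * device-managed and allocated before the drm device, so devm's LIFO order
 * runs drm_dev_put_m() while the driver is still alive.
 * Returns true if the modelled drm_dev_put() touched a freed driver.
 */
static bool run_teardown(bool driver_is_devm)
{
	struct res_list kunit = { .n = 0 };
	struct device_m dev = { .devm = { .n = 0 }, .freed = false };
	struct drm_driver_m drv = { .freed = false };
	bool uaf_seen = false;
	struct drm_device_m ddev = { .driver = &drv, .uaf_seen = &uaf_seen };

	/* INIT */
	res_add(&kunit, &dev, device_release);		/* struct device: kunit-managed */
	if (driver_is_devm)
		res_add(&dev.devm, &drv, driver_release);	/* driver: device-managed */
	else
		res_add(&kunit, &drv, driver_release);		/* driver: kunit-managed (the bug) */
	res_add(&dev.devm, &ddev, drm_dev_put_m);	/* drm device: device-managed */

	/* EXIT: only the kunit cleanup runs; everything else cascades from it. */
	res_release_all(&kunit);
	return uaf_seen;
}

static bool buggy_order_dereferences_freed_driver(void) { return run_teardown(false); }
static bool devm_driver_outlives_drm_device(void) { return !run_teardown(true); }

int main(void)
{
	return (buggy_order_dereferences_freed_driver() &&
		devm_driver_outlives_drm_device()) ? 0 : 1;
}
```

The model exits 0 when the kunit-managed driver is reported as freed before `drm_dev_put_m()` runs and the device-managed driver is not; the point is only the release order, which is why the kunit stack frees the driver (allocated second) before the device (allocated first), and the device's devm stack then still needs the driver.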