From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: "Greg Kroah-Hartman" <gregkh@linuxfoundation.org>,
罗权 <luoquan@qianxin.com>,
"Chris Wilson" <chris@chris-wilson.co.uk>,
"Jon Bloomfield" <jon.bloomfield@intel.com>,
"Tyler Hicks" <tyhicks@canonical.com>
Subject: [PATCH 4.19 16/84] drm/i915: Fix use-after-free when destroying GEM context
Date: Fri, 17 Jan 2020 00:17:50 +0100
Message-ID: <20200116231715.550710759@linuxfoundation.org>
In-Reply-To: <20200116231713.087649517@linuxfoundation.org>
From: Tyler Hicks <tyhicks@canonical.com>
This patch is a simplified fix to address a use-after-free in 4.14.x and
4.19.x stable kernels. The flaw is already fixed upstream, starting in
5.2, by commit 7dc40713618c ("drm/i915: Introduce a mutex for
file_priv->context_idr") as part of a more complex patch series that
isn't appropriate for backporting to stable kernels.
Expand mutex coverage, while destroying the GEM context, to include the
GEM context lookup step. This fixes a use-after-free detected by KASAN:
==================================================================
BUG: KASAN: use-after-free in i915_ppgtt_close+0x2ca/0x2f0
Write of size 1 at addr ffff8881368a8368 by task i915-poc/3124
CPU: 0 PID: 3124 Comm: i915-poc Not tainted 4.14.164 #1
Hardware name: HP HP Elite x2 1012 G1 /80FC, BIOS N85 Ver. 01.20 04/05/2017
Call Trace:
dump_stack+0xcd/0x12e
? _atomic_dec_and_lock+0x1b2/0x1b2
? i915_ppgtt_close+0x2ca/0x2f0
? printk+0x8f/0xab
? show_regs_print_info+0x53/0x53
? i915_ppgtt_close+0x2ca/0x2f0
print_address_description+0x65/0x270
? i915_ppgtt_close+0x2ca/0x2f0
kasan_report+0x251/0x340
i915_ppgtt_close+0x2ca/0x2f0
? __radix_tree_insert+0x3f0/0x3f0
? i915_ppgtt_init_hw+0x7c0/0x7c0
context_close+0x42e/0x680
? i915_gem_context_release+0x230/0x230
? kasan_kmalloc+0xa0/0xd0
? radix_tree_delete_item+0x1d4/0x250
? radix_tree_lookup+0x10/0x10
? inet_recvmsg+0x4b0/0x4b0
? kasan_slab_free+0x88/0xc0
i915_gem_context_destroy_ioctl+0x236/0x300
? i915_gem_context_create_ioctl+0x360/0x360
? drm_dev_printk+0x1d0/0x1d0
? memcpy+0x34/0x50
? i915_gem_context_create_ioctl+0x360/0x360
drm_ioctl_kernel+0x1b0/0x2b0
? drm_ioctl_permit+0x2a0/0x2a0
? avc_ss_reset+0xd0/0xd0
drm_ioctl+0x6fe/0xa20
? i915_gem_context_create_ioctl+0x360/0x360
? drm_getstats+0x20/0x20
? put_unused_fd+0x260/0x260
do_vfs_ioctl+0x189/0x12d0
? ioctl_preallocate+0x280/0x280
? selinux_file_ioctl+0x3a7/0x680
? selinux_bprm_set_creds+0xe30/0xe30
? security_file_ioctl+0x69/0xa0
? selinux_bprm_set_creds+0xe30/0xe30
SyS_ioctl+0x6f/0x80
? __sys_sendmmsg+0x4a0/0x4a0
? do_vfs_ioctl+0x12d0/0x12d0
do_syscall_64+0x214/0x5f0
? __switch_to_asm+0x31/0x60
? __switch_to_asm+0x25/0x60
? __switch_to_asm+0x31/0x60
? syscall_return_slowpath+0x2c0/0x2c0
? copy_overflow+0x20/0x20
? __switch_to_asm+0x25/0x60
? syscall_return_via_sysret+0x2a/0x7a
? prepare_exit_to_usermode+0x200/0x200
? __switch_to_asm+0x31/0x60
? __switch_to_asm+0x31/0x60
? __switch_to_asm+0x25/0x60
? __switch_to_asm+0x25/0x60
? __switch_to_asm+0x31/0x60
? __switch_to_asm+0x25/0x60
? __switch_to_asm+0x31/0x60
? __switch_to_asm+0x31/0x60
? __switch_to_asm+0x25/0x60
entry_SYSCALL_64_after_hwframe+0x3d/0xa2
RIP: 0033:0x7f7fda5115d7
RSP: 002b:00007f7eec317ec8 EFLAGS: 00000286 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f7fda5115d7
RDX: 000055b306db9188 RSI: 000000004008646e RDI: 0000000000000003
RBP: 00007f7eec317ef0 R08: 00007f7eec318700 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000286 R12: 00007f7eec317fc0
R13: 0000000000000000 R14: 0000000000000000 R15: 00007ffd8007ade0
Allocated by task 2898:
save_stack+0x32/0xb0
kasan_kmalloc+0xa0/0xd0
kmem_cache_alloc_trace+0x5e/0x180
i915_ppgtt_create+0xab/0x2510
i915_gem_create_context+0x981/0xf90
i915_gem_context_create_ioctl+0x1d7/0x360
drm_ioctl_kernel+0x1b0/0x2b0
drm_ioctl+0x6fe/0xa20
do_vfs_ioctl+0x189/0x12d0
SyS_ioctl+0x6f/0x80
do_syscall_64+0x214/0x5f0
entry_SYSCALL_64_after_hwframe+0x3d/0xa2
Freed by task 104:
save_stack+0x32/0xb0
kasan_slab_free+0x72/0xc0
kfree+0x88/0x190
i915_ppgtt_release+0x24e/0x460
i915_gem_context_free+0x90/0x480
contexts_free_worker+0x54/0x80
process_one_work+0x876/0x14e0
worker_thread+0x1b8/0xfd0
kthread+0x2f8/0x3c0
ret_from_fork+0x35/0x40
The buggy address belongs to the object at ffff8881368a8000
which belongs to the cache kmalloc-8192 of size 8192
The buggy address is located 872 bytes inside of
8192-byte region [ffff8881368a8000, ffff8881368aa000)
The buggy address belongs to the page:
page:ffffea0004da2a00 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0
flags: 0x200000000008100(slab|head)
raw: 0200000000008100 0000000000000000 0000000000000000 0000000100030003
raw: dead000000000100 dead000000000200 ffff88822a002280 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8881368a8200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8881368a8280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8881368a8300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8881368a8380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8881368a8400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
Fixes: 1acfc104cdf8 ("drm/i915: Enable rcu-only context lookups")
Reported-by: 罗权 <luoquan@qianxin.com>
Cc: Chris Wilson <chris@chris-wilson.co.uk>
Cc: Jon Bloomfield <jon.bloomfield@intel.com>
Cc: stable@vger.kernel.org # 4.14.x
Cc: stable@vger.kernel.org # 4.19.x
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/i915/i915_gem_context.c | 13 +++++++------
1 file changed, 7 insertions(+), 6 deletions(-)
--- a/drivers/gpu/drm/i915/i915_gem_context.c
+++ b/drivers/gpu/drm/i915/i915_gem_context.c
@@ -770,18 +770,19 @@ int i915_gem_context_destroy_ioctl(struc
if (args->ctx_id == DEFAULT_CONTEXT_HANDLE)
return -ENOENT;
+ ret = i915_mutex_lock_interruptible(dev);
+ if (ret)
+ return ret;
+
ctx = i915_gem_context_lookup(file_priv, args->ctx_id);
- if (!ctx)
+ if (!ctx) {
+ mutex_unlock(&dev->struct_mutex);
return -ENOENT;
-
- ret = mutex_lock_interruptible(&dev->struct_mutex);
- if (ret)
- goto out;
+ }
__destroy_hw_context(ctx, file_priv);
mutex_unlock(&dev->struct_mutex);
-out:
i915_gem_context_put(ctx);
return 0;
}
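Review bot: the lock call in the new code is not the one the removed code used: the hunk drops `ret = mutex_lock_interruptible(&dev->struct_mutex);` and adds `ret = i915_mutex_lock_interruptible(dev);`, while the commit message only describes widening the critical section to cover the lookup. If the wrapper does anything beyond taking struct_mutex (any extra wait or error return before the lock is acquired), that changes when the destroy ioctl can fail and should be spelled out in the message, or the plain `mutex_lock_interruptible(&dev->struct_mutex)` kept so the backport stays a pure lock-ordering fix. The ordering change itself is correct for the reported bug: `i915_gem_context_lookup()` now runs under struct_mutex, so the context cannot be freed by the worker between the lookup and `__destroy_hw_context()`, and the `!ctx` path unlocks before returning so no lock is leaked; with `goto out` gone, the `out:` label is rightly removed too.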