From: Sam Ravnborg <sam@ravnborg.org>
To: Daniel Vetter <daniel.vetter@ffwll.ch>
Cc: Rob Clark <robdclark@chromium.org>,
Hillf Danton <hdanton@sina.com>,
Intel Graphics Development <intel-gfx@lists.freedesktop.org>,
stable@vger.kernel.org, Sean Paul <seanpaul@chromium.org>,
DRI Development <dri-devel@lists.freedesktop.org>,
Daniel Vetter <daniel.vetter@intel.com>,
Dan Carpenter <dan.carpenter@oracle.com>,
Emil Velikov <emil.velikov@collabora.com>
Subject: Re: [PATCH] drm/vgem: Close use-after-free race in vgem_gem_create
Date: Sun, 2 Feb 2020 16:39:16 +0100 [thread overview]
Message-ID: <20200202153915.GA8034@ravnborg.org> (raw)
In-Reply-To: <20200202132133.1891846-1-daniel.vetter@ffwll.ch>
Hi Daniel.
On Sun, Feb 02, 2020 at 02:21:33PM +0100, Daniel Vetter wrote:
> There's two references floating around here (for the object reference,
> not the handle_count reference, that's a different thing):
>
> - The temporary reference held by vgem_gem_create, acquired by
> creating the object and released by calling
> drm_gem_object_put_unlocked.
>
> - The reference held by the object handle, created by
> drm_gem_handle_create. This one generally outlives the function,
> except if a 2nd thread races with a GEM_CLOSE ioctl call.
>
> So usually everything is correct, except in that race case, where the
> access to gem_object->size could be looking at freed data already.
> Which again isn't a real problem (userspace shot its feet off already
> with the race, we could return garbage), but maybe someone can exploit
> this as an information leak.
>
> Cc: Dan Carpenter <dan.carpenter@oracle.com>
> Cc: Hillf Danton <hdanton@sina.com>
> Cc: Reported-by: syzbot+0dc4444774d419e916c8@syzkaller.appspotmail.com
^^ Small typo
> Cc: stable@vger.kernel.org
> Cc: Emil Velikov <emil.velikov@collabora.com>
> Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
> Cc: Sean Paul <seanpaul@chromium.org>
> Cc: Chris Wilson <chris@chris-wilson.co.uk>
> Cc: Eric Anholt <eric@anholt.net>
> Cc: Sam Ravnborg <sam@ravnborg.org>
> Cc: Rob Clark <robdclark@chromium.org>
> Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>
> ---
> drivers/gpu/drm/vgem/vgem_drv.c | 9 ++++++---
> 1 file changed, 6 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/gpu/drm/vgem/vgem_drv.c b/drivers/gpu/drm/vgem/vgem_drv.c
> index 5bd60ded3d81..909eba43664a 100644
> --- a/drivers/gpu/drm/vgem/vgem_drv.c
> +++ b/drivers/gpu/drm/vgem/vgem_drv.c
> @@ -196,9 +196,10 @@ static struct drm_gem_object *vgem_gem_create(struct drm_device *dev,
> return ERR_CAST(obj);
>
> ret = drm_gem_handle_create(file, &obj->base, handle);
> - drm_gem_object_put_unlocked(&obj->base);
> - if (ret)
> + if (ret) {
> + drm_gem_object_put_unlocked(&obj->base);
> return ERR_PTR(ret);
> + }
>
> return &obj->base;
> }
> @@ -221,7 +222,9 @@ static int vgem_gem_dumb_create(struct drm_file *file, struct drm_device *dev,
> args->size = gem_object->size;
> args->pitch = pitch;
>
> - DRM_DEBUG("Created object of size %lld\n", size);
> + drm_gem_object_put_unlocked(gem_object);
> +
> + DRM_DEBUG("Created object of size %llu\n", args->size);
>
> return 0;
> }
> --
> 2.24.1
>
> _______________________________________________
> dri-devel mailing list
> dri-devel@lists.freedesktop.org
> https://lists.freedesktop.org/mailman/listinfo/dri-devel
_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel
WARNING: multiple messages have this Message-ID (diff)
From: Sam Ravnborg <sam@ravnborg.org>
To: Daniel Vetter <daniel.vetter@ffwll.ch>
Cc: Rob Clark <robdclark@chromium.org>,
Hillf Danton <hdanton@sina.com>,
Intel Graphics Development <intel-gfx@lists.freedesktop.org>,
stable@vger.kernel.org, Sean Paul <seanpaul@chromium.org>,
DRI Development <dri-devel@lists.freedesktop.org>,
Daniel Vetter <daniel.vetter@intel.com>,
Dan Carpenter <dan.carpenter@oracle.com>,
Emil Velikov <emil.velikov@collabora.com>
Subject: Re: [Intel-gfx] [PATCH] drm/vgem: Close use-after-free race in vgem_gem_create
Date: Sun, 2 Feb 2020 16:39:16 +0100 [thread overview]
Message-ID: <20200202153915.GA8034@ravnborg.org> (raw)
In-Reply-To: <20200202132133.1891846-1-daniel.vetter@ffwll.ch>
Hi Daniel.
On Sun, Feb 02, 2020 at 02:21:33PM +0100, Daniel Vetter wrote:
> There's two references floating around here (for the object reference,
> not the handle_count reference, that's a different thing):
>
> - The temporary reference held by vgem_gem_create, acquired by
> creating the object and released by calling
> drm_gem_object_put_unlocked.
>
> - The reference held by the object handle, created by
> drm_gem_handle_create. This one generally outlives the function,
> except if a 2nd thread races with a GEM_CLOSE ioctl call.
>
> So usually everything is correct, except in that race case, where the
> access to gem_object->size could be looking at freed data already.
> Which again isn't a real problem (userspace shot its feet off already
> with the race, we could return garbage), but maybe someone can exploit
> this as an information leak.
>
> Cc: Dan Carpenter <dan.carpenter@oracle.com>
> Cc: Hillf Danton <hdanton@sina.com>
> Cc: Reported-by: syzbot+0dc4444774d419e916c8@syzkaller.appspotmail.com
^^ Small typo
> Cc: stable@vger.kernel.org
> Cc: Emil Velikov <emil.velikov@collabora.com>
> Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
> Cc: Sean Paul <seanpaul@chromium.org>
> Cc: Chris Wilson <chris@chris-wilson.co.uk>
> Cc: Eric Anholt <eric@anholt.net>
> Cc: Sam Ravnborg <sam@ravnborg.org>
> Cc: Rob Clark <robdclark@chromium.org>
> Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>
> ---
> drivers/gpu/drm/vgem/vgem_drv.c | 9 ++++++---
> 1 file changed, 6 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/gpu/drm/vgem/vgem_drv.c b/drivers/gpu/drm/vgem/vgem_drv.c
> index 5bd60ded3d81..909eba43664a 100644
> --- a/drivers/gpu/drm/vgem/vgem_drv.c
> +++ b/drivers/gpu/drm/vgem/vgem_drv.c
> @@ -196,9 +196,10 @@ static struct drm_gem_object *vgem_gem_create(struct drm_device *dev,
> return ERR_CAST(obj);
>
> ret = drm_gem_handle_create(file, &obj->base, handle);
> - drm_gem_object_put_unlocked(&obj->base);
> - if (ret)
> + if (ret) {
> + drm_gem_object_put_unlocked(&obj->base);
> return ERR_PTR(ret);
> + }
>
> return &obj->base;
> }
> @@ -221,7 +222,9 @@ static int vgem_gem_dumb_create(struct drm_file *file, struct drm_device *dev,
> args->size = gem_object->size;
> args->pitch = pitch;
>
> - DRM_DEBUG("Created object of size %lld\n", size);
> + drm_gem_object_put_unlocked(gem_object);
> +
> + DRM_DEBUG("Created object of size %llu\n", args->size);
>
> return 0;
> }
> --
> 2.24.1
>
> _______________________________________________
> dri-devel mailing list
> dri-devel@lists.freedesktop.org
> https://lists.freedesktop.org/mailman/listinfo/dri-devel
_______________________________________________
Intel-gfx mailing list
Intel-gfx@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/intel-gfx
WARNING: multiple messages have this Message-ID (diff)
From: Sam Ravnborg <sam@ravnborg.org>
To: Daniel Vetter <daniel.vetter@ffwll.ch>
Cc: DRI Development <dri-devel@lists.freedesktop.org>,
Rob Clark <robdclark@chromium.org>,
Hillf Danton <hdanton@sina.com>,
Intel Graphics Development <intel-gfx@lists.freedesktop.org>,
stable@vger.kernel.org, Sean Paul <seanpaul@chromium.org>,
Daniel Vetter <daniel.vetter@intel.com>,
Dan Carpenter <dan.carpenter@oracle.com>,
Emil Velikov <emil.velikov@collabora.com>
Subject: Re: [PATCH] drm/vgem: Close use-after-free race in vgem_gem_create
Date: Sun, 2 Feb 2020 16:39:16 +0100 [thread overview]
Message-ID: <20200202153915.GA8034@ravnborg.org> (raw)
In-Reply-To: <20200202132133.1891846-1-daniel.vetter@ffwll.ch>
Hi Daniel.
On Sun, Feb 02, 2020 at 02:21:33PM +0100, Daniel Vetter wrote:
> There's two references floating around here (for the object reference,
> not the handle_count reference, that's a different thing):
>
> - The temporary reference held by vgem_gem_create, acquired by
> creating the object and released by calling
> drm_gem_object_put_unlocked.
>
> - The reference held by the object handle, created by
> drm_gem_handle_create. This one generally outlives the function,
> except if a 2nd thread races with a GEM_CLOSE ioctl call.
>
> So usually everything is correct, except in that race case, where the
> access to gem_object->size could be looking at freed data already.
> Which again isn't a real problem (userspace shot its feet off already
> with the race, we could return garbage), but maybe someone can exploit
> this as an information leak.
>
> Cc: Dan Carpenter <dan.carpenter@oracle.com>
> Cc: Hillf Danton <hdanton@sina.com>
> Cc: Reported-by: syzbot+0dc4444774d419e916c8@syzkaller.appspotmail.com
^^ Small typo
> Cc: stable@vger.kernel.org
> Cc: Emil Velikov <emil.velikov@collabora.com>
> Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
> Cc: Sean Paul <seanpaul@chromium.org>
> Cc: Chris Wilson <chris@chris-wilson.co.uk>
> Cc: Eric Anholt <eric@anholt.net>
> Cc: Sam Ravnborg <sam@ravnborg.org>
> Cc: Rob Clark <robdclark@chromium.org>
> Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>
> ---
> drivers/gpu/drm/vgem/vgem_drv.c | 9 ++++++---
> 1 file changed, 6 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/gpu/drm/vgem/vgem_drv.c b/drivers/gpu/drm/vgem/vgem_drv.c
> index 5bd60ded3d81..909eba43664a 100644
> --- a/drivers/gpu/drm/vgem/vgem_drv.c
> +++ b/drivers/gpu/drm/vgem/vgem_drv.c
> @@ -196,9 +196,10 @@ static struct drm_gem_object *vgem_gem_create(struct drm_device *dev,
> return ERR_CAST(obj);
>
> ret = drm_gem_handle_create(file, &obj->base, handle);
> - drm_gem_object_put_unlocked(&obj->base);
> - if (ret)
> + if (ret) {
> + drm_gem_object_put_unlocked(&obj->base);
> return ERR_PTR(ret);
> + }
>
> return &obj->base;
> }
> @@ -221,7 +222,9 @@ static int vgem_gem_dumb_create(struct drm_file *file, struct drm_device *dev,
> args->size = gem_object->size;
> args->pitch = pitch;
>
> - DRM_DEBUG("Created object of size %lld\n", size);
> + drm_gem_object_put_unlocked(gem_object);
> +
> + DRM_DEBUG("Created object of size %llu\n", args->size);
>
> return 0;
> }
> --
> 2.24.1
>
> _______________________________________________
> dri-devel mailing list
> dri-devel@lists.freedesktop.org
> https://lists.freedesktop.org/mailman/listinfo/dri-devel
next prev parent reply other threads:[~2020-02-02 15:39 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-02-02 13:21 [PATCH] drm/vgem: Close use-after-free race in vgem_gem_create Daniel Vetter
2020-02-02 13:21 ` Daniel Vetter
2020-02-02 13:21 ` [Intel-gfx] " Daniel Vetter
2020-02-02 13:38 ` [Intel-gfx] ✗ Fi.CI.CHECKPATCH: warning for " Patchwork
2020-02-02 14:34 ` [Intel-gfx] ✓ Fi.CI.BAT: success " Patchwork
2020-02-02 15:39 ` Sam Ravnborg [this message]
2020-02-02 15:39 ` [PATCH] " Sam Ravnborg
2020-02-02 15:39 ` [Intel-gfx] " Sam Ravnborg
2020-02-02 17:37 ` Chris Wilson
2020-02-02 17:37 ` Chris Wilson
2020-02-02 17:37 ` [Intel-gfx] " Chris Wilson
2020-02-06 18:05 ` Daniel Vetter
2020-02-06 18:05 ` Daniel Vetter
2020-02-06 18:05 ` [Intel-gfx] " Daniel Vetter
2020-02-05 8:15 ` [Intel-gfx] ✓ Fi.CI.IGT: success for " Patchwork
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200202153915.GA8034@ravnborg.org \
--to=sam@ravnborg.org \
--cc=dan.carpenter@oracle.com \
--cc=daniel.vetter@ffwll.ch \
--cc=daniel.vetter@intel.com \
--cc=dri-devel@lists.freedesktop.org \
--cc=emil.velikov@collabora.com \
--cc=hdanton@sina.com \
--cc=intel-gfx@lists.freedesktop.org \
--cc=robdclark@chromium.org \
--cc=seanpaul@chromium.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.