From: Boris Brezillon <boris.brezillon@collabora.com>
To: Dmitry Osipenko <dmitry.osipenko@collabora.com>
Cc: "Mark Rutland" <mark.rutland@arm.com>,
"Emma Anholt" <emma@anholt.net>,
"Peter Zijlstra" <peterz@infradead.org>,
dri-devel@lists.freedesktop.org,
"Gurchetan Singh" <gurchetansingh@chromium.org>,
"Gerd Hoffmann" <kraxel@redhat.com>,
kernel@collabora.com, "Will Deacon" <will@kernel.org>,
"David Airlie" <airlied@gmail.com>,
"Steven Price" <steven.price@arm.com>,
intel-gfx@lists.freedesktop.org,
"Daniel Vetter" <daniel@ffwll.ch>,
"Boqun Feng" <boqun.feng@gmail.com>,
"Maxime Ripard" <mripard@kernel.org>,
"Melissa Wen" <mwen@igalia.com>,
virtualization@lists.linux-foundation.org,
linux-kernel@vger.kernel.org, "Chia-I Wu" <olvaffe@gmail.com>,
"Qiang Yu" <yuq825@gmail.com>,
"Thomas Zimmermann" <tzimmermann@suse.de>,
"Christian König" <christian.koenig@amd.com>
Subject: Re: [Intel-gfx] [PATCH v15 01/23] drm/shmem-helper: Fix UAF in error path when freeing SGT of imported GEM
Date: Mon, 28 Aug 2023 13:16:47 +0200
Message-ID: <20230828131647.18888896@collabora.com>
In-Reply-To: <20230827175449.1766701-2-dmitry.osipenko@collabora.com>
On Sun, 27 Aug 2023 20:54:27 +0300
Dmitry Osipenko <dmitry.osipenko@collabora.com> wrote:
> Freeing a drm-shmem GEM right after creating it using
> drm_gem_shmem_prime_import_sg_table() frees the SGT of the imported dma-buf,
> and then dma-buf frees this SGT a second time.
>
> v3d_prime_import_sg_table() is an example of an error code path where the
> dma-buf's SGT is freed by drm-shmem and then freed a second time by
> dma_buf_unmap_attachment() in drm_gem_prime_import_dev().
>
> Add a drm-shmem GEM flag telling that this is an imported SGT that shall not
> be treated as the GEM's own SGT, fixing the use-after-free bug.
>
> Cc: stable@vger.kernel.org
> Fixes: 2194a63a818d ("drm: Add library for shmem backed GEM objects")
> Signed-off-by: Dmitry Osipenko <dmitry.osipenko@collabora.com>
> ---
> drivers/gpu/drm/drm_gem_shmem_helper.c | 3 ++-
> include/drm/drm_gem_shmem_helper.h | 7 +++++++
> 2 files changed, 9 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/gpu/drm/drm_gem_shmem_helper.c b/drivers/gpu/drm/drm_gem_shmem_helper.c
> index a783d2245599..78d9cf2355a5 100644
> --- a/drivers/gpu/drm/drm_gem_shmem_helper.c
> +++ b/drivers/gpu/drm/drm_gem_shmem_helper.c
> @@ -141,7 +141,7 @@ void drm_gem_shmem_free(struct drm_gem_shmem_object *shmem)
>
> if (obj->import_attach) {
> drm_prime_gem_destroy(obj, shmem->sgt);
> - } else {
> + } else if (!shmem->imported_sgt) {
> dma_resv_lock(shmem->base.resv, NULL);
>
> drm_WARN_ON(obj->dev, shmem->vmap_use_count);
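Review bot: the new `} else if (!shmem->imported_sgt) {` guard skips the whole non-imported teardown, not only the sgt release, so an object freed from a driver's error path after drm_gem_shmem_prime_import_sg_table() also bypasses the dma_resv_lock() / drm_WARN_ON(vmap_use_count) sanity checks visible in this hunk; any vmap or page state the driver's failable init set up before bailing out is then dropped silently instead of being flagged. Either narrow the guard to the sgt-free step inside the branch, or make import_attach valid by the time drm_gem_shmem_free() can run (as the interleaved comment below suggests) so the first branch handles both cases from a single source of truth.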
> @@ -758,6 +758,7 @@ drm_gem_shmem_prime_import_sg_table(struct drm_device *dev,
> return ERR_CAST(shmem);
>
> shmem->sgt = sgt;
> + shmem->imported_sgt = true;
I feel like adding more fields that can be used to do the is_imported()
check is going to be even more confusing. Can we instead have
/* drm_gem_shmem_prime_import_sg_table() can be called from
 * driver-specific ->import_sg_table() implementations that
* have extra failable initialization steps. Assign
* drm_gem_object::import_attach here (even though it's
* assigned in drm_gem_prime_import_dev()), so we don't end up
* with driver error paths calling drm_gem_shmem_free() with an
* imported sg_table assigned to drm_gem_shmem_object::sgt and
* drm_gem_object::import_attach left uninitialized.
*/
shmem->base.import_attach = attach;
here?
>
> drm_dbg_prime(dev, "size = %zu\n", size);
>
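Review bot: `shmem->imported_sgt = true;` introduces a second field that describes the same state as `obj->import_attach`, and between this assignment and drm_gem_prime_import_dev() finishing the two disagree (flag set, attach still NULL), which is precisely the window the free path now has to special-case. Setting `shmem->base.import_attach = attach;` here instead, as proposed in the interleaved comment, keeps one source of truth, assuming `attach` is the dma_buf_attachment parameter of this function (the hunk header truncates the parameter list). Whichever variant is kept, the commit message should name which driver error paths are expected to reach drm_gem_shmem_free() before import_attach is assigned, since that is the contract the fix relies on.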
> diff --git a/include/drm/drm_gem_shmem_helper.h b/include/drm/drm_gem_shmem_helper.h
> index bf0c31aa8fbe..ec70a98a8fe1 100644
> --- a/include/drm/drm_gem_shmem_helper.h
> +++ b/include/drm/drm_gem_shmem_helper.h
> @@ -73,6 +73,13 @@ struct drm_gem_shmem_object {
> */
> unsigned int vmap_use_count;
>
> + /**
> + * @imported_sgt:
> + *
> + * True if SG table belongs to imported dma-buf.
> + */
> + bool imported_sgt : 1;
> +
> /**
> * @pages_mark_dirty_on_put:
> *
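Review bot: the kerneldoc for `@imported_sgt` only says the SG table belongs to an imported dma-buf; it should state who sets it (drm_gem_shmem_prime_import_sg_table(), per the previous hunk) and what it changes (drm_gem_shmem_free() must not release `sgt`, because the exporter releases it via dma_buf_unmap_attachment()), otherwise a driver author cannot tell whether their own ->import_sg_table() path may clear it or has to set it. A sentence on how it relates to `drm_gem_object::import_attach` would also help, since the free path now consults both.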