From: Dmitry Osipenko <dmitry.osipenko@collabora.com>
To: "David Airlie" <airlied@gmail.com>,
"Gerd Hoffmann" <kraxel@redhat.com>,
"Gurchetan Singh" <gurchetansingh@chromium.org>,
"Chia-I Wu" <olvaffe@gmail.com>,
"Daniel Vetter" <daniel@ffwll.ch>,
"Maarten Lankhorst" <maarten.lankhorst@linux.intel.com>,
"Maxime Ripard" <mripard@kernel.org>,
"Thomas Zimmermann" <tzimmermann@suse.de>,
"Christian König" <christian.koenig@amd.com>,
"Qiang Yu" <yuq825@gmail.com>,
"Steven Price" <steven.price@arm.com>,
"Boris Brezillon" <boris.brezillon@collabora.com>,
"Emma Anholt" <emma@anholt.net>, "Melissa Wen" <mwen@igalia.com>
Cc: kernel@collabora.com, linux-kernel@vger.kernel.org,
dri-devel@lists.freedesktop.org,
virtualization@lists.linux-foundation.org
Subject: [PATCH v16 01/20] drm/shmem-helper: Fix UAF in error path when freeing SGT of imported GEM
Date: Sun, 3 Sep 2023 20:07:17 +0300 [thread overview]
Message-ID: <20230903170736.513347-2-dmitry.osipenko@collabora.com> (raw)
In-Reply-To: <20230903170736.513347-1-dmitry.osipenko@collabora.com>
Freeing drm-shmem GEM right after creating it using
drm_gem_shmem_prime_import_sg_table() frees SGT of the imported dma-buf
and then dma-buf frees this SGT second time.
The v3d_prime_import_sg_table() is example of a error code path where
dma-buf's SGT is freed by drm-shmem and then it's freed second time by
dma_buf_unmap_attachment() in drm_gem_prime_import_dev().
Add drm-shmem GEM flag telling that this is imported SGT shall not be
treated as own SGT, fixing the use-after-free bug.
Cc: stable@vger.kernel.org
Fixes: 2194a63a818d ("drm: Add library for shmem backed GEM objects")
Signed-off-by: Dmitry Osipenko <dmitry.osipenko@collabora.com>
---
drivers/gpu/drm/drm_gem_shmem_helper.c | 13 ++++++++++++-
include/drm/drm_gem_shmem_helper.h | 7 +++++++
2 files changed, 19 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/drm_gem_shmem_helper.c b/drivers/gpu/drm/drm_gem_shmem_helper.c
index e435f986cd13..6693d4061ca1 100644
--- a/drivers/gpu/drm/drm_gem_shmem_helper.c
+++ b/drivers/gpu/drm/drm_gem_shmem_helper.c
@@ -141,7 +141,7 @@ void drm_gem_shmem_free(struct drm_gem_shmem_object *shmem)
if (obj->import_attach) {
drm_prime_gem_destroy(obj, shmem->sgt);
- } else {
+ } else if (!shmem->imported_sgt) {
dma_resv_lock(shmem->base.resv, NULL);
drm_WARN_ON(obj->dev, shmem->vmap_use_count);
@@ -765,6 +765,17 @@ drm_gem_shmem_prime_import_sg_table(struct drm_device *dev,
shmem->sgt = sgt;
+ /*
+ * drm_gem_shmem_prime_import_sg_table() can be called from a
+ * driver specific ->import_sg_table() implementations that
+ * may fail, in that case drm_gem_shmem_free() will be invoked
+ * without assigned drm_gem_object::import_attach.
+ *
+ * This flag lets drm_gem_shmem_free() differentiate whether
+ * SGT belongs to dmabuf and shall not be freed by drm-shmem.
+ */
+ shmem->imported_sgt = true;
+
drm_dbg_prime(dev, "size = %zu\n", size);
return &shmem->base;
diff --git a/include/drm/drm_gem_shmem_helper.h b/include/drm/drm_gem_shmem_helper.h
index bf0c31aa8fbe..ec70a98a8fe1 100644
--- a/include/drm/drm_gem_shmem_helper.h
+++ b/include/drm/drm_gem_shmem_helper.h
@@ -73,6 +73,13 @@ struct drm_gem_shmem_object {
*/
unsigned int vmap_use_count;
+ /**
+ * @imported_sgt:
+ *
+ * True if SG table belongs to imported dma-buf.
+ */
+ bool imported_sgt : 1;
+
/**
* @pages_mark_dirty_on_put:
*
--
2.41.0
next prev parent reply other threads:[~2023-09-03 17:08 UTC|newest]
Thread overview: 55+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-09-03 17:07 [PATCH v16 00/20] Add generic memory shrinker to VirtIO-GPU and Panfrost DRM drivers Dmitry Osipenko
2023-09-03 17:07 ` Dmitry Osipenko [this message]
2023-09-03 17:07 ` [PATCH v16 02/20] drm/shmem-helper: Use flag for tracking page count bumped by get_pages_sgt() Dmitry Osipenko
2023-09-05 7:40 ` Boris Brezillon
2023-09-11 23:41 ` Dmitry Osipenko
2023-09-12 7:07 ` Boris Brezillon
2023-09-03 17:07 ` [PATCH v16 03/20] drm/gem: Change locked/unlocked postfix of drm_gem_v/unmap() function names Dmitry Osipenko
2023-09-03 17:07 ` [PATCH v16 04/20] drm/gem: Add _locked postfix to functions that have unlocked counterpart Dmitry Osipenko
2023-09-03 17:07 ` [PATCH v16 05/20] drm/v3d: Replace open-coded drm_gem_shmem_free() with drm_gem_object_put() Dmitry Osipenko
2023-09-05 7:33 ` Boris Brezillon
2023-09-03 17:07 ` [PATCH v16 06/20] drm/virtio: Replace " Dmitry Osipenko
2023-09-05 7:20 ` Boris Brezillon
2023-09-11 23:32 ` Dmitry Osipenko
2023-09-03 17:07 ` [PATCH v16 07/20] drm/shmem-helper: Make all exported symbols GPL Dmitry Osipenko
2023-09-05 7:05 ` Boris Brezillon
2023-09-03 17:07 ` [PATCH v16 08/20] drm/shmem-helper: Refactor locked/unlocked functions Dmitry Osipenko
2023-09-03 17:07 ` [PATCH v16 09/20] drm/shmem-helper: Remove obsoleted is_iomem test Dmitry Osipenko
2023-09-05 6:46 ` Boris Brezillon
2023-09-13 0:06 ` Dmitry Osipenko
2023-09-03 17:07 ` [PATCH v16 10/20] drm/shmem-helper: Add and use pages_pin_count Dmitry Osipenko
2023-09-05 6:39 ` Boris Brezillon
2023-09-03 17:07 ` [PATCH v16 11/20] drm/shmem-helper: Use refcount_t for pages_use_count Dmitry Osipenko
2023-09-05 6:56 ` Boris Brezillon
2023-09-03 17:07 ` [PATCH v16 12/20] drm/shmem-helper: Add and use lockless drm_gem_shmem_get_pages() Dmitry Osipenko
2023-09-05 6:58 ` Boris Brezillon
2023-09-03 17:07 ` [PATCH v16 13/20] drm/shmem-helper: Switch drm_gem_shmem_vmap/vunmap to use pin/unpin Dmitry Osipenko
2023-09-05 7:00 ` Boris Brezillon
2023-09-03 17:07 ` [PATCH v16 14/20] drm/shmem-helper: Use refcount_t for vmap_use_count Dmitry Osipenko
2023-09-05 7:05 ` Boris Brezillon
2023-09-03 17:07 ` [PATCH v16 15/20] drm/shmem-helper: Add memory shrinker Dmitry Osipenko
2023-09-05 8:03 ` Boris Brezillon
2023-09-13 0:56 ` Dmitry Osipenko
2023-09-13 7:48 ` Boris Brezillon
2023-09-14 4:02 ` Dmitry Osipenko
2023-09-14 7:36 ` Boris Brezillon
2023-09-14 7:50 ` Dmitry Osipenko
2023-09-14 8:27 ` Boris Brezillon
2023-09-14 11:36 ` Dmitry Osipenko
2023-09-14 11:58 ` Boris Brezillon
2023-09-14 13:01 ` Dmitry Osipenko
2023-09-14 13:27 ` Boris Brezillon
2023-09-14 13:30 ` Boris Brezillon
2023-09-14 13:58 ` Dmitry Osipenko
2023-09-07 10:03 ` Dan Carpenter
2023-09-07 10:03 ` Dan Carpenter
2023-09-11 23:44 ` Dmitry Osipenko
2023-09-11 23:44 ` Dmitry Osipenko
2023-09-03 17:07 ` [PATCH v16 16/20] drm/shmem-helper: Export drm_gem_shmem_get_pages_sgt_locked() Dmitry Osipenko
2023-09-03 17:07 ` [PATCH v16 17/20] drm/virtio: Pin display framebuffer BO Dmitry Osipenko
2023-09-03 17:07 ` [PATCH v16 18/20] drm/virtio: Attach shmem BOs dynamically Dmitry Osipenko
2023-09-03 17:07 ` [PATCH v16 19/20] drm/virtio: Support memory shrinking Dmitry Osipenko
2023-09-03 17:07 ` [PATCH v16 20/20] drm/panfrost: Switch to generic memory shrinker Dmitry Osipenko
2023-09-04 13:20 ` Steven Price
2023-09-05 8:08 ` Boris Brezillon
2023-09-06 10:55 ` Steven Price
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230903170736.513347-2-dmitry.osipenko@collabora.com \
--to=dmitry.osipenko@collabora.com \
--cc=airlied@gmail.com \
--cc=boris.brezillon@collabora.com \
--cc=christian.koenig@amd.com \
--cc=daniel@ffwll.ch \
--cc=dri-devel@lists.freedesktop.org \
--cc=emma@anholt.net \
--cc=gurchetansingh@chromium.org \
--cc=kernel@collabora.com \
--cc=kraxel@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=maarten.lankhorst@linux.intel.com \
--cc=mripard@kernel.org \
--cc=mwen@igalia.com \
--cc=olvaffe@gmail.com \
--cc=steven.price@arm.com \
--cc=tzimmermann@suse.de \
--cc=virtualization@lists.linux-foundation.org \
--cc=yuq825@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.