From: Matthew Brost <matthew.brost@intel.com>
To: Matthew Auld <matthew.auld@intel.com>
Cc: <intel-xe@lists.freedesktop.org>, <stable@vger.kernel.org>
Subject: Re: [PATCH 2/2] drm/xe/vm: prevent UAF in rebind_work_func()
Date: Wed, 24 Apr 2024 03:45:32 +0000
Message-ID: <ZiiAXBFAjT+PbF2T@DUT025-TGLU.fm.intel.com>
In-Reply-To: <20240423074721.119633-4-matthew.auld@intel.com>
On Tue, Apr 23, 2024 at 08:47:23AM +0100, Matthew Auld wrote:
> We flush the rebind worker during the vm close phase, however in places
> like preempt_fence_work_func() we seem to queue the rebind worker
> without first checking if the vm has already been closed. The concern
> here is the vm being closed with the worker flushed, but then being
> rearmed later, which looks like potential uaf, since there is no actual
> refcounting to track the queued worker. We can't take the vm->lock here
> in preempt_rebind_work_func() to first check if the vm is closed since
> that will deadlock, so instead flush the worker again when the vm
> refcount reaches zero.
>
> v2:
> - Grabbing vm->lock in the preempt worker creates a deadlock, so
> checking the closed state is tricky. Instead flush the worker when
> the refcount reaches zero. It should be impossible to queue the
> preempt worker without already holding vm ref.
>
Comment in the previous patch applies here as well, with that:
Reviewed-by: Matthew Brost <matthew.brost@intel.com>
> Fixes: dd08ebf6c352 ("drm/xe: Introduce a new DRM driver for Intel GPUs")
> Closes: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/1676
> Closes: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/1591
> Closes: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/1304
> Closes: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/1249
> Signed-off-by: Matthew Auld <matthew.auld@intel.com>
> Cc: Matthew Brost <matthew.brost@intel.com>
> Cc: <stable@vger.kernel.org> # v6.8+
> ---
> drivers/gpu/drm/xe/xe_vm.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/drivers/gpu/drm/xe/xe_vm.c b/drivers/gpu/drm/xe/xe_vm.c
> index 2ba7c920a8af..71de9848bdc2 100644
> --- a/drivers/gpu/drm/xe/xe_vm.c
> +++ b/drivers/gpu/drm/xe/xe_vm.c
> @@ -1509,6 +1509,9 @@ static void vm_destroy_work_func(struct work_struct *w)
> /* xe_vm_close_and_put was not called? */
> xe_assert(xe, !vm->size);
>
> + if (xe_vm_in_preempt_fence_mode(vm))
> + flush_work(&vm->preempt.rebind_work);
> +
> mutex_destroy(&vm->snap_mutex);
>
> if (!(vm->flags & XE_VM_FLAG_MIGRATION))
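Review bot: the new flush_work() call in vm_destroy_work_func() has no comment saying why a second flush is needed when xe_vm_close_and_put() already flushes the rebind worker; the reason (holders of a vm reference, such as preempt_fence_work_func(), can re-queue preempt.rebind_work after the close-time flush, so the last flush must happen once no reference remains) lives only in the commit message and will not be obvious to the next reader of this function. Suggest a short comment above the check, e.g. `/* The rebind worker may have been re-armed after close; flush again now that no vm ref remains. */`. Also worth noting that flush_work() can sleep, so this placement depends on vm_destroy_work_func() running in workqueue context, which is what patch 1/2 of this series (the revert of "drm/xe/vm: drop vm->destroy_work") restores; the two patches should therefore land together.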
> --
> 2.44.0
>
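The race the commit message describes (rebind worker flushed at close, re-armed by a reference holder, then run against a freed vm) can be modelled deterministically in user space. The following is an added example written for this page, not xe driver code: the "workqueue" is a single pending slot drained explicitly by run_workqueue(), the vm is poisoned rather than freed so the stale worker can be observed safely, and all names (vm_create, vm_close, vm_destroy, run_scenario, VM_MAGIC) are hypothetical stand-ins for the driver's functions.

```c
/* User-space model of the rebind_work re-arm race. Added example, not
 * drivers/gpu/drm/xe code; names and the single-slot workqueue are
 * hypothetical simplifications. */
#include <stdio.h>
#include <stdlib.h>

#define VM_MAGIC  0x564d4f4bu
#define VM_POISON 0xdeadbeefu

struct vm {
    unsigned int magic;     /* VM_MAGIC while alive, VM_POISON once destroyed */
    int refcount;
    int size;               /* non-zero while the vm is open */
    int preempt_mode;       /* xe_vm_in_preempt_fence_mode() analogue */
    int rebind_pending;     /* "queued" state of the rebind work item */
};

/* Single-slot workqueue: the last queued vm is run by run_workqueue(). */
static struct vm *queued_vm;
static int uaf_detected;

/* preempt_fence_work_func() analogue: caller holds a vm ref, re-arms worker. */
static void queue_rebind_work(struct vm *vm)
{
    vm->rebind_pending = 1;
    queued_vm = vm;
}

static void rebind_work_func(struct vm *vm)
{
    /* Touching a destroyed vm is the bug; detect it via the poisoned magic. */
    if (vm->magic != VM_MAGIC)
        uaf_detected = 1;
    vm->rebind_pending = 0;
}

/* flush_work() analogue: run the item now if it is queued. */
static void flush_rebind_work(struct vm *vm)
{
    if (vm->rebind_pending) {
        rebind_work_func(vm);
        if (queued_vm == vm)
            queued_vm = NULL;
    }
}

/* The "later" in the commit message: the workqueue runs whatever is queued. */
static void run_workqueue(void)
{
    struct vm *vm = queued_vm;
    queued_vm = NULL;
    if (vm)
        rebind_work_func(vm);
}

static struct vm *vm_create(int preempt_mode)
{
    struct vm *vm = calloc(1, sizeof(*vm));
    vm->magic = VM_MAGIC;
    vm->refcount = 1;
    vm->size = 1;
    vm->preempt_mode = preempt_mode;
    return vm;
}

/* xe_vm_close_and_put() analogue: mark closed and flush the worker. */
static void vm_close(struct vm *vm)
{
    vm->size = 0;
    flush_rebind_work(vm);
}

/* vm_destroy_work_func() analogue; with_fix adds the patch's second flush. */
static void vm_destroy(struct vm *vm, int with_fix)
{
    if (with_fix && vm->preempt_mode)
        flush_rebind_work(vm);
    vm->magic = VM_POISON;   /* stand-in for kfree(vm); memory kept for observation */
}

/* Returns 1 if the stale worker ran against a destroyed vm, else 0. */
static int run_scenario(int with_fix)
{
    struct vm *vm = vm_create(1);
    uaf_detected = 0;
    queued_vm = NULL;

    vm_close(vm);              /* close-time flush, worker idle afterwards */
    queue_rebind_work(vm);     /* ref holder re-arms it after the close */
    if (--vm->refcount == 0)   /* last reference dropped */
        vm_destroy(vm, with_fix);
    run_workqueue();           /* queued work runs after the vm is gone */
    free(vm);
    return uaf_detected;
}

int main(void)
{
    printf("without fix: stale worker ran on destroyed vm = %d\n", run_scenario(0));
    printf("with fix:    stale worker ran on destroyed vm = %d\n", run_scenario(1));
    return 0;
}
```

Without the second flush the queued item survives the close-time flush and runs after teardown; with the flush placed at refcount zero, nothing can re-arm the worker afterwards because no reference remains to do so, which is exactly the invariant the v2 note relies on.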
Thread overview:
2024-04-23 7:47 [PATCH 1/2] Revert "drm/xe/vm: drop vm->destroy_work" Matthew Auld
2024-04-23 7:47 ` [PATCH 2/2] drm/xe/vm: prevent UAF in rebind_work_func() Matthew Auld
2024-04-24 3:45 ` Matthew Brost [this message]
2024-04-23 7:53 ` ✓ CI.Patch_applied: success for series starting with [1/2] Revert "drm/xe/vm: drop vm->destroy_work" Patchwork
2024-04-23 7:53 ` ✓ CI.checkpatch: " Patchwork
2024-04-23 7:54 ` ✓ CI.KUnit: " Patchwork
2024-04-23 8:08 ` ✓ CI.Build: " Patchwork
2024-04-23 8:12 ` ✓ CI.Hooks: " Patchwork
2024-04-23 8:14 ` ✓ CI.checksparse: " Patchwork
2024-04-23 12:07 ` ✓ CI.FULL: " Patchwork
2024-04-23 16:03 ` ✓ CI.Patch_applied: success for series starting with [1/2] Revert "drm/xe/vm: drop vm->destroy_work" (rev2) Patchwork
2024-04-23 16:04 ` ✓ CI.checkpatch: " Patchwork
2024-04-23 16:05 ` ✓ CI.KUnit: " Patchwork
2024-04-23 16:17 ` ✓ CI.Build: " Patchwork
2024-04-23 16:20 ` ✓ CI.Hooks: " Patchwork
2024-04-23 16:22 ` ✓ CI.checksparse: " Patchwork
2024-04-23 16:44 ` ✓ CI.BAT: " Patchwork
2024-04-24 1:11 ` ✓ CI.FULL: " Patchwork
2024-04-24 3:44 ` [PATCH 1/2] Revert "drm/xe/vm: drop vm->destroy_work" Matthew Brost