From: Simona Vetter <simona.vetter@ffwll.ch>
To: "Adrián Larumbe" <adrian.larumbe@collabora.com>
Cc: Simona Vetter <simona.vetter@ffwll.ch>,
DRI Development <dri-devel@lists.freedesktop.org>,
intel-xe@lists.freedesktop.org,
Boris Brezillon <boris.brezillon@collabora.com>,
Steven Price <steven.price@arm.com>,
Liviu Dudau <liviu.dudau@arm.com>,
Simona Vetter <simona.vetter@intel.com>
Subject: Re: [PATCH 3/8] drm/panthor: Fix UAF in panthor_gem_create_with_handle() debugfs code
Date: Mon, 2 Jun 2025 16:46:01 +0200 [thread overview]
Message-ID: <aD25KVnitkhn6blT@phenom.ffwll.local> (raw)
In-Reply-To: <jq6d2nxsp7g6sq2uo4bknqgfod7ssdoqyvtlorpq2xij2ikgjc@6y64ebpjeq7p>
On Sun, Jun 01, 2025 at 03:06:15PM +0100, Adrián Larumbe wrote:
> Hi Simona,
>
> On 28.05.2025 11:13, Simona Vetter wrote:
> > The object is potentially already gone after the drm_gem_object_put().
> > In general the object should be fully constructed before calling
> > drm_gem_handle_create(), except the debugfs tracking uses a separate
> > lock and list and separate flag to denotate whether the object is
> > actually initilized.
> >
> > Since I'm touching this all anyway simplify this by only adding the
> > object to the debugfs when it's ready for that, which allows us to
> > delete that separate flag. panthor_gem_debugfs_bo_rm() already checks
> > whether we've actually been added to the list or this is some error
> > path cleanup.
> >
> > Fixes: a3707f53eb3f ("drm/panthor: show device-wide list of DRM GEM objects over DebugFS")
> > Cc: Adrián Larumbe <adrian.larumbe@collabora.com>
> > Cc: Boris Brezillon <boris.brezillon@collabora.com>
> > Cc: Steven Price <steven.price@arm.com>
> > Cc: Liviu Dudau <liviu.dudau@arm.com>
> > Signed-off-by: Simona Vetter <simona.vetter@intel.com>
> > Signed-off-by: Simona Vetter <simona.vetter@ffwll.ch>
> > ---
> > drivers/gpu/drm/panthor/panthor_gem.c | 31 +++++++++++++--------------
> > drivers/gpu/drm/panthor/panthor_gem.h | 3 ---
> > 2 files changed, 15 insertions(+), 19 deletions(-)
> >
> > diff --git a/drivers/gpu/drm/panthor/panthor_gem.c b/drivers/gpu/drm/panthor/panthor_gem.c
> > index 7c00fd77758b..f334444cb5df 100644
> > --- a/drivers/gpu/drm/panthor/panthor_gem.c
> > +++ b/drivers/gpu/drm/panthor/panthor_gem.c
> > @@ -16,9 +16,11 @@
> > #include "panthor_mmu.h"
> >
> > #ifdef CONFIG_DEBUG_FS
> > -static void panthor_gem_debugfs_bo_add(struct panthor_device *ptdev,
> > - struct panthor_gem_object *bo)
> > +static void panthor_gem_debugfs_bo_add(struct panthor_gem_object *bo)
> > {
> > + struct panthor_device *ptdev = container_of(bo->base.base.dev,
> > + struct panthor_device, base);
> > +
> > INIT_LIST_HEAD(&bo->debugfs.node);
> >
> > bo->debugfs.creator.tgid = current->group_leader->pid;
> > @@ -44,12 +46,10 @@ static void panthor_gem_debugfs_bo_rm(struct panthor_gem_object *bo)
> >
> > static void panthor_gem_debugfs_set_usage_flags(struct panthor_gem_object *bo, u32 usage_flags)
> > {
> > - bo->debugfs.flags = usage_flags | PANTHOR_DEBUGFS_GEM_USAGE_FLAG_INITIALIZED;
> > + bo->debugfs.flags = usage_flags;
> > + panthor_gem_debugfs_bo_add(bo);
> > }
> > #else
> > -static void panthor_gem_debugfs_bo_add(struct panthor_device *ptdev,
> > - struct panthor_gem_object *bo)
> > -{}
> > static void panthor_gem_debugfs_bo_rm(struct panthor_gem_object *bo) {}
> > static void panthor_gem_debugfs_set_usage_flags(struct panthor_gem_object *bo, u32 usage_flags) {}
> > #endif
> > @@ -246,7 +246,7 @@ struct drm_gem_object *panthor_gem_create_object(struct drm_device *ddev, size_t
> > drm_gem_gpuva_set_lock(&obj->base.base, &obj->gpuva_list_lock);
> > mutex_init(&obj->label.lock);
> >
> > - panthor_gem_debugfs_bo_add(ptdev, obj);
> > + INIT_LIST_HEAD(&obj->debugfs.node);
>
> This is going to break builds with no DebugFS support.
Oops, forgot to build-test this. Note that runtime testing would be good,
I don't have the hw for that. Or can some CI pick this up somewhere?
> > return &obj->base.base;
> > }
> > @@ -285,6 +285,12 @@ panthor_gem_create_with_handle(struct drm_file *file,
> > bo->base.base.resv = bo->exclusive_vm_root_gem->resv;
> > }
> >
> > + /*
> > + * No explicit flags are needed in the call below, since the
> > + * function internally sets the INITIALIZED bit for us.
> > + */
>
> If we got rid of the INITIALIZED usage flag, then this comment should also be reworded.
Will also fix this for v2.
>
> > + panthor_gem_debugfs_set_usage_flags(bo, 0);
> > +
> > /*
> > * Allocate an id of idr table where the obj is registered
> > * and handle has the id what user can see.
> > @@ -296,12 +302,6 @@ panthor_gem_create_with_handle(struct drm_file *file,
> > /* drop reference from allocate - handle holds it now. */
> > drm_gem_object_put(&shmem->base);
> >
> > - /*
> > - * No explicit flags are needed in the call below, since the
> > - * function internally sets the INITIALIZED bit for us.
> > - */
> > - panthor_gem_debugfs_set_usage_flags(bo, 0);
> > -
> > return ret;
> > }
> >
> > @@ -387,7 +387,7 @@ static void panthor_gem_debugfs_bo_print(struct panthor_gem_object *bo,
> > unsigned int refcount = kref_read(&bo->base.base.refcount);
> > char creator_info[32] = {};
> > size_t resident_size;
> > - u32 gem_usage_flags = bo->debugfs.flags & (u32)~PANTHOR_DEBUGFS_GEM_USAGE_FLAG_INITIALIZED;
> > + u32 gem_usage_flags = bo->debugfs.flags;
> > u32 gem_state_flags = 0;
> >
> > /* Skip BOs being destroyed. */
> > @@ -436,8 +436,7 @@ void panthor_gem_debugfs_print_bos(struct panthor_device *ptdev,
> >
> > scoped_guard(mutex, &ptdev->gems.lock) {
> > list_for_each_entry(bo, &ptdev->gems.node, debugfs.node) {
> > - if (bo->debugfs.flags & PANTHOR_DEBUGFS_GEM_USAGE_FLAG_INITIALIZED)
> > - panthor_gem_debugfs_bo_print(bo, m, &totals);
> > + panthor_gem_debugfs_bo_print(bo, m, &totals);
> > }
> > }
> >
> > diff --git a/drivers/gpu/drm/panthor/panthor_gem.h b/drivers/gpu/drm/panthor/panthor_gem.h
> > index 4dd732dcd59f..8fc7215e9b90 100644
> > --- a/drivers/gpu/drm/panthor/panthor_gem.h
> > +++ b/drivers/gpu/drm/panthor/panthor_gem.h
> > @@ -35,9 +35,6 @@ enum panthor_debugfs_gem_usage_flags {
> >
> > /** @PANTHOR_DEBUGFS_GEM_USAGE_FLAG_FW_MAPPED: BO is mapped on the FW VM. */
> > PANTHOR_DEBUGFS_GEM_USAGE_FLAG_FW_MAPPED = BIT(PANTHOR_DEBUGFS_GEM_USAGE_FW_MAPPED_BIT),
> > -
> > - /** @PANTHOR_DEBUGFS_GEM_USAGE_FLAG_INITIALIZED: BO is ready for DebugFS display. */
> > - PANTHOR_DEBUGFS_GEM_USAGE_FLAG_INITIALIZED = BIT(31),
> > };
> >
> > /**
> > --
> > 2.49.0
>
> There's a Panfrost port of the functionality this patch fixes pending merge into drm-misc,
> so I should probably ask either Boris or Steven to hold off on merging them till I've made
> sure there's no potential UAF in it.
The important part is to do all init before the call to gem_object_put(),
that prevents the UAF. Doing all init before handle_create() is just nice
on top, since that aligns with the core design and avoids the need for a
separate init flag (for which you're at least missing the right memory
barriers here).
Thanks for your comments.
-Sima
--
Simona Vetter
Software Engineer, Intel Corporation
http://blog.ffwll.ch
next prev parent reply other threads:[~2025-06-02 14:46 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-05-28 9:12 [PATCH 0/8] drm/gem: Audit around handle_create races Simona Vetter
2025-05-28 9:12 ` [PATCH 1/8] drm/gem: Fix race in drm_gem_handle_create_tail() Simona Vetter
2025-05-28 9:26 ` Simona Vetter
2025-05-28 13:20 ` Jacek Lawrynowicz
2025-06-02 15:15 ` Thomas Zimmermann
2025-06-03 11:45 ` Simona Vetter
2025-06-03 12:40 ` Thomas Zimmermann
2025-06-04 9:02 ` Simona Vetter
2025-05-28 9:13 ` [PATCH 2/8] drm/fdinfo: Switch to idr_for_each() in drm_show_memory_stats() Simona Vetter
2025-05-28 9:22 ` Simona Vetter
2025-05-28 20:10 ` kernel test robot
2025-05-28 9:13 ` [PATCH 3/8] drm/panthor: Fix UAF in panthor_gem_create_with_handle() debugfs code Simona Vetter
2025-05-29 12:31 ` kernel test robot
2025-06-01 14:06 ` Adrián Larumbe
2025-06-02 14:46 ` Simona Vetter [this message]
2025-05-28 9:13 ` [PATCH 4/8] accel/qaic: delete qaic_bo.handle Simona Vetter
2025-05-28 15:15 ` Jeff Hugo
2025-06-02 14:43 ` Simona Vetter
2025-06-03 14:43 ` Jeff Hugo
2025-06-06 16:25 ` Jeff Hugo
2025-05-28 9:13 ` [PATCH 5/8] drm/amd/kfd: Add comment about possible drm_gem_handle_create() race Simona Vetter
2025-05-28 9:13 ` [PATCH 6/8] drm/amdgpu: Add comments about drm_file.object_idr issues Simona Vetter
2025-05-28 9:22 ` Simona Vetter
2025-05-28 9:13 ` [PATCH 7/8] drm/vmwgfx: " Simona Vetter
2025-05-28 9:23 ` Simona Vetter
2025-05-28 9:13 ` [PATCH 8/8] drm/xe: " Simona Vetter
2025-05-28 9:24 ` Simona Vetter
2025-05-28 9:19 ` ✓ CI.Patch_applied: success for drm/gem: Audit around handle_create races Patchwork
2025-05-28 9:20 ` ✗ CI.checkpatch: warning " Patchwork
2025-05-28 9:21 ` ✓ CI.KUnit: success " Patchwork
2025-05-28 9:24 ` ✗ CI.Build: failure " Patchwork
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aD25KVnitkhn6blT@phenom.ffwll.local \
--to=simona.vetter@ffwll.ch \
--cc=adrian.larumbe@collabora.com \
--cc=boris.brezillon@collabora.com \
--cc=dri-devel@lists.freedesktop.org \
--cc=intel-xe@lists.freedesktop.org \
--cc=liviu.dudau@arm.com \
--cc=simona.vetter@intel.com \
--cc=steven.price@arm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.