Re: [PATCH] drm: fix send_vblank_event use-after-free error

From: Daniel Vetter <daniel@ffwll.ch>
To: Matthew Auld <matthew.auld@intel.com>
Cc: Daniel Vetter <daniel.vetter@intel.com>,
	intel-gfx@lists.freedesktop.org, dri-devel@lists.freedesktop.org
Subject: Re: [PATCH] drm: fix send_vblank_event use-after-free error
Date: Mon, 20 Jun 2016 21:18:51 +0200	[thread overview]
Message-ID: <20160620191851.GL23520@phenom.ffwll.local> (raw)
In-Reply-To: <1466440966-5410-1-git-send-email-matthew.auld@intel.com>

On Mon, Jun 20, 2016 at 05:42:46PM +0100, Matthew Auld wrote:
> The drm_pending_event can be freed by drm_send_event_locked, as a
> result we should call trace_drm_vblank_event_delivered before this
> to avoid hitting a user-after-free error when accessing the pid member:
> 
> [  378.438497] BUG: KASAN: use-after-free in send_vblank_event+0xf0/0x310 [drm] at addr ffff8801ac7e50a0
> [  378.438500] Read of size 4 by task Xorg/1562
> [  378.438501] =============================================================================
> [  378.438504] BUG kmalloc-128 (Tainted: G    B          ): kasan: bad access detected
> [  378.438506] -----------------------------------------------------------------------------
> 
> [  378.438509] INFO: Freed in 0x10001309c age=18446737369265680575 cpu=0 pid=0
> [  378.438541]  drm_send_event_locked+0x207/0x2f0 [drm]
> [  378.438544]  __slab_free+0x24c/0x650
> [  378.438546]  kfree+0x3a2/0x760
> [  378.438578]  drm_send_event_locked+0x207/0x2f0 [drm]
> [  378.438610]  send_vblank_event+0xb7/0x310 [drm]
> [  378.438643]  drm_crtc_send_vblank_event+0x130/0x1f0 [drm]
> [  378.438722]  intel_atomic_commit_tail+0x23b5/0x53f0 [i915]
> [  378.438802]  intel_atomic_commit+0xbae/0x12f0 [i915]
> [  378.438839]  drm_atomic_commit+0xb0/0x120 [drm]
> [  378.438855]  drm_atomic_helper_connector_dpms+0x339/0x5d0 [drm_kms_helper]
> [  378.438891]  drm_mode_obj_set_property_ioctl+0x8f1/0xcc0 [drm]
> [  378.438927]  drm_mode_connector_property_set_ioctl+0xf3/0x170 [drm]
> [  378.438959]  drm_ioctl+0x2d7/0xae0 [drm]
> [  378.438962]  do_vfs_ioctl+0x1c9/0x1280
> [  378.438964]  SyS_ioctl+0x79/0x90
> [  378.438967]  entry_SYSCALL_64_fastpath+0x1a/0xa4
> 
> Cc: dri-devel@lists.freedesktop.org
> Cc: Daniel Vetter <daniel.vetter@intel.com>
> Signed-off-by: Matthew Auld <matthew.auld@intel.com>

Nice catch, applied to drm-misc.

Thanks, Daniel

> ---
>  drivers/gpu/drm/drm_irq.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/gpu/drm/drm_irq.c b/drivers/gpu/drm/drm_irq.c
> index 76e39c5..8ca3d2b 100644
> --- a/drivers/gpu/drm/drm_irq.c
> +++ b/drivers/gpu/drm/drm_irq.c
> @@ -994,10 +994,10 @@ static void send_vblank_event(struct drm_device *dev,
>  	e->event.tv_sec = now->tv_sec;
>  	e->event.tv_usec = now->tv_usec;
>  
> -	drm_send_event_locked(dev, &e->base);
> -
>  	trace_drm_vblank_event_delivered(e->base.pid, e->pipe,
>  					 e->event.sequence);
> +
> +	drm_send_event_locked(dev, &e->base);
>  }
>  
>  /**
> -- 
> 2.5.5
> 
> _______________________________________________
> Intel-gfx mailing list
> Intel-gfx@lists.freedesktop.org
> https://lists.freedesktop.org/mailman/listinfo/intel-gfx

-- 
Daniel Vetter
Software Engineer, Intel Corporation
http://blog.ffwll.ch
_______________________________________________
Intel-gfx mailing list
Intel-gfx@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/intel-gfx