From: Sebastian Brzezinka <sebastian.brzezinka@intel.com>
To: Janusz Krzysztofik <janusz.krzysztofik@linux.intel.com>,
<intel-gfx@lists.freedesktop.org>
Cc: dri-devel@lists.freedesktop.org,
"Jani Nikula" <jani.nikula@linux.intel.com>,
"Joonas Lahtinen" <joonas.lahtinen@linux.intel.com>,
"Rodrigo Vivi" <rodrigo.vivi@intel.com>,
"Tvrtko Ursulin" <tursulin@ursulin.net>,
"Simona Vetter" <simona@ffwll.ch>,
"Chris Wilson" <chris.p.wilson@intel.com>,
"Ville Syrjälä" <ville.syrjala@linux.intel.com>,
"Andi Shyti" <andi.shyti@linux.intel.com>,
"Krzysztof Karas" <krzysztof.karas@intel.com>,
"Krzysztof Niemiec" <krzysztof.niemiec@intel.com>,
"Sebastian Brzezinka" <sebastian.brzezinka@intel.com>
Subject: Re: [PATCH] drm/i915: Fix VMA UAF in execbuf setup
Date: Wed, 15 Apr 2026 14:24:27 +0200 [thread overview]
Message-ID: <DHTQ5KJVKH6P.38S6Z11FUX4DU@intel.com> (raw)
In-Reply-To: <20260414195834.115460-2-janusz.krzysztofik@linux.intel.com>
On Tue Apr 14, 2026 at 9:57 PM CEST, Janusz Krzysztofik wrote:
> We now depend on RCU protection when looking up VMAs associated with GEM
> objects of an execbuf task in a radix tree based lookup table of a user
> GEM context for that execbuf. That's not sufficient. While the radix
> tree itself, as well as GEM objects, freed by RCU, are safe, VMA items are
> not, and memory they occupy can be freed concurrently if another thread is
> doing a cleanup.
>
> [550.183466] Oops: general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6b6b: 0000 [#1] SMP PTI
> [550.183490] CPU: 6 UID: 0 PID: 18815 Comm: gem_reloc_race Tainted: G S U L N 7.0.0-CI_DRM_18329-g4e3f5ea9aacc+ #1 PREEMPT(lazy)
> [550.183508] Tainted: [S]=CPU_OUT_OF_SPEC, [U]=USER, [L]=SOFTLOCKUP, [N]=TEST
> [550.183517] Hardware name: Dell Inc. XPS 8300 /0Y2MRG, BIOS A06 10/17/2011
> [550.183527] RIP: 0010:eb_lookup_vma+0x89/0x770 [i915]
> [550.183909] Code: 00 00 00 49 8b 44 24 38 4c 89 f6 48 8d b8 20 02 00 00 e8 1a 65 c2 e1 48 89 c3 48 85 c0 0f 84 c8 00 00 00 48 8b b8 c0 00 00 00 <8b> 17 85 d2 0f 84 b7 00 00 00 8d 4a 01 89 d0 f0 0f b1 0f 0f 85 53
> [550.183928] RSP: 0018:ffffc90001aeb7e8 EFLAGS: 00010282
> [550.183938] RAX: ffff888175b4cb40 RBX: ffff888175b4cb40 RCX: 0000000000000000
> [550.183948] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 6b6b6b6b6b6b6b6b
> [550.183957] RBP: ffffc90001aeb848 R08: 0000000000000000 R09: 0000000000000000
> [550.183966] R10: 0000000000000000 R11: 0000000000000000 R12: ffffc90001aeb8b8
> [550.183975] R13: 0000000000000003 R14: 0000000000000003 R15: ffffffffa0ced6f2
> [550.183984] FS: 00007a83cce026c0(0000) GS:ffff8882a3997000(0000) knlGS:0000000000000000
> [550.183995] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [550.184004] CR2: 00007b5f1317e428 CR3: 0000000179690003 CR4: 00000000000626f0
> [550.184016] Call Trace:
> [550.184021] <TASK>
> [550.184031] i915_gem_do_execbuffer+0xc84/0x36e0 [i915]
> [550.184362] ? lock_release+0xd0/0x2b0
> [550.184376] ? is_bpf_text_address+0x74/0x140
> [550.184387] ? kernel_text_address+0x139/0x150
> [550.184398] ? unwind_get_return_address+0x25/0x50
> [550.184410] ? __lock_acquire+0x43e/0x2790
> [550.184421] ? stack_depot_save_flags+0x28/0x960
> [550.184435] ? __lock_acquire+0x43e/0x2790
> [550.184446] ? find_held_lock+0x31/0x90
> [550.184455] ? __create_object+0x68/0xc0
> [550.184470] ? lock_acquire+0xc4/0x2f0
> [550.184479] ? find_held_lock+0x31/0x90
> [550.184489] ? __might_fault+0x53/0xb0
> [550.184505] i915_gem_execbuffer2_ioctl+0x169/0x320 [i915]
>
> Protect a VMA item retrieved from the context lookup table with a mutex
> associated with that table while taking a reference to an underlying GEM
> object.
>
> Fixes: f7ce8639f6ff7 ("drm/i915/gem: Split the context's obj:vma lut into its own mutex")
> Cc: stable@vger.kernel.org # v5.9+
> Signed-off-by: Janusz Krzysztofik <janusz.krzysztofik@linux.intel.com>
> ---
Reviewed-by: Sebastian Brzezinka <sebastian.brzezinka@intel.com>
--
Best regards,
Sebastian
prev parent reply other threads:[~2026-04-15 12:24 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-14 19:57 [PATCH] drm/i915: Fix VMA UAF in execbuf setup Janusz Krzysztofik
2026-04-14 20:53 ` ✓ i915.CI.BAT: success for " Patchwork
2026-04-15 5:41 ` ✓ i915.CI.Full: " Patchwork
2026-04-15 10:49 ` [PATCH] " Andi Shyti
2026-04-15 12:24 ` Sebastian Brzezinka [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=DHTQ5KJVKH6P.38S6Z11FUX4DU@intel.com \
--to=sebastian.brzezinka@intel.com \
--cc=andi.shyti@linux.intel.com \
--cc=chris.p.wilson@intel.com \
--cc=dri-devel@lists.freedesktop.org \
--cc=intel-gfx@lists.freedesktop.org \
--cc=jani.nikula@linux.intel.com \
--cc=janusz.krzysztofik@linux.intel.com \
--cc=joonas.lahtinen@linux.intel.com \
--cc=krzysztof.karas@intel.com \
--cc=krzysztof.niemiec@intel.com \
--cc=rodrigo.vivi@intel.com \
--cc=simona@ffwll.ch \
--cc=tursulin@ursulin.net \
--cc=ville.syrjala@linux.intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox