Re: [Intel-xe] [PATCH v3 0/2] drm/tests: Fix for UAF and a test for drm_exec lock alloc tracking warning

Intel-XE Archive on lore.kernel.org
 help / color / mirror / Atom feed

From: "Christian König" <christian.koenig@amd.com>
To: "Thomas Hellström" <thomas.hellstrom@linux.intel.com>,
	intel-xe@lists.freedesktop.org, dri-devel@lists.freedesktop.org
Cc: Maxime Ripard <mripard@kernel.org>
Subject: Re: [Intel-xe] [PATCH v3 0/2] drm/tests: Fix for UAF and a test for drm_exec lock alloc tracking warning
Date: Fri, 8 Sep 2023 10:52:18 +0200	[thread overview]
Message-ID: <ab9f3c50-8098-bbbf-50e2-a1ba63595a47@amd.com> (raw)
In-Reply-To: <84b2736f-c225-1421-f245-2de042345dea@linux.intel.com>

Am 08.09.23 um 09:37 schrieb Thomas Hellström:
> Hi,
>
> On 9/7/23 16:49, Christian König wrote:
>> Am 07.09.23 um 16:47 schrieb Thomas Hellström:
>>> Hi,
>>>
>>> On 9/7/23 16:37, Christian König wrote:
>>>> Am 07.09.23 um 15:53 schrieb Thomas Hellström:
>>>>> While trying to replicate a weird drm_exec lock alloc tracking 
>>>>> warning
>>>>> using the drm_exec kunit test, the warning was shadowed by a UAF 
>>>>> warning
>>>>> from KASAN due to a bug in the drm kunit helpers.
>>>>>
>>>>> Patch 1 fixes that drm kunit UAF.
>>>>> Patch 2 introduces a drm_exec kunit subtest that fails if the 
>>>>> conditions
>>>>>        for the weird warning are met.
>>>>>
>>>>> The series previously also had a patch with a drm_exec workaround 
>>>>> for the
>>>>> warning but that patch has already been commited to 
>>>>> drm_misc_next_fixes.
>>>>
>>>> Thinking more about this what happens when somebody calls 
>>>> drm_exec_unlock_obj() on the first locked object?
>>>>
>>> Essentially the same thing. I've been thinking of the best way to 
>>> handle that, but not sure what's the best one.
>>
>> Well what does lockdep store in that object in the first place? Could 
>> we fix that somehow?
>
> Lockdep maintains an array of held locks (lock classes) for each task. 
> Upon freeing, that list is traversed to see if the address matches the 
> stored memory address. This also has the interesting side effect that 
> IICR dma_resv_assert_held() checks if *any* dma_resv is held....
>
> Ideally each object would have its own class instance, but I think 
> some applications would then exhaust the array size.

IIRC Daniel once explained to me that he designed lockdep for ww_mutexes 
like this for some reason, but I don't remember the details any more.

Maybe lockdep wouldn't otherwise be able to deal with the fact that you 
could lock them in any order or something like that.

>
>
> I'll dig a bit deeper into this.
>
>
> Meanwhile for the unlock problem, looking at how the unlocks are used 
> in i915 it's typically locks that are grabbed during eviction and 
> released again once validation of a single object succeeded. The risk 
> of them ending up at the first lock is small, unless they are 
> prelocked as the contended lock. But for these "temporary" objects, 
> the prelocked lock is immediately dropped after locking and are only 
> used to find something suitable to wait for to relax the ww transaction.

Yeah, I don't see this as an use case in reality. It's more of a "what 
if?" thing.

>
> If we were to implement something similar in drm_exec, we'd need an 
> interface to mark an object as "temporary" when locking, and make sure 
> we drop those objects if they end up as "prelocked". Personally I 
> think this solution works well and would be my preferred choice.
>
> Yet another alternative would be to keep a reference even of the 
> unlocked objects...
>
> But these workarounds ofc only push the problem out of drm_exec. Users 
> of raw dma-resv or ww mutexes would still wonder what's going on.

Agree, completely. This is really a bug in lockdep or rather how we 
designed to implement ww_mutexes in lockdep and should therefore be 
fixed there I think.

Christian.

>
> /Thomas
>
>
>
>>
>> Christian.
>>
>>>
>>> /Thomas
>>>
>>>
>>>> Christian.
>>>>
>>>>>
>>>>> v2:
>>>>> - Rewording of commit messages
>>>>> - Add some commit message tags
>>>>> v3:
>>>>> - Remove an already committed patch
>>>>> - Rework the test to not require dmesg inspection (Maxime Ripard)
>>>>> - Condition the test on CONFIG_LOCK_ALLOC
>>>>> - Update code comments and commit messages (Maxime Ripard)
>>>>>
>>>>> Cc: Maxime Ripard <mripard@kernel.org>
>>>>> Cc: Christian König <christian.koenig@amd.com>
>>>>>
>>>>> Thomas Hellström (2):
>>>>>    drm/tests: helpers: Avoid a driver uaf
>>>>>    drm/tests/drm_exec: Add a test for object freeing within
>>>>>      drm_exec_fini()
>>>>>
>>>>>   drivers/gpu/drm/tests/drm_exec_test.c | 82 
>>>>> +++++++++++++++++++++++++++
>>>>>   include/drm/drm_kunit_helpers.h       |  4 +-
>>>>>   2 files changed, 85 insertions(+), 1 deletion(-)
>>>>>
>>>>
>>

next prev parent reply	other threads:[~2023-09-08  8:52 UTC|newest]

Thread overview: 24+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-09-07 13:53 [Intel-xe] [PATCH v3 0/2] drm/tests: Fix for UAF and a test for drm_exec lock alloc tracking warning Thomas Hellström
2023-09-07 13:53 ` [Intel-xe] [PATCH v3 1/2] drm/tests: helpers: Avoid a driver uaf Thomas Hellström
2023-09-07 14:50   ` Maxime Ripard
2023-09-11 12:40   ` Francois Dugast
2023-09-11 13:04     ` Thomas Hellström
2023-09-14 11:59   ` [Intel-xe] (subset) " Maxime Ripard
2023-09-07 13:53 ` [Intel-xe] [PATCH v3 2/2] drm/tests/drm_exec: Add a test for object freeing within drm_exec_fini() Thomas Hellström
2023-09-07 14:52   ` Maxime Ripard
2023-09-07 14:37 ` [Intel-xe] [PATCH v3 0/2] drm/tests: Fix for UAF and a test for drm_exec lock alloc tracking warning Christian König
2023-09-07 14:47   ` Thomas Hellström
2023-09-07 14:49     ` Christian König
2023-09-08  7:37       ` Thomas Hellström
2023-09-08  8:52         ` Christian König [this message]
2023-09-08  9:04           ` Thomas Hellström
2023-09-08  9:14             ` Christian König
2023-09-08 11:13               ` Thomas Hellström
2023-09-08 14:31                 ` Thomas Hellström
2023-09-07 23:49 ` [Intel-xe] ✓ CI.Patch_applied: success for " Patchwork
2023-09-07 23:49 ` [Intel-xe] ✗ CI.checkpatch: warning " Patchwork
2023-09-07 23:50 ` [Intel-xe] ✓ CI.KUnit: success " Patchwork
2023-09-07 23:57 ` [Intel-xe] ✓ CI.Build: " Patchwork
2023-09-07 23:57 ` [Intel-xe] ✓ CI.Hooks: " Patchwork
2023-09-07 23:59 ` [Intel-xe] ✓ CI.checksparse: " Patchwork
2023-09-08  0:30 ` [Intel-xe] ✓ CI.BAT: " Patchwork

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=ab9f3c50-8098-bbbf-50e2-a1ba63595a47@amd.com \
    --to=christian.koenig@amd.com \
    --cc=dri-devel@lists.freedesktop.org \
    --cc=intel-xe@lists.freedesktop.org \
    --cc=mripard@kernel.org \
    --cc=thomas.hellstrom@linux.intel.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox