From: "Nilawar, Badal" <badal.nilawar@intel.com>
To: Matthew Auld <matthew.auld@intel.com>, <intel-xe@lists.freedesktop.org>
Cc: Matthew Brost <matthew.brost@intel.com>, <stable@vger.kernel.org>
Subject: Re: [PATCH v2 1/4] drm/xe/ct: prevent UAF in send_recv()
Date: Tue, 1 Oct 2024 18:52:20 +0530
Message-ID: <d48a4b1e-209d-4e16-b9df-4ab73e5055b8@intel.com>
In-Reply-To: <20241001084346.98516-5-matthew.auld@intel.com>
On 01-10-2024 14:13, Matthew Auld wrote:
> Ensure we serialize with completion side to prevent UAF with fence going
> out of scope on the stack, since we have no clue if it will fire after
> the timeout before we can erase from the xa. Also we have some dependent
> loads and stores for which we need the correct ordering, and we lack the
> needed barriers. Fix this by grabbing the ct->lock after the wait, which
> is also held by the completion side.
>
> v2 (Badal):
> - Also print done after acquiring the lock and seeing timeout.
>
> Fixes: dd08ebf6c352 ("drm/xe: Introduce a new DRM driver for Intel GPUs")
> Signed-off-by: Matthew Auld <matthew.auld@intel.com>
> Cc: Matthew Brost <matthew.brost@intel.com>
> Cc: Badal Nilawar <badal.nilawar@intel.com>
> Cc: <stable@vger.kernel.org> # v6.8+
> ---
> drivers/gpu/drm/xe/xe_guc_ct.c | 21 ++++++++++++++++++---
> 1 file changed, 18 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/gpu/drm/xe/xe_guc_ct.c b/drivers/gpu/drm/xe/xe_guc_ct.c
> index 4b95f75b1546..44263b3cd8c7 100644
> --- a/drivers/gpu/drm/xe/xe_guc_ct.c
> +++ b/drivers/gpu/drm/xe/xe_guc_ct.c
> @@ -903,16 +903,26 @@ static int guc_ct_send_recv(struct xe_guc_ct *ct, const u32 *action, u32 len,
> }
>
> ret = wait_event_timeout(ct->g2h_fence_wq, g2h_fence.done, HZ);
> +
> + /*
> + * Ensure we serialize with completion side to prevent UAF with fence going out of scope on
> + * the stack, since we have no clue if it will fire after the timeout before we can erase
> + * from the xa. Also we have some dependent loads and stores below for which we need the
> + * correct ordering, and we lack the needed barriers.
> + */
> + mutex_lock(&ct->lock);
> if (!ret) {
> - xe_gt_err(gt, "Timed out wait for G2H, fence %u, action %04x",
> - g2h_fence.seqno, action[0]);
> + xe_gt_err(gt, "Timed out wait for G2H, fence %u, action %04x, done %s",
> + g2h_fence.seqno, action[0], str_yes_no(g2h_fence.done));
> xa_erase_irq(&ct->fence_lookup, g2h_fence.seqno);
> + mutex_unlock(&ct->lock);
> return -ETIME;
> }
>
> if (g2h_fence.retry) {
> xe_gt_dbg(gt, "H2G action %#x retrying: reason %#x\n",
> action[0], g2h_fence.reason);
> + mutex_unlock(&ct->lock);
> goto retry;
> }
> if (g2h_fence.fail) {
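Review bot: In the `if (!ret)` branch, `g2h_fence.done` is now read under `ct->lock` but only feeds the log message, so a reply that lands between the end of the wait and `mutex_lock()` is logged as "done yes" and still returned as -ETIME. If that is intended, a one-line comment in the branch saying a late completion is deliberately treated as a timeout would save the next reader from wondering. Otherwise, check `g2h_fence.done` there and fall through to the normal response handling. Smaller points on the same lines: the updated `xe_gt_err()` format string has no trailing "\n" while the `xe_gt_dbg()` just below it does, and the function now has separate `mutex_unlock()` calls on the timeout and retry paths plus the one at the end, which a single unlock label would make harder to miss when another exit is added.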
> @@ -921,7 +931,12 @@ static int guc_ct_send_recv(struct xe_guc_ct *ct, const u32 *action, u32 len,
> ret = -EIO;
> }
>
> - return ret > 0 ? response_buffer ? g2h_fence.response_len : g2h_fence.response_data : ret;
> + if (ret > 0)
> + ret = response_buffer ? g2h_fence.response_len : g2h_fence.response_data;
> +
> + mutex_unlock(&ct->lock);
> +
> + return ret;
> }
Reviewed-by: Badal Nilawar <badal.nilawar@intel.com>
Regards,
Badal
>
> /**
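Review bot: At `if (ret > 0)`, `ret` still holds the `wait_event_timeout()` result and is then overwritten with `g2h_fence.response_len` or `g2h_fence.response_data`, so one variable carries the wait result, the -EIO error and the payload in turn. The replacement of the nested ternary is a clear improvement, but a separate local for the wait result would make the success test read as what it is. It would also help to note beside the final `mutex_unlock(&ct->lock)` that the reads of `g2h_fence.response_len` / `g2h_fence.response_data` are what the lock is ordering, so a later cleanup does not move the unlock above them.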