[PATCH 2/2] drm/xe/vm: prevent UAF in rebind_work

public inbox for stable@vger.kernel.org
 help / color / mirror / Atom feed

* [PATCH 2/2] drm/xe/vm: prevent UAF in rebind_work_func()
       [not found] <20240423074721.119633-3-matthew.auld@intel.com>
@ 2024-04-23  7:47 ` Matthew Auld
  2024-04-24  3:45   ` Matthew Brost
  0 siblings, 1 reply; 2+ messages in thread
From: Matthew Auld @ 2024-04-23  7:47 UTC (permalink / raw)
  To: intel-xe; +Cc: Matthew Brost, stable

We flush the rebind worker during the vm close phase, however in places
like preempt_fence_work_func() we seem to queue the rebind worker
without first checking if the vm has already been closed.  The concern
here is the vm being closed with the worker flushed, but then being
rearmed later, which looks like potential uaf, since there is no actual
refcounting to track the queued worker. We can't take the vm->lock here
in preempt_rebind_work_func() to first check if the vm is closed since
that will deadlock, so instead flush the worker again when the vm
refcount reaches zero.

v2:
 - Grabbing vm->lock in the preempt worker creates a deadlock, so
   checking the closed state is tricky. Instead flush the worker when
   the refcount reaches zero. It should be impossible to queue the
   preempt worker without already holding vm ref.

Fixes: dd08ebf6c352 ("drm/xe: Introduce a new DRM driver for Intel GPUs")
Closes: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/1676
Closes: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/1591
Closes: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/1304
Closes: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/1249
Signed-off-by: Matthew Auld <matthew.auld@intel.com>
Cc: Matthew Brost <matthew.brost@intel.com>
Cc: <stable@vger.kernel.org> # v6.8+
---
 drivers/gpu/drm/xe/xe_vm.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/gpu/drm/xe/xe_vm.c b/drivers/gpu/drm/xe/xe_vm.c
index 2ba7c920a8af..71de9848bdc2 100644
--- a/drivers/gpu/drm/xe/xe_vm.c
+++ b/drivers/gpu/drm/xe/xe_vm.c
@@ -1509,6 +1509,9 @@ static void vm_destroy_work_func(struct work_struct *w)
 	/* xe_vm_close_and_put was not called? */
 	xe_assert(xe, !vm->size);
 
+	if (xe_vm_in_preempt_fence_mode(vm))
+		flush_work(&vm->preempt.rebind_work);
+
 	mutex_destroy(&vm->snap_mutex);
 
 	if (!(vm->flags & XE_VM_FLAG_MIGRATION))
-- 
2.44.0


^ permalink raw reply related	[flat|nested] 2+ messages in thread

* Re: [PATCH 2/2] drm/xe/vm: prevent UAF in rebind_work_func()
  2024-04-23  7:47 ` [PATCH 2/2] drm/xe/vm: prevent UAF in rebind_work_func() Matthew Auld
@ 2024-04-24  3:45   ` Matthew Brost
  0 siblings, 0 replies; 2+ messages in thread
From: Matthew Brost @ 2024-04-24  3:45 UTC (permalink / raw)
  To: Matthew Auld; +Cc: intel-xe, stable

On Tue, Apr 23, 2024 at 08:47:23AM +0100, Matthew Auld wrote:
> We flush the rebind worker during the vm close phase, however in places
> like preempt_fence_work_func() we seem to queue the rebind worker
> without first checking if the vm has already been closed.  The concern
> here is the vm being closed with the worker flushed, but then being
> rearmed later, which looks like potential uaf, since there is no actual
> refcounting to track the queued worker. We can't take the vm->lock here
> in preempt_rebind_work_func() to first check if the vm is closed since
> that will deadlock, so instead flush the worker again when the vm
> refcount reaches zero.
> 
> v2:
>  - Grabbing vm->lock in the preempt worker creates a deadlock, so
>    checking the closed state is tricky. Instead flush the worker when
>    the refcount reaches zero. It should be impossible to queue the
>    preempt worker without already holding vm ref.
> 

Comment in the previous patch applies here as well, with that:

Reviewed-by: Matthew Brost <matthew.brost@intel.com>

> Fixes: dd08ebf6c352 ("drm/xe: Introduce a new DRM driver for Intel GPUs")
> Closes: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/1676
> Closes: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/1591
> Closes: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/1304
> Closes: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/1249
> Signed-off-by: Matthew Auld <matthew.auld@intel.com>
> Cc: Matthew Brost <matthew.brost@intel.com>
> Cc: <stable@vger.kernel.org> # v6.8+
> ---
>  drivers/gpu/drm/xe/xe_vm.c | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/drivers/gpu/drm/xe/xe_vm.c b/drivers/gpu/drm/xe/xe_vm.c
> index 2ba7c920a8af..71de9848bdc2 100644
> --- a/drivers/gpu/drm/xe/xe_vm.c
> +++ b/drivers/gpu/drm/xe/xe_vm.c
> @@ -1509,6 +1509,9 @@ static void vm_destroy_work_func(struct work_struct *w)
>  	/* xe_vm_close_and_put was not called? */
>  	xe_assert(xe, !vm->size);
>  
> +	if (xe_vm_in_preempt_fence_mode(vm))
> +		flush_work(&vm->preempt.rebind_work);
> +
>  	mutex_destroy(&vm->snap_mutex);
>  
>  	if (!(vm->flags & XE_VM_FLAG_MIGRATION))
> -- 
> 2.44.0
> 

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2024-04-24  3:46 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
     [not found] <20240423074721.119633-3-matthew.auld@intel.com>
2024-04-23  7:47 ` [PATCH 2/2] drm/xe/vm: prevent UAF in rebind_work_func() Matthew Auld
2024-04-24  3:45   ` Matthew Brost

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox