Hi Dmitry,

On Thu, Mar 10, 2022 at 03:33:07AM +0300, Dmitry Osipenko wrote:
> I was playing/testing SuperTuxKart using the VirtIO-GPU driver and spotted a
> UAF bug in drm_atomic_helper_wait_for_vblanks().
>
> SuperTuxKart can use DRM directly, i.e. you can run the game in a VT without
> Xorg or Wayland; this is where the bug happens. SuperTuxKart uses
> non-blocking atomic page flips, and the UAF happens when a new atomic state
> is committed while a previous page flip is still in flight.
>
> What happens is that the new and old atomic states refer to the same
> CRTC state somehow. Once the older atomic state is destroyed, the CRTC
> state is freed and the newer atomic state continues to use the freed
> CRTC state.

I'm not sure what you mean by "the new and old atomic states refer to the
same CRTC state": are those the same pointers?

> The bug is easily reproducible (at least by me) by playing SuperTuxKart
> for a minute. It is present on latest -next and 5.17-rc7; I haven't
> checked older kernel versions.
>
> I'm not an expert on the non-blocking code paths in DRM, so I'm asking for
> suggestions about where the root of the problem could be.

Does it occur with other platforms? Can you easily test on something else?

Thanks,
Maxime