On 3/11/22 17:22, Maxime Ripard wrote:
> Hi Dmitry,
>
> On Thu, Mar 10, 2022 at 03:33:07AM +0300, Dmitry Osipenko wrote:
>> I was playing/testing SuperTuxKart using the VirtIO-GPU driver and spotted a
>> UAF bug in drm_atomic_helper_wait_for_vblanks().
>>
>> SuperTuxKart can use DRM directly, i.e. you can run the game in a VT without
>> Xorg or Wayland, and this is where the bug happens. SuperTuxKart uses
>> non-blocking atomic page flips, and the UAF happens when a new atomic state
>> is committed while a previous page flip is still in flight.
>>
>> What happens is that the new and old atomic states refer to the same
>> CRTC state somehow. Once the older atomic state is destroyed, the CRTC
>> state is freed and the newer atomic state continues to use the freed
>> CRTC state.
>
> I'm not sure what you mean by "the new and old atomic states refer to
> the same CRTC state", are those the same pointers?

Yes, the pointers are the same. I'd assume that the newer atomic state
should duplicate the CRTC state, but apparently that doesn't happen.

>> The bug is easily reproducible (at least by me) by playing SuperTuxKart
>> for a minute. It is present on latest -next and 5.17-rc7; I haven't
>> checked older kernel versions.
>>
>> I'm not an expert on the non-blocking code paths in DRM, so I'm asking for
>> suggestions about where the root of the problem could be.
>
> Does it occur with other platforms? Can you easily test on something else?

It shouldn't be easy to replicate this on other platforms, but I'll try.
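The ownership rule behind the report above, as an added user-space model that is not part of this thread and not kernel code: in the DRM atomic model each drm_atomic_state gets its own private copy of every object state it touches (the atomic_duplicate_state callback), and that copy is destroyed when the atomic state is torn down. The toy below (hypothetical names: crtc_state, atomic_state, run_scenario) builds two overlapping commits, lets the older one be destroyed first, and shows that a shared pointer instead of a duplicate leaves the newer commit reading a state that has already been freed. Memory is quarantined (marked freed) rather than released so that the stale access is detectable instead of undefined behaviour; the real kernel's exact code paths are not reproduced here.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Toy per-object state standing in for struct drm_crtc_state (hypothetical). */
struct crtc_state {
    unsigned int seq;   /* number of the commit that produced this state */
    bool active;
    bool freed;         /* quarantine flag: set instead of calling free() so a
                           stale access is detected rather than being UB */
};

/* Toy commit standing in for struct drm_atomic_state (hypothetical). */
struct atomic_state {
    unsigned int seq;
    struct crtc_state *crtc;   /* CRTC state this commit works with */
    bool owns_crtc;            /* true if crtc was duplicated for this commit */
};

/* Model of the atomic_duplicate_state callback: a private copy per commit.
 * The copy is intentionally never released (quarantine), so this toy leaks. */
static struct crtc_state *crtc_state_dup(const struct crtc_state *src, unsigned int seq)
{
    struct crtc_state *s = calloc(1, sizeof(*s));
    if (!s)
        abort();
    *s = *src;
    s->seq = seq;
    s->freed = false;
    return s;
}

/* Quarantined destroy: mark the object freed instead of handing it back
 * to the allocator, so a later use can be reported. */
static void crtc_state_destroy(struct crtc_state *s)
{
    s->freed = true;
}

/* duplicate=true is the DRM model (own a copy); duplicate=false aliases
 * `current`, modelling the report's observation that two atomic states
 * pointed at one CRTC state. */
static void atomic_state_init(struct atomic_state *st, unsigned int seq,
                              struct crtc_state *current, bool duplicate)
{
    st->seq = seq;
    st->owns_crtc = duplicate;
    st->crtc = duplicate ? crtc_state_dup(current, seq) : current;
}

/* Teardown of a commit: destroys only the CRTC state it owns. */
static void atomic_state_cleanup(struct atomic_state *st)
{
    if (st->owns_crtc)
        crtc_state_destroy(st->crtc);
    st->crtc = NULL;
}

/* What a helper such as wait_for_vblanks would do: read the CRTC state.
 * Returns -1 if the state was already freed (the UAF case), 0 if the CRTC
 * is active, 1 if it is inactive. */
static int atomic_state_use(const struct atomic_state *st)
{
    if (!st->crtc || st->crtc->freed)
        return -1;
    return st->crtc->active ? 0 : 1;
}

/* Invariant the atomic model relies on: no two live atomic states may point
 * at the same object state. Returns the number of aliased pairs. */
static int count_aliased_pairs(struct atomic_state *const *states, size_t n)
{
    int pairs = 0;
    for (size_t i = 0; i < n; i++)
        for (size_t j = i + 1; j < n; j++)
            if (states[i]->crtc && states[i]->crtc == states[j]->crtc)
                pairs++;
    return pairs;
}

struct scenario_result {
    int aliased_pairs;   /* invariant violations while both commits are live */
    int use_result;      /* atomic_state_use() of the newer commit after the older is gone */
};

/* Commit 1 is in flight when commit 2 is built; commit 1 is destroyed first,
 * then commit 2 is still used, as in the report. */
static struct scenario_result run_scenario(bool duplicate_for_second)
{
    struct crtc_state initial = { .seq = 0, .active = true, .freed = false };
    struct atomic_state first, second;
    struct atomic_state *const live[] = { &first, &second };
    struct scenario_result r;

    atomic_state_init(&first, 1, &initial, true);
    atomic_state_init(&second, 2, first.crtc, duplicate_for_second);
    r.aliased_pairs = count_aliased_pairs(live, 2);
    atomic_state_cleanup(&first);            /* older atomic state destroyed */
    r.use_result = atomic_state_use(&second); /* newer one still running */
    atomic_state_cleanup(&second);
    return r;
}

static int scenario_use_result(bool dup) { return run_scenario(dup).use_result; }
static int scenario_aliased_pairs(bool dup) { return run_scenario(dup).aliased_pairs; }

int main(void)
{
    printf("duplicated: aliased=%d use=%d\n", scenario_aliased_pairs(true), scenario_use_result(true));
    printf("aliased:    aliased=%d use=%d\n", scenario_aliased_pairs(false), scenario_use_result(false));
    return 0;
}
```

The aliased-pair count is the check worth carrying into a real debugging session: whichever way the two states end up sharing a pointer, the violation is visible while both commits are still live, well before the older one is torn down and the newer one dereferences freed memory.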