On Tue, Mar 15, 2022 at 12:53:30AM +0300, Dmitry Osipenko wrote:
> On 3/11/22 17:22, Maxime Ripard wrote:
> > On Thu, Mar 10, 2022 at 03:33:07AM +0300, Dmitry Osipenko wrote:
> >> I was playing/testing SuperTuxKart using the VirtIO-GPU driver and spotted a
> >> UAF bug in drm_atomic_helper_wait_for_vblanks().
> >>
> >> SuperTuxKart can use DRM directly, i.e. you can run the game in a VT without
> >> Xorg or Wayland, and this is where the bug happens. SuperTuxKart uses
> >> non-blocking atomic page flips, and the UAF happens when a new atomic state
> >> is committed while a previous page flip is still in flight.
> >>
> >> What happens is that the new and old atomic states refer to the same
> >> CRTC state somehow. Once the older atomic state is destroyed, the CRTC
> >> state is freed and the newer atomic state continues to use the freed
> >> CRTC state.
> >
> > I'm not sure what you mean by "the new and old atomic states refer to
> > the same CRTC state", are those the same pointers?
>
> Yes, the pointers are the same. I'd assume that the newer atomic state
> should duplicate the CRTC state, but apparently it doesn't happen.

Yeah, I don't think this is right either.

> >> The bug is easily reproducible (at least by me) by playing SuperTuxKart
> >> for a minute. It presents on latest -next and 5.17-rc7; I haven't
> >> checked older kernel versions.
> >>
> >> I'm not an expert on the non-blocking code paths in DRM, so I'm asking for
> >> suggestions about where the root of the problem could be.
> >
> > Does it occur with other platforms? Can you easily test on something else?
>
> Shouldn't be easy to replicate this on other platforms, but I'll try.

By replicating I meant running SuperTuxKart on a platform with a
different KMS driver than virtio-gpu. So any ARM SBC with a GPU will do,
for example.

That will allow us to see if it's a bug in virtio-gpu or in the
helpers/core.

Maxime