On Tue, Mar 15, 2022 at 12:53:30AM +0300, Dmitry Osipenko wrote:
> On 3/11/22 17:22, Maxime Ripard wrote:
> > Hi Dmitry,
> >
> > On Thu, Mar 10, 2022 at 03:33:07AM +0300, Dmitry Osipenko wrote:
> >> I was playing/testing SuperTuxKart using VirtIO-GPU driver and spotted a
> >> UAF bug in drm_atomic_helper_wait_for_vblanks().
> >>
> >> SuperTuxKart can use DRM directly, i.e. you can run the game in a VT without
> >> Xorg or Wayland, and this is where the bug happens. SuperTuxKart uses
> >> non-blocking atomic page flips, and the UAF happens when a new atomic state
> >> is committed while a previous page flip is still in flight.
> >>
> >> What happens is that the new and old atomic states refer to the same
> >> CRTC state somehow. Once the older atomic state is destroyed, the CRTC
> >> state is freed and the newer atomic state continues to use the freed
> >> CRTC state.
> >
> > I'm not sure what you mean by "the new and old atomic states refer to
> > the same CRTC state", are those the same pointers?
>
> Yes, the pointers are the same. I'd assume that the newer atomic state
> should duplicate the CRTC state, but apparently it doesn't happen.

The legacy cursor hack stuff does this, and it pretty fundamentally breaks
everything. Might be good to retest with that disabled:

https://lore.kernel.org/dri-devel/20201023123925.2374863-1-daniel.vetter@xxxxxxxx/

The problem is a bit that this might cause some regressions, for drivers
which don't yet have the fancy new cursor fastpath for plane updates.
-Daniel

> >> The bug is easily reproducible (at least by me) by playing SuperTuxKart
> >> for a minute. It is present on latest -next and 5.17-rc7, I haven't
> >> checked older kernel versions.
> >>
> >> I'm not an expert on the non-blocking code paths in DRM, so I'm asking for
> >> suggestions about where the root of the problem could be.
> >
> > Does it occur with other platforms? Can you easily test on something else?
>
> Shouldn't be easy to replicate this on other platforms, but I'll try.

--
Daniel Vetter
Software Engineer, Intel Corporation
http://blog.ffwll.ch
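The failure mode the thread describes, as an added userspace model (this is example code written for this page, not code from the thread or from the DRM core): a newer atomic state that aliases the older state's CRTC state instead of duplicating it, so that destroying the older state frees memory the newer one still uses. All names (`model_*`) are hypothetical stand-ins for `drm_atomic_state`, `drm_crtc_state` and a driver's `atomic_duplicate_state` hook; the aliasing check and the commit sequence are assumptions made for the illustration, not the real helper's logic.

```c
/*
 * Added example, not DRM code. Models two atomic states built from one
 * another, once with a duplicated CRTC state (correct) and once with the
 * CRTC state pointer shared (the aliasing reported in the thread).
 */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for struct drm_crtc_state. */
struct model_crtc_state {
	unsigned int last_vblank_count;
	bool active;
};

/* Hypothetical stand-in for struct drm_atomic_state (one CRTC only). */
struct model_atomic_state {
	struct model_crtc_state *crtc_state;
};

/* What a duplicate_state hook must do: hand the new state its own copy. */
static struct model_crtc_state *
model_crtc_duplicate_state(const struct model_crtc_state *old)
{
	struct model_crtc_state *dup = malloc(sizeof(*dup));

	if (!dup)
		return NULL;
	memcpy(dup, old, sizeof(*dup));
	return dup;
}

/*
 * Build the next state from the previous one. duplicate == false reproduces
 * the bug pattern: both atomic states point at the same CRTC state object.
 */
static struct model_atomic_state *
model_atomic_state_next(const struct model_atomic_state *prev, bool duplicate)
{
	struct model_atomic_state *st = calloc(1, sizeof(*st));

	if (!st)
		return NULL;
	st->crtc_state = duplicate ? model_crtc_duplicate_state(prev->crtc_state)
				   : prev->crtc_state;
	if (!st->crtc_state) {
		free(st);
		return NULL;
	}
	return st;
}

/* The check to make before an old state is destroyed: do the two alias? */
static bool model_states_alias(const struct model_atomic_state *a,
			       const struct model_atomic_state *b)
{
	return a->crtc_state == b->crtc_state;
}

static void model_atomic_state_put(struct model_atomic_state *st)
{
	if (!st)
		return;
	free(st->crtc_state);
	free(st);
}

/*
 * Sequence from the report: commit A is still in flight when commit B is
 * built from it, then A's state is destroyed and B keeps running.
 * Returns 1 when the states alias (freeing A would leave B with a dangling
 * CRTC state, i.e. the use-after-free), 0 when B owns its own copy,
 * -1 on allocation failure.
 */
static int model_run_sequence(bool duplicate)
{
	struct model_atomic_state a = { 0 }, *b;
	int aliased;

	a.crtc_state = calloc(1, sizeof(*a.crtc_state));
	if (!a.crtc_state)
		return -1;
	a.crtc_state->active = true;

	b = model_atomic_state_next(&a, duplicate);
	if (!b) {
		free(a.crtc_state);
		return -1;
	}

	aliased = model_states_alias(&a, b);
	if (aliased) {
		/* Freeing through A here is the UAF; hand ownership to B instead. */
		a.crtc_state = NULL;
	}
	free(a.crtc_state);			/* A retires; only safe when not aliased */
	b->crtc_state->last_vblank_count++;	/* B continues using its CRTC state */
	model_atomic_state_put(b);
	return aliased;
}

int main(void)
{
	printf("duplicated: aliased=%d\n", model_run_sequence(true));
	printf("shared:     aliased=%d\n", model_run_sequence(false));
	return 0;
}
```

Running the shared variant under AddressSanitizer without the ownership hand-off in `model_run_sequence` would report the same shape of heap-use-after-free as the report: the old state's free followed by the new state's access to the same allocation.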