On 3/30/22 12:45, Daniel Vetter wrote:
> On Tue, Mar 15, 2022 at 12:53:30AM +0300, Dmitry Osipenko wrote:
>> On 3/11/22 17:22, Maxime Ripard wrote:
>>> Hi Dmitry,
>>>
>>> On Thu, Mar 10, 2022 at 03:33:07AM +0300, Dmitry Osipenko wrote:
>>>> I was playing/testing SuperTuxKart using the VirtIO-GPU driver and spotted a UAF bug in drm_atomic_helper_wait_for_vblanks().
>>>>
>>>> SuperTuxKart can use DRM directly, i.e. you can run the game in a VT without Xorg or Wayland; this is where the bug happens. SuperTuxKart uses non-blocking atomic page flips, and the UAF happens when a new atomic state is committed while a previous page flip is still in flight.
>>>>
>>>> What happens is that the new and old atomic states refer to the same CRTC state somehow. Once the older atomic state is destroyed, the CRTC state is freed and the newer atomic state continues to use the freed CRTC state.
>>>
>>> I'm not sure what you mean by "the new and old atomic states refer to the same CRTC state"; are those the same pointers?
>>
>> Yes, the pointers are the same. I'd assume that the newer atomic state should duplicate the CRTC state, but apparently that doesn't happen.
>
> The legacy cursor hack stuff does this, and it pretty fundamentally breaks everything. Might be good to retest with that disabled:
>
> https://lore.kernel.org/dri-devel/20201023123925.2374863-1-daniel.vetter@xxxxxxxx/
>
> The problem is a bit that this might cause some regressions, for drivers which don't yet have the fancy new cursor fastpath for plane updates.
> -Daniel

Thank you, I tested your patch and unfortunately it doesn't fix my problem. It should be a separate bug. Those async update code paths aren't trivial; it will take some time for me to debug it.