Re: [PATCH] drm/scheduler: Add missing RCU flag to fence slab

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Am 10.07.23 um 23:15 schrieb Luben Tuikov:
On 2023-07-10 16:56, Rob Clark wrote:
From: Rob Clark <robdclark@xxxxxxxxxxxx>

Fixes the KASAN splat:

    ==================================================================
    BUG: KASAN: use-after-free in msm_ioctl_wait_fence+0x31c/0x7b0
    Read of size 4 at addr ffffff808cb7c2f8 by task syz-executor/12236
    CPU: 6 PID: 12236 Comm: syz-executor Tainted: G        W         5.15.119-lockdep-19932-g4a017c53fe63 #1 b15455e5b94c63032dd99eb0190c27e582b357ed
    Hardware name: Google Homestar (rev3) (DT)
    Call trace:
     dump_backtrace+0x0/0x4e8
     show_stack+0x34/0x50
     dump_stack_lvl+0xdc/0x11c
     print_address_description+0x30/0x2d8
     kasan_report+0x178/0x1e4
     kasan_check_range+0x1b0/0x1b8
     __kasan_check_read+0x44/0x54
     msm_ioctl_wait_fence+0x31c/0x7b0
     drm_ioctl_kernel+0x214/0x418
     drm_ioctl+0x524/0xbe8
     __arm64_sys_ioctl+0x154/0x1d0
     invoke_syscall+0x98/0x278
     el0_svc_common+0x214/0x274
     do_el0_svc+0x9c/0x19c
     el0_svc+0x5c/0xc0
     el0t_64_sync_handler+0x78/0x108
     el0t_64_sync+0x1a4/0x1a8
    Allocated by task 12224:
     kasan_save_stack+0x38/0x68
     __kasan_slab_alloc+0x6c/0x88
     kmem_cache_alloc+0x1b8/0x428
     drm_sched_fence_alloc+0x30/0x94
     drm_sched_job_init+0x7c/0x178
     msm_ioctl_gem_submit+0x2b8/0x5ac4
     drm_ioctl_kernel+0x214/0x418
     drm_ioctl+0x524/0xbe8
     __arm64_sys_ioctl+0x154/0x1d0
     invoke_syscall+0x98/0x278
     el0_svc_common+0x214/0x274
     do_el0_svc+0x9c/0x19c
     el0_svc+0x5c/0xc0
     el0t_64_sync_handler+0x78/0x108
     el0t_64_sync+0x1a4/0x1a8
    Freed by task 32:
     kasan_save_stack+0x38/0x68
     kasan_set_track+0x28/0x3c
     kasan_set_free_info+0x28/0x4c
     ____kasan_slab_free+0x110/0x164
     __kasan_slab_free+0x18/0x28
     kmem_cache_free+0x1e0/0x904
     drm_sched_fence_free_rcu+0x80/0x9c
     rcu_do_batch+0x318/0xcf0
     rcu_nocb_cb_kthread+0x1a0/0xc4c
     kthread+0x2e4/0x3a0
     ret_from_fork+0x10/0x20
    Last potentially related work creation:
     kasan_save_stack+0x38/0x68
     kasan_record_aux_stack+0xd4/0x114
     __call_rcu_common+0xd4/0x1478
     call_rcu+0x1c/0x28
     drm_sched_fence_release_scheduled+0x108/0x158
     dma_fence_release+0x178/0x564
     drm_sched_fence_release_finished+0xb4/0x124
     dma_fence_release+0x178/0x564
     __msm_gem_submit_destroy+0x150/0x488
     msm_job_free+0x9c/0xdc
     drm_sched_main+0xec/0x9ac
     kthread+0x2e4/0x3a0
     ret_from_fork+0x10/0x20
    Second to last potentially related work creation:
     kasan_save_stack+0x38/0x68
     kasan_record_aux_stack+0xd4/0x114
     __call_rcu_common+0xd4/0x1478
     call_rcu+0x1c/0x28
     drm_sched_fence_release_scheduled+0x108/0x158
     dma_fence_release+0x178/0x564
     drm_sched_fence_release_finished+0xb4/0x124
     dma_fence_release+0x178/0x564
     drm_sched_entity_fini+0x170/0x238
     drm_sched_entity_destroy+0x34/0x44
     __msm_file_private_destroy+0x60/0x118
     msm_submitqueue_destroy+0xd0/0x110
     __msm_gem_submit_destroy+0x384/0x488
     retire_submits+0x6a8/0xa14
     recover_worker+0x764/0xa50
     kthread_worker_fn+0x3f4/0x9ec
     kthread+0x2e4/0x3a0
     ret_from_fork+0x10/0x20
    The buggy address belongs to the object at ffffff808cb7c280
    The buggy address is located 120 bytes inside of
    The buggy address belongs to the page:
    page:000000008b01d27d refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10cb7c
    head:000000008b01d27d order:1 compound_mapcount:0
    flags: 0x8000000000010200(slab|head|zone=2)
    raw: 8000000000010200 fffffffe06844d80 0000000300000003 ffffff80860dca00
    raw: 0000000000000000 0000000000190019 00000001ffffffff 0000000000000000
    page dumped because: kasan: bad access detected
    Memory state around the buggy address:
     ffffff808cb7c180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
     ffffff808cb7c200: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
    >ffffff808cb7c280: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                                    ^
     ffffff808cb7c300: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc
     ffffff808cb7c380: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
    ==================================================================

Suggested-by: Alexander Potapenko <glider@xxxxxxxxxx>
Signed-off-by: Rob Clark <robdclark@xxxxxxxxxxxx>
---
  drivers/gpu/drm/scheduler/sched_fence.c | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/scheduler/sched_fence.c b/drivers/gpu/drm/scheduler/sched_fence.c
index ef120475e7c6..b624711c6e03 100644
--- a/drivers/gpu/drm/scheduler/sched_fence.c
+++ b/drivers/gpu/drm/scheduler/sched_fence.c
@@ -35,7 +35,7 @@ static int __init drm_sched_fence_slab_init(void)
  {
  	sched_fence_slab = kmem_cache_create(
  		"drm_sched_fence", sizeof(struct drm_sched_fence), 0,
-		SLAB_HWCACHE_ALIGN, NULL);
+		SLAB_HWCACHE_ALIGN | SLAB_TYPESAFE_BY_RCU, NULL);
  	if (!sched_fence_slab)
  		return -ENOMEM;
Reviewed-by: Luben Tuikov <luben.tuikov@xxxxxxx>

But let it simmer for 24 hours so Christian can see it too (CC-ed).

Well that won't work like this, using the the SLAB_TYPESAFE_BY_RCU flag was suggested before and is not allowed for dma_fence objects.

The flag SLAB_TYPESAFE_BY_RCU can only be used if the objects in the slab can't be reused within an RCU time period or if that reuse doesn't matter for the logic. And exactly that is not guaranteed for dma_fence objects.

It should also not be necessary because the scheduler fences are released using call_rcu:

static void drm_sched_fence_release_scheduled(struct dma_fence *f)
{
        struct drm_sched_fence *fence = to_drm_sched_fence(f);

        dma_fence_put(fence->parent);
        call_rcu(&fence->finished.rcu, drm_sched_fence_free_rcu);
}

That looks more like you have a reference count problem in MSM.

Regards,
Christian.



[Index of Archives]     [Linux DRI Users]     [Linux Intel Graphics]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]     [XFree86]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Linux Kernel]     [Linux SCSI]     [XFree86]
  Powered by Linux