If ttm_bo_init fails, it will already call ttm_bo_put, so we don't have to do it through nouveau_bo_ref.

==================================================================
BUG: KFENCE: use-after-free write in ttm_bo_put+0x11/0x40 [ttm]

Use-after-free write at 0x000000004dc4663c (in kfence-#44):
 ttm_bo_put+0x11/0x40 [ttm]
 nouveau_gem_new+0xc1/0xf0 [nouveau]
 nouveau_gem_ioctl_new+0x53/0xf0 [nouveau]
 drm_ioctl_kernel+0xb2/0x100 [drm]
 drm_ioctl+0x215/0x390 [drm]
 nouveau_drm_ioctl+0x55/0xa0 [nouveau]
 __x64_sys_ioctl+0x83/0xb0
 do_syscall_64+0x33/0x40
 entry_SYSCALL_64_after_hwframe+0x44/0xae

kfence-#44 [0x00000000c0593b31-0x000000002e74122b, size=792, cache=kmalloc-1k]

allocated by task 2657:
 nouveau_bo_alloc+0x63/0x4c0 [nouveau]
 nouveau_gem_new+0x38/0xf0 [nouveau]
 nouveau_gem_ioctl_new+0x53/0xf0 [nouveau]
 drm_ioctl_kernel+0xb2/0x100 [drm]
 drm_ioctl+0x215/0x390 [drm]
 nouveau_drm_ioctl+0x55/0xa0 [nouveau]
 __x64_sys_ioctl+0x83/0xb0
 do_syscall_64+0x33/0x40
 entry_SYSCALL_64_after_hwframe+0x44/0xae

freed by task 2657:
 ttm_bo_release+0x1cc/0x300 [ttm]
 ttm_bo_init_reserved+0x2ec/0x300 [ttm]
 ttm_bo_init+0x5e/0xd0 [ttm]
 nouveau_bo_init+0xaf/0xc0 [nouveau]
 nouveau_gem_new+0x7f/0xf0 [nouveau]
 nouveau_gem_ioctl_new+0x53/0xf0 [nouveau]
 drm_ioctl_kernel+0xb2/0x100 [drm]
 drm_ioctl+0x215/0x390 [drm]
 nouveau_drm_ioctl+0x55/0xa0 [nouveau]
 __x64_sys_ioctl+0x83/0xb0
 do_syscall_64+0x33/0x40
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Fixes: 019cbd4a4feb3 "drm/nouveau: Initialize GEM object before TTM object"
Cc: Thierry Reding <treding@xxxxxxxxxx>
Signed-off-by: Karol Herbst <kherbst@xxxxxxxxxx>
---
 drivers/gpu/drm/nouveau/nouveau_gem.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/drivers/gpu/drm/nouveau/nouveau_gem.c b/drivers/gpu/drm/nouveau/nouveau_gem.c
index c88cbb85f101..1165ff990fb5 100644
--- a/drivers/gpu/drm/nouveau/nouveau_gem.c
+++ b/drivers/gpu/drm/nouveau/nouveau_gem.c
@@ -212,7 +212,6 @@ nouveau_gem_new(struct nouveau_cli *cli, u64 size, int align, uint32_t domain, ret = nouveau_bo_init(nvbo, size, align, domain, NULL, NULL); if (ret) { - nouveau_bo_ref(NULL, &nvbo); return ret; } -- 2.31.1 _______________________________________________ Nouveau mailing list Nouveau@xxxxxxxxxxxxxxxxxxxxx https://lists.freedesktop.org/mailman/listinfo/nouveau
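Review bot: The removed `nouveau_bo_ref(NULL, &nvbo);` in the `if (ret)` branch was the second reference drop on this error path, and the KFENCE report in the description confirms it: the object is freed through ttm_bo_init -> ttm_bo_init_reserved -> ttm_bo_release, and then written again by the ttm_bo_put reached from nouveau_gem_new, so deleting the extra put is the right fix for that double free. Two things are worth confirming before this goes in: first, that every failure return of nouveau_bo_init actually reaches ttm_bo_init, because `return ret;` is now the only cleanup left in the branch and a failure before the TTM init would leak nvbo; second, since the call site now relies silently on the callee's contract, a one-line comment above `return ret;` along the lines of `/* nouveau_bo_init() already dropped our reference via ttm_bo_put() */` would keep a future reader from reinstating the ref drop. Style nit: the Fixes tag should use the kernel's usual form with the subject in parentheses, `Fixes: 019cbd4a4feb3 ("drm/nouveau: Initialize GEM object before TTM object")`.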