Re: [PATCH] nouveau/gem: fix use-after-free in nouveau_gem_new

On Mon, May 17, 2021 at 09:32:44AM -0400, Jeremy Cline wrote:
> On Mon, May 17, 2021 at 11:19:02AM +0200, Thierry Reding wrote:
> > On Mon, May 17, 2021 at 10:56:29AM +0200, Thierry Reding wrote:
> > > On Tue, May 11, 2021 at 06:35:53PM +0200, Karol Herbst wrote:
> > > > If ttm_bo_init fails it will already call ttm_bo_put, so we don't have to
> > > > do it through nouveau_bo_ref.
> > > > 
> > > > ==================================================================
> > > > BUG: KFENCE: use-after-free write in ttm_bo_put+0x11/0x40 [ttm]
> > > > 
> > > > Use-after-free write at 0x000000004dc4663c (in kfence-#44):
> > > >  ttm_bo_put+0x11/0x40 [ttm]
> > > >  nouveau_gem_new+0xc1/0xf0 [nouveau]
> > > >  nouveau_gem_ioctl_new+0x53/0xf0 [nouveau]
> > > >  drm_ioctl_kernel+0xb2/0x100 [drm]
> > > >  drm_ioctl+0x215/0x390 [drm]
> > > >  nouveau_drm_ioctl+0x55/0xa0 [nouveau]
> > > >  __x64_sys_ioctl+0x83/0xb0
> > > >  do_syscall_64+0x33/0x40
> > > >  entry_SYSCALL_64_after_hwframe+0x44/0xae
> > > > 
> > > > kfence-#44 [0x00000000c0593b31-0x000000002e74122b, size=792, cache=kmalloc-1k] allocated by task 2657:
> > > >  nouveau_bo_alloc+0x63/0x4c0 [nouveau]
> > > >  nouveau_gem_new+0x38/0xf0 [nouveau]
> > > >  nouveau_gem_ioctl_new+0x53/0xf0 [nouveau]
> > > >  drm_ioctl_kernel+0xb2/0x100 [drm]
> > > >  drm_ioctl+0x215/0x390 [drm]
> > > >  nouveau_drm_ioctl+0x55/0xa0 [nouveau]
> > > >  __x64_sys_ioctl+0x83/0xb0
> > > >  do_syscall_64+0x33/0x40
> > > >  entry_SYSCALL_64_after_hwframe+0x44/0xae
> > > > 
> > > > freed by task 2657:
> > > >  ttm_bo_release+0x1cc/0x300 [ttm]
> > > >  ttm_bo_init_reserved+0x2ec/0x300 [ttm]
> > > >  ttm_bo_init+0x5e/0xd0 [ttm]
> > > >  nouveau_bo_init+0xaf/0xc0 [nouveau]
> > > >  nouveau_gem_new+0x7f/0xf0 [nouveau]
> > > >  nouveau_gem_ioctl_new+0x53/0xf0 [nouveau]
> > > >  drm_ioctl_kernel+0xb2/0x100 [drm]
> > > >  drm_ioctl+0x215/0x390 [drm]
> > > >  nouveau_drm_ioctl+0x55/0xa0 [nouveau]
> > > >  __x64_sys_ioctl+0x83/0xb0
> > > >  do_syscall_64+0x33/0x40
> > > >  entry_SYSCALL_64_after_hwframe+0x44/0xae
> > > > 
> > > > Fixes: 019cbd4a4feb3 "drm/nouveau: Initialize GEM object before TTM object"
> > > > Cc: Thierry Reding <treding@xxxxxxxxxx>
> > > > Signed-off-by: Karol Herbst <kherbst@xxxxxxxxxx>
> > > > ---
> > > >  drivers/gpu/drm/nouveau/nouveau_gem.c | 1 -
> > > >  1 file changed, 1 deletion(-)
> > > > 
> > > > diff --git a/drivers/gpu/drm/nouveau/nouveau_gem.c b/drivers/gpu/drm/nouveau/nouveau_gem.c
> > > > index c88cbb85f101..1165ff990fb5 100644
> > > > --- a/drivers/gpu/drm/nouveau/nouveau_gem.c
> > > > +++ b/drivers/gpu/drm/nouveau/nouveau_gem.c
> > > > @@ -212,7 +212,6 @@ nouveau_gem_new(struct nouveau_cli *cli, u64 size, int align, uint32_t domain,
> > > >  
> > > >  	ret = nouveau_bo_init(nvbo, size, align, domain, NULL, NULL);
> > > >  	if (ret) {
> > > > -		nouveau_bo_ref(NULL, &nvbo);
> > > >  		return ret;
> > > >  	}
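Review bot: the error path after nouveau_bo_init() now returns with no cleanup at all, so the correctness of this hunk rests entirely on TTM's failure path (ttm_bo_init_reserved -> ttm_bo_put -> ttm_bo_release, as shown in the "freed by task" trace above) invoking the driver's destroy callback and on that callback undoing drm_gem_object_init(); a sentence in the commit message spelling out that the destroy callback handles the GEM release would make the intent reviewable without reading nouveau_bo_del_ttm. Minor style point: with the nouveau_bo_ref() line gone, `if (ret) { return ret; }` is a single-statement block, and kernel style drops the braces for that, i.e. `if (ret)` / `return ret;`.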
> > > 
> > > Looking at the surrounding code, I wonder if I just managed to jumble
> > > the cleanup paths for drm_gem_object_init() and nouveau_bo_init(). If
> > > drm_gem_object_init() fails, I don't think it's necessary (though it
> > > also doesn't look harmful) to call drm_gem_object_release().
> > > 
> > > However, if nouveau_bo_init() fails, then I think we'd still need to
> > > call drm_gem_object_release(), to make sure to undo the effects of
> > > drm_gem_object_init().
> > > 
> > > So I wonder if we need something like this instead:
> > > 
> > > --- >8 ---
> > > diff --git a/drivers/gpu/drm/nouveau/nouveau_gem.c b/drivers/gpu/drm/nouveau/nouveau_gem.c
> > > index c88cbb85f101..9b6055116f30 100644
> > > --- a/drivers/gpu/drm/nouveau/nouveau_gem.c
> > > +++ b/drivers/gpu/drm/nouveau/nouveau_gem.c
> > > @@ -205,14 +205,13 @@ nouveau_gem_new(struct nouveau_cli *cli, u64 size, int align, uint32_t domain,
> > >  	 * to the caller, instead of a normal nouveau_bo ttm reference. */
> > >  	ret = drm_gem_object_init(drm->dev, &nvbo->bo.base, size);
> > >  	if (ret) {
> > > -		drm_gem_object_release(&nvbo->bo.base);
> > >  		kfree(nvbo);
> > >  		return ret;
> > >  	}
> > >  
> > >  	ret = nouveau_bo_init(nvbo, size, align, domain, NULL, NULL);
> > >  	if (ret) {
> > > -		nouveau_bo_ref(NULL, &nvbo);
> > > +		drm_gem_object_release(&nvbo->bo.base);
> > >  		return ret;
> > >  	}
> > >  
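Review bot: the added `drm_gem_object_release(&nvbo->bo.base);` in the nouveau_bo_init() error path dereferences nvbo after the KFENCE trace above shows that exact object being freed inside ttm_bo_init_reserved() (ttm_bo_release called from ttm_bo_init), so this would replace the nouveau_bo_ref() use-after-free with another one rather than fix it; if the TTM destroy callback already releases the GEM object once the last reference is dropped, the explicit release is also redundant, and the error path should simply `return ret;` after nouveau_bo_init() fails. The first change, dropping drm_gem_object_release() when drm_gem_object_init() itself fails, is consistent with the reasoning in the mail but is a separate cleanup and would be easier to review as its own patch.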
> > > --- >8 ---
> > > 
> > > Thierry
> > 
> > Adding Jeremy for visibility.
> > 
> 
> Admittedly I only skimmed the code so I'm not extremely confident in my
> analysis, but isn't that handled by the nouveau_bo_del_ttm() callback
> which should get called after the last reference is dropped with
> nouveau_bo_ref?

Yes, it should. But the point here is that we need to get rid of that
nouveau_bo_ref() call to avoid the use-after-free (which is actually
more like a use-before-init in this case, because at this point the
buffer object hasn't been fully initialized yet), so we won't actually
be dropping the reference.

Thierry


_______________________________________________
Nouveau mailing list
Nouveau@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/nouveau
