forked from Minki/linux
88326ef05b
Although we do check the completion-status of the request before actually adding a wait on it (either to its submit fence or its completion dma-fence), we currently do not check before adding it to the dependency lists. In fact, without checking for a completed request we may try to use the signaler after it has been retired and its dependency tree freed: [ 60.044057] BUG: KASAN: use-after-free in __list_add_valid+0x1d/0xd0 at addr ffff880348c9e6a0 [ 60.044118] Read of size 8 by task gem_exec_fence/530 [ 60.044164] CPU: 1 PID: 530 Comm: gem_exec_fence Tainted: G E 4.11.0-rc7+ #46 [ 60.044226] Hardware name: ��������������������������������� ���������������������������������/���������������������������������, BIOS RYBDWi35.86A.0246.2 [ 60.044290] Call Trace: [ 60.044337] dump_stack+0x4d/0x6a [ 60.044383] kasan_object_err+0x21/0x70 [ 60.044435] kasan_report+0x225/0x4e0 [ 60.044488] ? __list_add_valid+0x1d/0xd0 [ 60.044534] ? kasan_kmalloc+0xad/0xe0 [ 60.044587] __asan_load8+0x5e/0x70 [ 60.044639] __list_add_valid+0x1d/0xd0 [ 60.044788] __i915_priotree_add_dependency+0x67/0x130 [i915] [ 60.044895] i915_gem_request_await_request+0xa8/0x370 [i915] [ 60.044974] i915_gem_request_await_dma_fence+0x129/0x140 [i915] [ 60.045049] i915_gem_do_execbuffer.isra.37+0xb0a/0x26b0 [i915] [ 60.045077] ? save_stack+0xb1/0xd0 [ 60.045105] ? save_stack_trace+0x1b/0x20 [ 60.045132] ? save_stack+0x46/0xd0 [ 60.045158] ? kasan_kmalloc+0xad/0xe0 [ 60.045184] ? __kmalloc+0xd8/0x670 [ 60.045229] ? drm_ioctl+0x359/0x640 [drm] [ 60.045256] ? SyS_ioctl+0x41/0x70 [ 60.045330] ? i915_vma_move_to_active+0x540/0x540 [i915] [ 60.045360] ? tty_insert_flip_string_flags+0xa1/0xf0 [ 60.045387] ? tty_flip_buffer_push+0x63/0x70 [ 60.045414] ? remove_wait_queue+0xa9/0xc0 [ 60.045441] ? kasan_unpoison_shadow+0x35/0x50 [ 60.045467] ? kasan_kmalloc+0xad/0xe0 [ 60.045494] ? kasan_check_write+0x14/0x20 [ 60.045568] i915_gem_execbuffer2+0xdb/0x2a0 [i915] [ 60.045616] drm_ioctl+0x359/0x640 [drm] [ 60.045705] ? i915_gem_execbuffer+0x5a0/0x5a0 [i915] [ 60.045751] ? drm_version+0x150/0x150 [drm] [ 60.045778] ? compat_start_thread+0x60/0x60 [ 60.045805] ? plist_del+0xda/0x1a0 [ 60.045833] do_vfs_ioctl+0x12e/0x910 [ 60.045860] ? ioctl_preallocate+0x130/0x130 [ 60.045886] ? pci_mmcfg_check_reserved+0xc0/0xc0 [ 60.045913] ? vfs_write+0x196/0x240 [ 60.045939] ? __fget_light+0xa7/0xc0 [ 60.045965] SyS_ioctl+0x41/0x70 [ 60.045991] entry_SYSCALL_64_fastpath+0x17/0x98 [ 60.046017] RIP: 0033:0x7feb2baefc47 [ 60.046042] RSP: 002b:00007fff56d28e58 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 60.046075] RAX: ffffffffffffffda RBX: 00007fff56d290a8 RCX: 00007feb2baefc47 [ 60.046102] RDX: 00007fff56d29050 RSI: 00000000c0406469 RDI: 0000000000000003 [ 60.046129] RBP: 00007fff56d29050 R08: 000055ecc4cd27d0 R09: 00007feb2bda8600 [ 60.046154] R10: 0000000000000073 R11: 0000000000000246 R12: 00000000c0406469 [ 60.046177] R13: 0000000000000003 R14: 000000000000000f R15: 0000000000000099 [ 60.046203] Object at ffff880348c9e680, in cache i915_dependency size: 64 [ 60.046225] Allocated: [ 60.046246] PID = 530 [ 60.046269] save_stack_trace+0x1b/0x20 [ 60.046292] save_stack+0x46/0xd0 [ 60.046318] kasan_kmalloc+0xad/0xe0 [ 60.046343] kasan_slab_alloc+0x12/0x20 [ 60.046368] kmem_cache_alloc+0xab/0x650 [ 60.046445] i915_gem_request_await_request+0x88/0x370 [i915] [ 60.046559] i915_gem_request_await_dma_fence+0x129/0x140 [i915] [ 60.046705] i915_gem_do_execbuffer.isra.37+0xb0a/0x26b0 [i915] [ 60.046849] i915_gem_execbuffer2+0xdb/0x2a0 [i915] [ 60.046936] drm_ioctl+0x359/0x640 [drm] [ 60.046987] do_vfs_ioctl+0x12e/0x910 [ 60.047038] SyS_ioctl+0x41/0x70 [ 60.047090] entry_SYSCALL_64_fastpath+0x17/0x98 [ 60.047139] Freed: [ 60.047179] PID = 530 [ 60.047223] save_stack_trace+0x1b/0x20 [ 60.047269] save_stack+0x46/0xd0 [ 60.047317] kasan_slab_free+0x72/0xc0 [ 60.047366] kmem_cache_free+0x39/0x160 [ 60.047512] i915_gem_request_retire+0x83f/0x930 [i915] [ 60.047657] i915_gem_request_alloc+0x166/0x600 [i915] [ 60.047799] i915_gem_do_execbuffer.isra.37+0xad8/0x26b0 [i915] [ 60.047897] i915_gem_execbuffer2+0xdb/0x2a0 [i915] [ 60.047942] drm_ioctl+0x359/0x640 [drm] [ 60.047968] do_vfs_ioctl+0x12e/0x910 [ 60.047993] SyS_ioctl+0x41/0x70 [ 60.048019] entry_SYSCALL_64_fastpath+0x17/0x98 [ 60.048044] Memory state around the buggy address: [ 60.048066] ffff880348c9e580: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc [ 60.048105] ffff880348c9e600: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc [ 60.048138] >ffff880348c9e680: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 60.048170] ^ [ 60.048191] ffff880348c9e700: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc [ 60.048225] ffff880348c9e780: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc Note to hit the use-after-free requires us to be passed back a request via a fence-array, that is from explicit fencing accumulated into a sync-file fence-array. Fixes: |
||
---|---|---|
.. | ||
amd | ||
arc | ||
arm | ||
armada | ||
ast | ||
atmel-hlcdc | ||
bochs | ||
bridge | ||
cirrus | ||
etnaviv | ||
exynos | ||
fsl-dcu | ||
gma500 | ||
hisilicon | ||
i2c | ||
i810 | ||
i915 | ||
imx | ||
lib | ||
mediatek | ||
meson | ||
mga | ||
mgag200 | ||
msm | ||
mxsfb | ||
nouveau | ||
omapdrm | ||
panel | ||
qxl | ||
r128 | ||
radeon | ||
rcar-du | ||
rockchip | ||
savage | ||
selftests | ||
shmobile | ||
sis | ||
sti | ||
sun4i | ||
tdfx | ||
tegra | ||
tilcdc | ||
tinydrm | ||
ttm | ||
udl | ||
vc4 | ||
vgem | ||
via | ||
virtio | ||
vmwgfx | ||
zte | ||
ati_pcigart.c | ||
drm_agpsupport.c | ||
drm_atomic_helper.c | ||
drm_atomic.c | ||
drm_auth.c | ||
drm_blend.c | ||
drm_bridge.c | ||
drm_bufs.c | ||
drm_cache.c | ||
drm_color_mgmt.c | ||
drm_connector.c | ||
drm_context.c | ||
drm_crtc_helper_internal.h | ||
drm_crtc_helper.c | ||
drm_crtc_internal.h | ||
drm_crtc.c | ||
drm_debugfs_crc.c | ||
drm_debugfs.c | ||
drm_dma.c | ||
drm_dp_aux_dev.c | ||
drm_dp_dual_mode_helper.c | ||
drm_dp_helper.c | ||
drm_dp_mst_topology.c | ||
drm_drv.c | ||
drm_dumb_buffers.c | ||
drm_edid_load.c | ||
drm_edid.c | ||
drm_encoder_slave.c | ||
drm_encoder.c | ||
drm_fb_cma_helper.c | ||
drm_fb_helper.c | ||
drm_file.c | ||
drm_flip_work.c | ||
drm_fourcc.c | ||
drm_framebuffer.c | ||
drm_gem_cma_helper.c | ||
drm_gem.c | ||
drm_global.c | ||
drm_hashtab.c | ||
drm_info.c | ||
drm_internal.h | ||
drm_ioc32.c | ||
drm_ioctl.c | ||
drm_irq.c | ||
drm_kms_helper_common.c | ||
drm_legacy.h | ||
drm_lock.c | ||
drm_memory.c | ||
drm_mipi_dsi.c | ||
drm_mm.c | ||
drm_mode_config.c | ||
drm_mode_object.c | ||
drm_modes.c | ||
drm_modeset_helper.c | ||
drm_modeset_lock.c | ||
drm_of.c | ||
drm_panel.c | ||
drm_pci.c | ||
drm_plane_helper.c | ||
drm_plane.c | ||
drm_prime.c | ||
drm_print.c | ||
drm_probe_helper.c | ||
drm_property.c | ||
drm_rect.c | ||
drm_scatter.c | ||
drm_scdc_helper.c | ||
drm_simple_kms_helper.c | ||
drm_sysfs.c | ||
drm_trace_points.c | ||
drm_trace.h | ||
drm_vm.c | ||
drm_vma_manager.c | ||
Kconfig | ||
Makefile |