LKML Archive on lore.kernel.org
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: "Greg Kroah-Hartman" <gregkh@linuxfoundation.org>,
	罗权 <luoquan@qianxin.com>,
	"Chris Wilson" <chris@chris-wilson.co.uk>,
	"Jon Bloomfield" <jon.bloomfield@intel.com>,
	"Tyler Hicks" <tyhicks@canonical.com>
Subject: [PATCH 4.19 16/84] drm/i915: Fix use-after-free when destroying GEM context
Date: Fri, 17 Jan 2020 00:17:50 +0100
Message-ID: <20200116231715.550710759@linuxfoundation.org>
In-Reply-To: <20200116231713.087649517@linuxfoundation.org>

From: Tyler Hicks <tyhicks@canonical.com>

This patch is a simplified fix to address a use-after-free in 4.14.x and
4.19.x stable kernels. The flaw is already fixed upstream, starting in
5.2, by commit 7dc40713618c ("drm/i915: Introduce a mutex for
file_priv->context_idr") as part of a more complex patch series that
isn't appropriate for backporting to stable kernels.

Expand mutex coverage, while destroying the GEM context, to include the
GEM context lookup step. This fixes a use-after-free detected by KASAN:

 ==================================================================
 BUG: KASAN: use-after-free in i915_ppgtt_close+0x2ca/0x2f0
 Write of size 1 at addr ffff8881368a8368 by task i915-poc/3124

 CPU: 0 PID: 3124 Comm: i915-poc Not tainted 4.14.164 #1
 Hardware name: HP HP Elite x2 1012 G1 /80FC, BIOS N85 Ver. 01.20 04/05/2017
 Call Trace:
  dump_stack+0xcd/0x12e
  ? _atomic_dec_and_lock+0x1b2/0x1b2
  ? i915_ppgtt_close+0x2ca/0x2f0
  ? printk+0x8f/0xab
  ? show_regs_print_info+0x53/0x53
  ? i915_ppgtt_close+0x2ca/0x2f0
  print_address_description+0x65/0x270
  ? i915_ppgtt_close+0x2ca/0x2f0
  kasan_report+0x251/0x340
  i915_ppgtt_close+0x2ca/0x2f0
  ? __radix_tree_insert+0x3f0/0x3f0
  ? i915_ppgtt_init_hw+0x7c0/0x7c0
  context_close+0x42e/0x680
  ? i915_gem_context_release+0x230/0x230
  ? kasan_kmalloc+0xa0/0xd0
  ? radix_tree_delete_item+0x1d4/0x250
  ? radix_tree_lookup+0x10/0x10
  ? inet_recvmsg+0x4b0/0x4b0
  ? kasan_slab_free+0x88/0xc0
  i915_gem_context_destroy_ioctl+0x236/0x300
  ? i915_gem_context_create_ioctl+0x360/0x360
  ? drm_dev_printk+0x1d0/0x1d0
  ? memcpy+0x34/0x50
  ? i915_gem_context_create_ioctl+0x360/0x360
  drm_ioctl_kernel+0x1b0/0x2b0
  ? drm_ioctl_permit+0x2a0/0x2a0
  ? avc_ss_reset+0xd0/0xd0
  drm_ioctl+0x6fe/0xa20
  ? i915_gem_context_create_ioctl+0x360/0x360
  ? drm_getstats+0x20/0x20
  ? put_unused_fd+0x260/0x260
  do_vfs_ioctl+0x189/0x12d0
  ? ioctl_preallocate+0x280/0x280
  ? selinux_file_ioctl+0x3a7/0x680
  ? selinux_bprm_set_creds+0xe30/0xe30
  ? security_file_ioctl+0x69/0xa0
  ? selinux_bprm_set_creds+0xe30/0xe30
  SyS_ioctl+0x6f/0x80
  ? __sys_sendmmsg+0x4a0/0x4a0
  ? do_vfs_ioctl+0x12d0/0x12d0
  do_syscall_64+0x214/0x5f0
  ? __switch_to_asm+0x31/0x60
  ? __switch_to_asm+0x25/0x60
  ? __switch_to_asm+0x31/0x60
  ? syscall_return_slowpath+0x2c0/0x2c0
  ? copy_overflow+0x20/0x20
  ? __switch_to_asm+0x25/0x60
  ? syscall_return_via_sysret+0x2a/0x7a
  ? prepare_exit_to_usermode+0x200/0x200
  ? __switch_to_asm+0x31/0x60
  ? __switch_to_asm+0x31/0x60
  ? __switch_to_asm+0x25/0x60
  ? __switch_to_asm+0x25/0x60
  ? __switch_to_asm+0x31/0x60
  ? __switch_to_asm+0x25/0x60
  ? __switch_to_asm+0x31/0x60
  ? __switch_to_asm+0x31/0x60
  ? __switch_to_asm+0x25/0x60
  entry_SYSCALL_64_after_hwframe+0x3d/0xa2
 RIP: 0033:0x7f7fda5115d7
 RSP: 002b:00007f7eec317ec8 EFLAGS: 00000286 ORIG_RAX: 0000000000000010
 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f7fda5115d7
 RDX: 000055b306db9188 RSI: 000000004008646e RDI: 0000000000000003
 RBP: 00007f7eec317ef0 R08: 00007f7eec318700 R09: 0000000000000000
 R10: 0000000000000000 R11: 0000000000000286 R12: 00007f7eec317fc0
 R13: 0000000000000000 R14: 0000000000000000 R15: 00007ffd8007ade0

 Allocated by task 2898:
  save_stack+0x32/0xb0
  kasan_kmalloc+0xa0/0xd0
  kmem_cache_alloc_trace+0x5e/0x180
  i915_ppgtt_create+0xab/0x2510
  i915_gem_create_context+0x981/0xf90
  i915_gem_context_create_ioctl+0x1d7/0x360
  drm_ioctl_kernel+0x1b0/0x2b0
  drm_ioctl+0x6fe/0xa20
  do_vfs_ioctl+0x189/0x12d0
  SyS_ioctl+0x6f/0x80
  do_syscall_64+0x214/0x5f0
  entry_SYSCALL_64_after_hwframe+0x3d/0xa2

 Freed by task 104:
  save_stack+0x32/0xb0
  kasan_slab_free+0x72/0xc0
  kfree+0x88/0x190
  i915_ppgtt_release+0x24e/0x460
  i915_gem_context_free+0x90/0x480
  contexts_free_worker+0x54/0x80
  process_one_work+0x876/0x14e0
  worker_thread+0x1b8/0xfd0
  kthread+0x2f8/0x3c0
  ret_from_fork+0x35/0x40

 The buggy address belongs to the object at ffff8881368a8000
  which belongs to the cache kmalloc-8192 of size 8192
 The buggy address is located 872 bytes inside of
  8192-byte region [ffff8881368a8000, ffff8881368aa000)
 The buggy address belongs to the page:
 page:ffffea0004da2a00 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
 flags: 0x200000000008100(slab|head)
 raw: 0200000000008100 0000000000000000 0000000000000000 0000000100030003
 raw: dead000000000100 dead000000000200 ffff88822a002280 0000000000000000
 page dumped because: kasan: bad access detected

 Memory state around the buggy address:
  ffff8881368a8200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
  ffff8881368a8280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 >ffff8881368a8300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                           ^
  ffff8881368a8380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
  ffff8881368a8400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ==================================================================

Fixes: 1acfc104cdf8 ("drm/i915: Enable rcu-only context lookups")
Reported-by: 罗权 <luoquan@qianxin.com>
Cc: Chris Wilson <chris@chris-wilson.co.uk>
Cc: Jon Bloomfield <jon.bloomfield@intel.com>
Cc: stable@vger.kernel.org # 4.14.x
Cc: stable@vger.kernel.org # 4.19.x
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
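A small user-space model of the ordering this patch changes, added here as an example; it is not code from the patch or from the i915 driver. It contrasts the old lookup-then-lock sequence with the patched lock-then-lookup one for two destroy ioctls racing on the same context id. The interleaving is an assumption (the changelog does not spell it out), and `table`, `mutex_held` and `freed` are stand-ins for `file_priv->context_idr`, `dev->struct_mutex` and KASAN's poisoning of freed memory.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdlib.h>

struct ctx { int refs; bool freed; };   /* kref-style count; freed stands in for KASAN's poison */
static struct ctx *table[4];            /* stands in for file_priv->context_idr */
static bool mutex_held, uaf_detected;   /* dev->struct_mutex; set on a touch after the free */

static void lock(void)   { if (mutex_held) abort(); mutex_held = true; }
static void unlock(void) { if (!mutex_held) abort(); mutex_held = false; }

static struct ctx *ctx_create(int id)   /* refs == 1 is the table's own reference */
{ struct ctx *c = calloc(1, sizeof(*c)); c->refs = 1; return table[id] = c; }

static struct ctx *ctx_lookup(int id)   /* idr lookup plus kref_get_unless_zero() */
{ struct ctx *c = table[id]; if (c && c->refs > 0) c->refs++; return c; }

static void ctx_put(struct ctx *c)
{
    if (c->freed) { uaf_detected = true; return; }  /* the kind of access KASAN reported */
    if (--c->refs == 0) c->freed = true;            /* kfree() would happen here */
}

/* Models __destroy_hw_context(): caller must hold the lock; unlinks the id, drops its ref. */
static void destroy_hw_context(struct ctx *c, int id)
{ if (!mutex_held) abort(); table[id] = NULL; ctx_put(c); }

/* Old ordering: lookup, then lock. Two destroy ioctls for one id interleave so
 * both lookups succeed before either takes the lock; the second caller then
 * tears down a context whose last reference is already gone. True on UAF. */
static bool race_with_old_ordering(int id)
{
    struct ctx *c = ctx_create(id);
    struct ctx *a = ctx_lookup(id), *b = ctx_lookup(id);      /* unlocked, both succeed */
    lock(); destroy_hw_context(a, id); unlock(); ctx_put(a);  /* caller A */
    lock(); destroy_hw_context(b, id); unlock(); ctx_put(b);  /* caller B: double teardown */
    bool bad = uaf_detected;
    uaf_detected = false; free(c);
    return bad;
}

/* Patched ordering: the lookup sits inside the critical section, as in the hunk,
 * so a second caller finds the id already unlinked and gets -ENOENT instead. */
static int destroy_fixed(int id)
{
    lock();
    struct ctx *c = ctx_lookup(id);
    if (!c) { unlock(); return -ENOENT; }
    destroy_hw_context(c, id);
    unlock();
    ctx_put(c);
    return 0;
}
```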

---
 drivers/gpu/drm/i915/i915_gem_context.c |   13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

--- a/drivers/gpu/drm/i915/i915_gem_context.c
+++ b/drivers/gpu/drm/i915/i915_gem_context.c
@@ -770,18 +770,19 @@ int i915_gem_context_destroy_ioctl(struc
 	if (args->ctx_id == DEFAULT_CONTEXT_HANDLE)
 		return -ENOENT;
 
+	ret = i915_mutex_lock_interruptible(dev);
+	if (ret)
+		return ret;
+
 	ctx = i915_gem_context_lookup(file_priv, args->ctx_id);
-	if (!ctx)
+	if (!ctx) {
+		mutex_unlock(&dev->struct_mutex);
 		return -ENOENT;
-
-	ret = mutex_lock_interruptible(&dev->struct_mutex);
-	if (ret)
-		goto out;
+	}
 
 	__destroy_hw_context(ctx, file_priv);
 	mutex_unlock(&dev->struct_mutex);
 
-out:
 	i915_gem_context_put(ctx);
 	return 0;
 }
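Review bot: the lock-failure path now returns `ret` to the caller, whereas the removed `goto out` path fell through to `i915_gem_context_put(ctx); return 0;` and so reported an interrupted lock acquisition as success; that is a user-visible change and deserves a sentence in the changelog. On the same hunk, the lock is now taken through `i915_mutex_lock_interruptible(dev)` while the removed code called `mutex_lock_interruptible(&dev->struct_mutex)` directly, and the new `!ctx` path unlocks `&dev->struct_mutex` by name, so the patch relies on the wrapper acquiring exactly that mutex and nothing else that would need undoing on the error path; either say why the wrapper was chosen or keep the plain `mutex_lock_interruptible()` for symmetry with the unlock.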


