drm: use atomic helper function to get crtc_state of crtc

Message ID	1529419531-24044-1-git-send-email-mikita.lipski@amd.com (mailing list archive)
State	New, archived
Headers	show Return-Path: <dri-devel-bounces@lists.freedesktop.org> Received-SPF: None (protection.outlook.com: amd.com does not designate permitted sender hosts) From: <mikita.lipski@amd.com> To: <boris.brezillon@free-electrons.com>, <daniel.vetter@ffwll.ch>, <dri-devel@lists.freedesktop.org> Subject: [PATCH] drm: use atomic helper function to get crtc_state of crtc Date: Tue, 19 Jun 2018 10:45:31 -0400 Message-ID: <1529419531-24044-1-git-send-email-mikita.lipski@amd.com> MIME-Version: 1.0 SpamDiagnosticOutput: 1:99 SpamDiagnosticMetadata: NSPM X-Microsoft-Exchange-Diagnostics: 1; MWHPR12MB1200; 7:elxM4UBCQ5OrAM72iSe163huG5s3WDHP+34O2xcOg0irW3jzA9rv8qXss16OAiF67V4wS8N7HnIH5JAW/7a0uwAbJ2KvyndBYvmXiamr9RATx4hgzMZScsm67pFgVKe1hdDmm4f5PKxO3ZEpMaMYa55tUuCR+xBtpyjqTmw25qzAqpqvvQ6YfUWvh5CGB0bJ3JQpYsWTMZSlSl84FQNt2cq1WKIC1gc2wqJEpIrdAH4uBoJAvl4/h3zArBvQObmG; 20:wdUqoTOQEShcYzWmX6GmzBPJYiGXH+dqPc/fjd4KBo//Q5mfvgcMDR5T5kYYtnerkEMRQiohsU8K2EkrS3Jl7rWAL1Nf4D0B2M4rUjUPTH8Cf83LMs8OdybFgT9dZboAvkUOYqPrEH1A3k6Id4lNhVQ0WkI99//T39bjOuiKJcSZ9uoxHGHtJ3IORcBiie+3yzRjhxiMukS8dwUaIGl4yR33+w6EEXOBW5VsFNrcYo40O9Ai409F6r0oenwKNpVB Precedence: list Cc: alexander.deucher@amd.com, Mikita Lipski <mikita.lipski@amd.com> Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 Errors-To: dri-devel-bounces@lists.freedesktop.org Sender: "dri-devel" <dri-devel-bounces@lists.freedesktop.org>

Message ID

1529419531-24044-1-git-send-email-mikita.lipski@amd.com (mailing list archive)

State

New, archived

Headers

Received-SPF: None (protection.outlook.com: amd.com does not designate
	permitted sender hosts)
From: <mikita.lipski@amd.com>
To: <boris.brezillon@free-electrons.com>, <daniel.vetter@ffwll.ch>,
	<dri-devel@lists.freedesktop.org>
Subject: [PATCH] drm: use atomic helper function to get crtc_state of crtc
Date: Tue, 19 Jun 2018 10:45:31 -0400
Message-ID: <1529419531-24044-1-git-send-email-mikita.lipski@amd.com>
MIME-Version: 1.0
SpamDiagnosticOutput: 1:99
SpamDiagnosticMetadata: NSPM
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 19 Jun 2018 14:46:00.0175
	(UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 8855a625-c8a5-454f-0823-08d5d5f35fcc
X-MS-Exchange-CrossTenant-Id: 3dd8961f-e488-4e60-8e11-a82d994e183d
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=3dd8961f-e488-4e60-8e11-a82d994e183d;
	Ip=[165.204.84.17]; 
	Helo=[SATLEXCHOV01.amd.com]
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MWHPR12MB1200
X-BeenThere: dri-devel@lists.freedesktop.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: Direct Rendering Infrastructure - Development
	<dri-devel.lists.freedesktop.org>
List-Unsubscribe: <https://lists.freedesktop.org/mailman/options/dri-devel>, 
	<mailto:dri-devel-request@lists.freedesktop.org?subject=unsubscribe>
List-Archive: <https://lists.freedesktop.org/archives/dri-devel>
List-Post: <mailto:dri-devel@lists.freedesktop.org>
List-Help: <mailto:dri-devel-request@lists.freedesktop.org?subject=help>
List-Subscribe: <https://lists.freedesktop.org/mailman/listinfo/dri-devel>, 
	<mailto:dri-devel-request@lists.freedesktop.org?subject=subscribe>
Cc: alexander.deucher@amd.com, Mikita Lipski <mikita.lipski@amd.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
Errors-To: dri-devel-bounces@lists.freedesktop.org
Sender: "dri-devel" <dri-devel-bounces@lists.freedesktop.org>
X-Virus-Scanned: ClamAV using ClamSMTP

Commit Message

Lipski, Mikita June 19, 2018, 2:45 p.m. UTC

From: Mikita Lipski <mikita.lipski@amd.com>

Use drm_atomic_get_crtc_state to get the crtc state in case
it has been previously freed, that might prevent use-after-free issue.

This patch fixes the bugzilla bug:
Bug 199425 - BUG: KASAN: use-after-free in drm_atomic_helper_wait_for_flip_done+0x247/0x260

Signed-off-by: Mikita Lipski <mikita.lipski@amd.com>
---
 drivers/gpu/drm/drm_atomic_helper.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

Comments

Michel Dänzer June 19, 2018, 2:58 p.m. UTC | #1

Hi Mikita,

thanks for sending this out. I have to defer review of the actual change
to others more familiar with this code, but I have some feedback for the
commit log.

On 2018-06-19 04:45 PM, mikita.lipski@amd.com wrote:
> From: Mikita Lipski <mikita.lipski@amd.com>
> 
> Use drm_atomic_get_crtc_state to get the crtc state in case
> it has been previously freed, that might prevent use-after-free issue.
> 
> This patch fixes the bugzilla bug:
> Bug 199425 - BUG: KASAN: use-after-free in drm_atomic_helper_wait_for_flip_done+0x247/0x260

Bug reports are referenced like this:

Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=199425

Also, as the issue exists since at least 4.17, this should have

Cc: stable@vger.kernel.org

in order for the fix to be backported to stable branches.

Daniel Vetter June 19, 2018, 3:27 p.m. UTC | #2

On Tue, Jun 19, 2018 at 10:45:31AM -0400, mikita.lipski@amd.com wrote:
> From: Mikita Lipski <mikita.lipski@amd.com>
> 
> Use drm_atomic_get_crtc_state to get the crtc state in case
> it has been previously freed, that might prevent use-after-free issue.
> 
> This patch fixes the bugzilla bug:
> Bug 199425 - BUG: KASAN: use-after-free in drm_atomic_helper_wait_for_flip_done+0x247/0x260
> 
> Signed-off-by: Mikita Lipski <mikita.lipski@amd.com>
> ---
>  drivers/gpu/drm/drm_atomic_helper.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/gpu/drm/drm_atomic_helper.c b/drivers/gpu/drm/drm_atomic_helper.c
> index e8c2493..e083f85 100644
> --- a/drivers/gpu/drm/drm_atomic_helper.c
> +++ b/drivers/gpu/drm/drm_atomic_helper.c
> @@ -1276,9 +1276,11 @@ void drm_atomic_helper_wait_for_flip_done(struct drm_device *dev,
>  	int i;
>  
>  	for_each_new_crtc_in_state(old_state, crtc, new_crtc_state, i) {
> -		struct drm_crtc_commit *commit = new_crtc_state->commit;
> +		struct drm_crtc_commit *commit;
>  		int ret;
>  
> +		new_crtc_state = drm_atomic_get_crtc_state(old_state, crtc);
> +		commit = new_crtc_state->commit;

Uh no. wait_for_flip done is supposed to be called from the
->atomic_commit hook, and duplicating state objects (as is done by the
various get_foo_state functions) is only allowed from the ->atomic_check
hook. What that blows up for you, this isn't the fix you're looking for.
Aside: get_foo_state can fail, the __must_check annotation should have
been a hint for that.

For starters it would be useful if you include the full details of what's
going boom in the amdgpu driver for you.
-Daniel
>  		if (!commit)
>  			continue;
>  
> -- 
> 2.7.4
>

Ville Syrjala June 19, 2018, 3:48 p.m. UTC | #3

On Tue, Jun 19, 2018 at 05:27:57PM +0200, Daniel Vetter wrote:
> On Tue, Jun 19, 2018 at 10:45:31AM -0400, mikita.lipski@amd.com wrote:
> > From: Mikita Lipski <mikita.lipski@amd.com>
> > 
> > Use drm_atomic_get_crtc_state to get the crtc state in case
> > it has been previously freed, that might prevent use-after-free issue.
> > 
> > This patch fixes the bugzilla bug:
> > Bug 199425 - BUG: KASAN: use-after-free in drm_atomic_helper_wait_for_flip_done+0x247/0x260
> > 
> > Signed-off-by: Mikita Lipski <mikita.lipski@amd.com>
> > ---
> >  drivers/gpu/drm/drm_atomic_helper.c | 4 +++-
> >  1 file changed, 3 insertions(+), 1 deletion(-)
> > 
> > diff --git a/drivers/gpu/drm/drm_atomic_helper.c b/drivers/gpu/drm/drm_atomic_helper.c
> > index e8c2493..e083f85 100644
> > --- a/drivers/gpu/drm/drm_atomic_helper.c
> > +++ b/drivers/gpu/drm/drm_atomic_helper.c
> > @@ -1276,9 +1276,11 @@ void drm_atomic_helper_wait_for_flip_done(struct drm_device *dev,
> >  	int i;
> >  
> >  	for_each_new_crtc_in_state(old_state, crtc, new_crtc_state, i) {
> > -		struct drm_crtc_commit *commit = new_crtc_state->commit;
> > +		struct drm_crtc_commit *commit;
> >  		int ret;
> >  
> > +		new_crtc_state = drm_atomic_get_crtc_state(old_state, crtc);
> > +		commit = new_crtc_state->commit;
> 
> Uh no. wait_for_flip done is supposed to be called from the
> ->atomic_commit hook, and duplicating state objects (as is done by the
> various get_foo_state functions) is only allowed from the ->atomic_check
> hook. What that blows up for you, this isn't the fix you're looking for.
> Aside: get_foo_state can fail, the __must_check annotation should have
> been a hint for that.
> 
> For starters it would be useful if you include the full details of what's
> going boom in the amdgpu driver for you.

From a quick glance at the bug report it looks like a cursor update
getting ahead of a page flip.

Actually I'm not even sure how this manages to work on i915. On i915
we allow the cursor update to go through as soon as hw_done is
completed. That would seem to mean that all the cleanup work
commit_tail does afterwards is at risk of using a freed plane state.
Well, maybe. The way this is all implemented doesn't really agree
with my brain so I can't be 100% sure.

Whacking a big sleep just after drm_atomic_helper_commit_hw_done()
should be able to confirm that I suppose.

diff --git a/drivers/gpu/drm/drm_atomic_helper.c b/drivers/gpu/drm/drm_atomic_helper.c
index e8c2493..e083f85 100644
--- a/drivers/gpu/drm/drm_atomic_helper.c
+++ b/drivers/gpu/drm/drm_atomic_helper.c
@@ -1276,9 +1276,11 @@  void drm_atomic_helper_wait_for_flip_done(struct drm_device *dev,
 	int i;
 
 	for_each_new_crtc_in_state(old_state, crtc, new_crtc_state, i) {
-		struct drm_crtc_commit *commit = new_crtc_state->commit;
+		struct drm_crtc_commit *commit;
 		int ret;
 
+		new_crtc_state = drm_atomic_get_crtc_state(old_state, crtc);
+		commit = new_crtc_state->commit;
 		if (!commit)
 			continue;

drm: use atomic helper function to get crtc_state of crtc

Commit Message

Comments

Patch