diff mbox series

[v3,1/2] drm/tests: helpers: Avoid a driver uaf

Message ID 20230907135339.7971-2-thomas.hellstrom@linux.intel.com (mailing list archive)
State New, archived
Headers show
Series drm/tests: Fix for UAF and a test for drm_exec lock alloc tracking warning | expand

Commit Message

Thomas Hellstrom Sept. 7, 2023, 1:53 p.m. UTC
when using __drm_kunit_helper_alloc_drm_device() the driver may be
dereferenced by device-managed resources up until the device is
freed, which is typically later than the kunit-managed resource code
frees it. Fix this by simply make the driver device-managed as well.

In short, the sequence leading to the UAF is as follows:

INIT:
Code allocates a struct device as a kunit-managed resource.
Code allocates a drm driver as a kunit-managed resource.
Code allocates a drm device as a device-managed resource.

EXIT:
Kunit resource cleanup frees the drm driver
Kunit resource cleanup puts the struct device, which starts a
      device-managed resource cleanup
device-managed cleanup calls drm_dev_put()
drm_dev_put() dereferences the (now freed) drm driver -> Boom.

Related KASAN message:
[55272.551542] ==================================================================
[55272.551551] BUG: KASAN: slab-use-after-free in drm_dev_put.part.0+0xd4/0xe0 [drm]
[55272.551603] Read of size 8 at addr ffff888127502828 by task kunit_try_catch/10353

[55272.551612] CPU: 4 PID: 10353 Comm: kunit_try_catch Tainted: G     U           N 6.5.0-rc7+ #155
[55272.551620] Hardware name: ASUS System Product Name/PRIME B560M-A AC, BIOS 0403 01/26/2021
[55272.551626] Call Trace:
[55272.551629]  <TASK>
[55272.551633]  dump_stack_lvl+0x57/0x90
[55272.551639]  print_report+0xcf/0x630
[55272.551645]  ? _raw_spin_lock_irqsave+0x5f/0x70
[55272.551652]  ? drm_dev_put.part.0+0xd4/0xe0 [drm]
[55272.551694]  kasan_report+0xd7/0x110
[55272.551699]  ? drm_dev_put.part.0+0xd4/0xe0 [drm]
[55272.551742]  drm_dev_put.part.0+0xd4/0xe0 [drm]
[55272.551783]  devres_release_all+0x15d/0x1f0
[55272.551790]  ? __pfx_devres_release_all+0x10/0x10
[55272.551797]  device_unbind_cleanup+0x16/0x1a0
[55272.551802]  device_release_driver_internal+0x3e5/0x540
[55272.551808]  ? kobject_put+0x5d/0x4b0
[55272.551814]  bus_remove_device+0x1f1/0x3f0
[55272.551819]  device_del+0x342/0x910
[55272.551826]  ? __pfx_device_del+0x10/0x10
[55272.551830]  ? lock_release+0x339/0x5e0
[55272.551836]  ? kunit_remove_resource+0x128/0x290 [kunit]
[55272.551845]  ? __pfx_lock_release+0x10/0x10
[55272.551851]  platform_device_del.part.0+0x1f/0x1e0
[55272.551856]  ? _raw_spin_unlock_irqrestore+0x30/0x60
[55272.551863]  kunit_remove_resource+0x195/0x290 [kunit]
[55272.551871]  ? _raw_spin_unlock_irqrestore+0x30/0x60
[55272.551877]  kunit_cleanup+0x78/0x120 [kunit]
[55272.551885]  ? __kthread_parkme+0xc1/0x1f0
[55272.551891]  ? __pfx_kunit_try_run_case_cleanup+0x10/0x10 [kunit]
[55272.551900]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [kunit]
[55272.551909]  kunit_generic_run_threadfn_adapter+0x4a/0x90 [kunit]
[55272.551919]  kthread+0x2e7/0x3c0
[55272.551924]  ? __pfx_kthread+0x10/0x10
[55272.551929]  ret_from_fork+0x2d/0x70
[55272.551935]  ? __pfx_kthread+0x10/0x10
[55272.551940]  ret_from_fork_asm+0x1b/0x30
[55272.551948]  </TASK>

[55272.551953] Allocated by task 10351:
[55272.551956]  kasan_save_stack+0x1c/0x40
[55272.551962]  kasan_set_track+0x21/0x30
[55272.551966]  __kasan_kmalloc+0x8b/0x90
[55272.551970]  __kmalloc+0x5e/0x160
[55272.551976]  kunit_kmalloc_array+0x1c/0x50 [kunit]
[55272.551984]  drm_exec_test_init+0xfa/0x2c0 [drm_exec_test]
[55272.551991]  kunit_try_run_case+0xdd/0x250 [kunit]
[55272.551999]  kunit_generic_run_threadfn_adapter+0x4a/0x90 [kunit]
[55272.552008]  kthread+0x2e7/0x3c0
[55272.552012]  ret_from_fork+0x2d/0x70
[55272.552017]  ret_from_fork_asm+0x1b/0x30

[55272.552024] Freed by task 10353:
[55272.552027]  kasan_save_stack+0x1c/0x40
[55272.552032]  kasan_set_track+0x21/0x30
[55272.552036]  kasan_save_free_info+0x27/0x40
[55272.552041]  __kasan_slab_free+0x106/0x180
[55272.552046]  slab_free_freelist_hook+0xb3/0x160
[55272.552051]  __kmem_cache_free+0xb2/0x290
[55272.552056]  kunit_remove_resource+0x195/0x290 [kunit]
[55272.552064]  kunit_cleanup+0x78/0x120 [kunit]
[55272.552072]  kunit_generic_run_threadfn_adapter+0x4a/0x90 [kunit]
[55272.552080]  kthread+0x2e7/0x3c0
[55272.552085]  ret_from_fork+0x2d/0x70
[55272.552089]  ret_from_fork_asm+0x1b/0x30

[55272.552096] The buggy address belongs to the object at ffff888127502800
                which belongs to the cache kmalloc-512 of size 512
[55272.552105] The buggy address is located 40 bytes inside of
                freed 512-byte region [ffff888127502800, ffff888127502a00)

[55272.552115] The buggy address belongs to the physical page:
[55272.552119] page:00000000af6c70ff refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x127500
[55272.552127] head:00000000af6c70ff order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[55272.552133] anon flags: 0x17ffffc0010200(slab|head|node=0|zone=2|lastcpupid=0x1fffff)
[55272.552141] page_type: 0xffffffff()
[55272.552145] raw: 0017ffffc0010200 ffff888100042c80 0000000000000000 dead000000000001
[55272.552152] raw: 0000000000000000 0000000080200020 00000001ffffffff 0000000000000000
[55272.552157] page dumped because: kasan: bad access detected

[55272.552163] Memory state around the buggy address:
[55272.552167]  ffff888127502700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[55272.552173]  ffff888127502780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[55272.552178] >ffff888127502800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[55272.552184]                                   ^
[55272.552187]  ffff888127502880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[55272.552193]  ffff888127502900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[55272.552198] ==================================================================
[55272.552203] Disabling lock debugging due to kernel taint

v2:
- Update commit message, add Fixes: tag and Cc stable.
v3:
- Further commit message updates (Maxime Ripard).

Cc: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
Cc: Maxime Ripard <mripard@kernel.org>
Cc: Thomas Zimmermann <tzimmermann@suse.de>
Cc: David Airlie <airlied@gmail.com>
Cc: Daniel Vetter <daniel@ffwll.ch>
Cc: dri-devel@lists.freedesktop.org
Cc: <stable@vger.kernel.org> # v6.3+
Fixes: d98780310719 ("drm/tests: helpers: Allow to pass a custom drm_driver")
Signed-off-by: Thomas Hellström <thomas.hellstrom@linux.intel.com>
---
 include/drm/drm_kunit_helpers.h | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

Comments

Maxime Ripard Sept. 7, 2023, 2:50 p.m. UTC | #1
On Thu, 7 Sep 2023 15:53:38 +0200, Thomas Hellström wrote:
> when using __drm_kunit_helper_alloc_drm_device() the driver may be
> dereferenced by device-managed resources up until the device is
> freed, which is typically later than the kunit-managed resource code
> frees it. Fix this by simply make the driver device-managed as well.
> 
> 
> [ ... ]

Acked-by: Maxime Ripard <mripard@kernel.org>

Thanks!
Maxime
Francois Dugast Sept. 11, 2023, 12:40 p.m. UTC | #2
On Thu, Sep 07, 2023 at 03:53:38PM +0200, Thomas Hellström wrote:
> when using __drm_kunit_helper_alloc_drm_device() the driver may be
> dereferenced by device-managed resources up until the device is
> freed, which is typically later than the kunit-managed resource code
> frees it. Fix this by simply make the driver device-managed as well.
> 
> In short, the sequence leading to the UAF is as follows:
> 
> INIT:
> Code allocates a struct device as a kunit-managed resource.
> Code allocates a drm driver as a kunit-managed resource.
> Code allocates a drm device as a device-managed resource.
> 
> EXIT:
> Kunit resource cleanup frees the drm driver
> Kunit resource cleanup puts the struct device, which starts a
>       device-managed resource cleanup
> device-managed cleanup calls drm_dev_put()
> drm_dev_put() dereferences the (now freed) drm driver -> Boom.
> 
> Related KASAN message:
> [55272.551542] ==================================================================
> [55272.551551] BUG: KASAN: slab-use-after-free in drm_dev_put.part.0+0xd4/0xe0 [drm]
> [55272.551603] Read of size 8 at addr ffff888127502828 by task kunit_try_catch/10353
> 
> [55272.551612] CPU: 4 PID: 10353 Comm: kunit_try_catch Tainted: G     U           N 6.5.0-rc7+ #155
> [55272.551620] Hardware name: ASUS System Product Name/PRIME B560M-A AC, BIOS 0403 01/26/2021
> [55272.551626] Call Trace:
> [55272.551629]  <TASK>
> [55272.551633]  dump_stack_lvl+0x57/0x90
> [55272.551639]  print_report+0xcf/0x630
> [55272.551645]  ? _raw_spin_lock_irqsave+0x5f/0x70
> [55272.551652]  ? drm_dev_put.part.0+0xd4/0xe0 [drm]
> [55272.551694]  kasan_report+0xd7/0x110
> [55272.551699]  ? drm_dev_put.part.0+0xd4/0xe0 [drm]
> [55272.551742]  drm_dev_put.part.0+0xd4/0xe0 [drm]
> [55272.551783]  devres_release_all+0x15d/0x1f0
> [55272.551790]  ? __pfx_devres_release_all+0x10/0x10
> [55272.551797]  device_unbind_cleanup+0x16/0x1a0
> [55272.551802]  device_release_driver_internal+0x3e5/0x540
> [55272.551808]  ? kobject_put+0x5d/0x4b0
> [55272.551814]  bus_remove_device+0x1f1/0x3f0
> [55272.551819]  device_del+0x342/0x910
> [55272.551826]  ? __pfx_device_del+0x10/0x10
> [55272.551830]  ? lock_release+0x339/0x5e0
> [55272.551836]  ? kunit_remove_resource+0x128/0x290 [kunit]
> [55272.551845]  ? __pfx_lock_release+0x10/0x10
> [55272.551851]  platform_device_del.part.0+0x1f/0x1e0
> [55272.551856]  ? _raw_spin_unlock_irqrestore+0x30/0x60
> [55272.551863]  kunit_remove_resource+0x195/0x290 [kunit]
> [55272.551871]  ? _raw_spin_unlock_irqrestore+0x30/0x60
> [55272.551877]  kunit_cleanup+0x78/0x120 [kunit]
> [55272.551885]  ? __kthread_parkme+0xc1/0x1f0
> [55272.551891]  ? __pfx_kunit_try_run_case_cleanup+0x10/0x10 [kunit]
> [55272.551900]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [kunit]
> [55272.551909]  kunit_generic_run_threadfn_adapter+0x4a/0x90 [kunit]
> [55272.551919]  kthread+0x2e7/0x3c0
> [55272.551924]  ? __pfx_kthread+0x10/0x10
> [55272.551929]  ret_from_fork+0x2d/0x70
> [55272.551935]  ? __pfx_kthread+0x10/0x10
> [55272.551940]  ret_from_fork_asm+0x1b/0x30
> [55272.551948]  </TASK>
> 
> [55272.551953] Allocated by task 10351:
> [55272.551956]  kasan_save_stack+0x1c/0x40
> [55272.551962]  kasan_set_track+0x21/0x30
> [55272.551966]  __kasan_kmalloc+0x8b/0x90
> [55272.551970]  __kmalloc+0x5e/0x160
> [55272.551976]  kunit_kmalloc_array+0x1c/0x50 [kunit]
> [55272.551984]  drm_exec_test_init+0xfa/0x2c0 [drm_exec_test]
> [55272.551991]  kunit_try_run_case+0xdd/0x250 [kunit]
> [55272.551999]  kunit_generic_run_threadfn_adapter+0x4a/0x90 [kunit]
> [55272.552008]  kthread+0x2e7/0x3c0
> [55272.552012]  ret_from_fork+0x2d/0x70
> [55272.552017]  ret_from_fork_asm+0x1b/0x30
> 
> [55272.552024] Freed by task 10353:
> [55272.552027]  kasan_save_stack+0x1c/0x40
> [55272.552032]  kasan_set_track+0x21/0x30
> [55272.552036]  kasan_save_free_info+0x27/0x40
> [55272.552041]  __kasan_slab_free+0x106/0x180
> [55272.552046]  slab_free_freelist_hook+0xb3/0x160
> [55272.552051]  __kmem_cache_free+0xb2/0x290
> [55272.552056]  kunit_remove_resource+0x195/0x290 [kunit]
> [55272.552064]  kunit_cleanup+0x78/0x120 [kunit]
> [55272.552072]  kunit_generic_run_threadfn_adapter+0x4a/0x90 [kunit]
> [55272.552080]  kthread+0x2e7/0x3c0
> [55272.552085]  ret_from_fork+0x2d/0x70
> [55272.552089]  ret_from_fork_asm+0x1b/0x30
> 
> [55272.552096] The buggy address belongs to the object at ffff888127502800
>                 which belongs to the cache kmalloc-512 of size 512
> [55272.552105] The buggy address is located 40 bytes inside of
>                 freed 512-byte region [ffff888127502800, ffff888127502a00)
> 
> [55272.552115] The buggy address belongs to the physical page:
> [55272.552119] page:00000000af6c70ff refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x127500
> [55272.552127] head:00000000af6c70ff order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
> [55272.552133] anon flags: 0x17ffffc0010200(slab|head|node=0|zone=2|lastcpupid=0x1fffff)
> [55272.552141] page_type: 0xffffffff()
> [55272.552145] raw: 0017ffffc0010200 ffff888100042c80 0000000000000000 dead000000000001
> [55272.552152] raw: 0000000000000000 0000000080200020 00000001ffffffff 0000000000000000
> [55272.552157] page dumped because: kasan: bad access detected
> 
> [55272.552163] Memory state around the buggy address:
> [55272.552167]  ffff888127502700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> [55272.552173]  ffff888127502780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> [55272.552178] >ffff888127502800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> [55272.552184]                                   ^
> [55272.552187]  ffff888127502880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> [55272.552193]  ffff888127502900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> [55272.552198] ==================================================================
> [55272.552203] Disabling lock debugging due to kernel taint
> 
> v2:
> - Update commit message, add Fixes: tag and Cc stable.
> v3:
> - Further commit message updates (Maxime Ripard).
> 
> Cc: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
> Cc: Maxime Ripard <mripard@kernel.org>
> Cc: Thomas Zimmermann <tzimmermann@suse.de>
> Cc: David Airlie <airlied@gmail.com>
> Cc: Daniel Vetter <daniel@ffwll.ch>
> Cc: dri-devel@lists.freedesktop.org
> Cc: <stable@vger.kernel.org> # v6.3+
> Fixes: d98780310719 ("drm/tests: helpers: Allow to pass a custom drm_driver")
> Signed-off-by: Thomas Hellström <thomas.hellstrom@linux.intel.com>

Reviewed-by: Francois Dugast <francois.dugast@intel.com>

> ---
>  include/drm/drm_kunit_helpers.h | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/include/drm/drm_kunit_helpers.h b/include/drm/drm_kunit_helpers.h
> index 514c8a7a32f0..ba483c87f0e7 100644
> --- a/include/drm/drm_kunit_helpers.h
> +++ b/include/drm/drm_kunit_helpers.h
> @@ -3,6 +3,8 @@
>  #ifndef DRM_KUNIT_HELPERS_H_
>  #define DRM_KUNIT_HELPERS_H_
>  
> +#include <linux/device.h>
> +
>  #include <kunit/test.h>
>  
>  struct drm_device;
> @@ -51,7 +53,7 @@ __drm_kunit_helper_alloc_drm_device(struct kunit *test,
>  {
>  	struct drm_driver *driver;
>  
> -	driver = kunit_kzalloc(test, sizeof(*driver), GFP_KERNEL);
> +	driver = devm_kzalloc(dev, sizeof(*driver), GFP_KERNEL);
>  	KUNIT_ASSERT_NOT_NULL(test, driver);
>  
>  	driver->driver_features = features;
> -- 
> 2.41.0
>
Thomas Hellstrom Sept. 11, 2023, 1:04 p.m. UTC | #3
On 9/11/23 14:40, Francois Dugast wrote:
> On Thu, Sep 07, 2023 at 03:53:38PM +0200, Thomas Hellström wrote:
>> when using __drm_kunit_helper_alloc_drm_device() the driver may be
>> dereferenced by device-managed resources up until the device is
>> freed, which is typically later than the kunit-managed resource code
>> frees it. Fix this by simply make the driver device-managed as well.
>>
>> In short, the sequence leading to the UAF is as follows:
>>
>> INIT:
>> Code allocates a struct device as a kunit-managed resource.
>> Code allocates a drm driver as a kunit-managed resource.
>> Code allocates a drm device as a device-managed resource.
>>
>> EXIT:
>> Kunit resource cleanup frees the drm driver
>> Kunit resource cleanup puts the struct device, which starts a
>>        device-managed resource cleanup
>> device-managed cleanup calls drm_dev_put()
>> drm_dev_put() dereferences the (now freed) drm driver -> Boom.
>>
>> Related KASAN message:
>> [55272.551542] ==================================================================
>> [55272.551551] BUG: KASAN: slab-use-after-free in drm_dev_put.part.0+0xd4/0xe0 [drm]
>> [55272.551603] Read of size 8 at addr ffff888127502828 by task kunit_try_catch/10353
>>
>> [55272.551612] CPU: 4 PID: 10353 Comm: kunit_try_catch Tainted: G     U           N 6.5.0-rc7+ #155
>> [55272.551620] Hardware name: ASUS System Product Name/PRIME B560M-A AC, BIOS 0403 01/26/2021
>> [55272.551626] Call Trace:
>> [55272.551629]  <TASK>
>> [55272.551633]  dump_stack_lvl+0x57/0x90
>> [55272.551639]  print_report+0xcf/0x630
>> [55272.551645]  ? _raw_spin_lock_irqsave+0x5f/0x70
>> [55272.551652]  ? drm_dev_put.part.0+0xd4/0xe0 [drm]
>> [55272.551694]  kasan_report+0xd7/0x110
>> [55272.551699]  ? drm_dev_put.part.0+0xd4/0xe0 [drm]
>> [55272.551742]  drm_dev_put.part.0+0xd4/0xe0 [drm]
>> [55272.551783]  devres_release_all+0x15d/0x1f0
>> [55272.551790]  ? __pfx_devres_release_all+0x10/0x10
>> [55272.551797]  device_unbind_cleanup+0x16/0x1a0
>> [55272.551802]  device_release_driver_internal+0x3e5/0x540
>> [55272.551808]  ? kobject_put+0x5d/0x4b0
>> [55272.551814]  bus_remove_device+0x1f1/0x3f0
>> [55272.551819]  device_del+0x342/0x910
>> [55272.551826]  ? __pfx_device_del+0x10/0x10
>> [55272.551830]  ? lock_release+0x339/0x5e0
>> [55272.551836]  ? kunit_remove_resource+0x128/0x290 [kunit]
>> [55272.551845]  ? __pfx_lock_release+0x10/0x10
>> [55272.551851]  platform_device_del.part.0+0x1f/0x1e0
>> [55272.551856]  ? _raw_spin_unlock_irqrestore+0x30/0x60
>> [55272.551863]  kunit_remove_resource+0x195/0x290 [kunit]
>> [55272.551871]  ? _raw_spin_unlock_irqrestore+0x30/0x60
>> [55272.551877]  kunit_cleanup+0x78/0x120 [kunit]
>> [55272.551885]  ? __kthread_parkme+0xc1/0x1f0
>> [55272.551891]  ? __pfx_kunit_try_run_case_cleanup+0x10/0x10 [kunit]
>> [55272.551900]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [kunit]
>> [55272.551909]  kunit_generic_run_threadfn_adapter+0x4a/0x90 [kunit]
>> [55272.551919]  kthread+0x2e7/0x3c0
>> [55272.551924]  ? __pfx_kthread+0x10/0x10
>> [55272.551929]  ret_from_fork+0x2d/0x70
>> [55272.551935]  ? __pfx_kthread+0x10/0x10
>> [55272.551940]  ret_from_fork_asm+0x1b/0x30
>> [55272.551948]  </TASK>
>>
>> [55272.551953] Allocated by task 10351:
>> [55272.551956]  kasan_save_stack+0x1c/0x40
>> [55272.551962]  kasan_set_track+0x21/0x30
>> [55272.551966]  __kasan_kmalloc+0x8b/0x90
>> [55272.551970]  __kmalloc+0x5e/0x160
>> [55272.551976]  kunit_kmalloc_array+0x1c/0x50 [kunit]
>> [55272.551984]  drm_exec_test_init+0xfa/0x2c0 [drm_exec_test]
>> [55272.551991]  kunit_try_run_case+0xdd/0x250 [kunit]
>> [55272.551999]  kunit_generic_run_threadfn_adapter+0x4a/0x90 [kunit]
>> [55272.552008]  kthread+0x2e7/0x3c0
>> [55272.552012]  ret_from_fork+0x2d/0x70
>> [55272.552017]  ret_from_fork_asm+0x1b/0x30
>>
>> [55272.552024] Freed by task 10353:
>> [55272.552027]  kasan_save_stack+0x1c/0x40
>> [55272.552032]  kasan_set_track+0x21/0x30
>> [55272.552036]  kasan_save_free_info+0x27/0x40
>> [55272.552041]  __kasan_slab_free+0x106/0x180
>> [55272.552046]  slab_free_freelist_hook+0xb3/0x160
>> [55272.552051]  __kmem_cache_free+0xb2/0x290
>> [55272.552056]  kunit_remove_resource+0x195/0x290 [kunit]
>> [55272.552064]  kunit_cleanup+0x78/0x120 [kunit]
>> [55272.552072]  kunit_generic_run_threadfn_adapter+0x4a/0x90 [kunit]
>> [55272.552080]  kthread+0x2e7/0x3c0
>> [55272.552085]  ret_from_fork+0x2d/0x70
>> [55272.552089]  ret_from_fork_asm+0x1b/0x30
>>
>> [55272.552096] The buggy address belongs to the object at ffff888127502800
>>                  which belongs to the cache kmalloc-512 of size 512
>> [55272.552105] The buggy address is located 40 bytes inside of
>>                  freed 512-byte region [ffff888127502800, ffff888127502a00)
>>
>> [55272.552115] The buggy address belongs to the physical page:
>> [55272.552119] page:00000000af6c70ff refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x127500
>> [55272.552127] head:00000000af6c70ff order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
>> [55272.552133] anon flags: 0x17ffffc0010200(slab|head|node=0|zone=2|lastcpupid=0x1fffff)
>> [55272.552141] page_type: 0xffffffff()
>> [55272.552145] raw: 0017ffffc0010200 ffff888100042c80 0000000000000000 dead000000000001
>> [55272.552152] raw: 0000000000000000 0000000080200020 00000001ffffffff 0000000000000000
>> [55272.552157] page dumped because: kasan: bad access detected
>>
>> [55272.552163] Memory state around the buggy address:
>> [55272.552167]  ffff888127502700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>> [55272.552173]  ffff888127502780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>> [55272.552178] >ffff888127502800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>> [55272.552184]                                   ^
>> [55272.552187]  ffff888127502880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>> [55272.552193]  ffff888127502900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>> [55272.552198] ==================================================================
>> [55272.552203] Disabling lock debugging due to kernel taint
>>
>> v2:
>> - Update commit message, add Fixes: tag and Cc stable.
>> v3:
>> - Further commit message updates (Maxime Ripard).
>>
>> Cc: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
>> Cc: Maxime Ripard <mripard@kernel.org>
>> Cc: Thomas Zimmermann <tzimmermann@suse.de>
>> Cc: David Airlie <airlied@gmail.com>
>> Cc: Daniel Vetter <daniel@ffwll.ch>
>> Cc: dri-devel@lists.freedesktop.org
>> Cc: <stable@vger.kernel.org> # v6.3+
>> Fixes: d98780310719 ("drm/tests: helpers: Allow to pass a custom drm_driver")
>> Signed-off-by: Thomas Hellström <thomas.hellstrom@linux.intel.com>
> Reviewed-by: Francois Dugast <francois.dugast@intel.com>

Thanks for the R-B, Francois.

/Thomas
Maxime Ripard Sept. 14, 2023, 11:59 a.m. UTC | #4
On Thu, 07 Sep 2023 15:53:38 +0200, Thomas Hellström wrote:
> when using __drm_kunit_helper_alloc_drm_device() the driver may be
> dereferenced by device-managed resources up until the device is
> freed, which is typically later than the kunit-managed resource code
> frees it. Fix this by simply make the driver device-managed as well.
> 
> In short, the sequence leading to the UAF is as follows:
> 
> [...]

Applied to drm/drm-misc (drm-misc-fixes).

Thanks!
Maxime
diff mbox series

Patch

diff --git a/include/drm/drm_kunit_helpers.h b/include/drm/drm_kunit_helpers.h
index 514c8a7a32f0..ba483c87f0e7 100644
--- a/include/drm/drm_kunit_helpers.h
+++ b/include/drm/drm_kunit_helpers.h
@@ -3,6 +3,8 @@ 
 #ifndef DRM_KUNIT_HELPERS_H_
 #define DRM_KUNIT_HELPERS_H_
 
+#include <linux/device.h>
+
 #include <kunit/test.h>
 
 struct drm_device;
@@ -51,7 +53,7 @@  __drm_kunit_helper_alloc_drm_device(struct kunit *test,
 {
 	struct drm_driver *driver;
 
-	driver = kunit_kzalloc(test, sizeof(*driver), GFP_KERNEL);
+	driver = devm_kzalloc(dev, sizeof(*driver), GFP_KERNEL);
 	KUNIT_ASSERT_NOT_NULL(test, driver);
 
 	driver->driver_features = features;