X-Patchwork-Id: 13034897
From: Matthew Auld
To: intel-gfx@lists.freedesktop.org
Cc: Nirmoy Das, Andrzej Hajda, Rodrigo Vivi
Date: Mon, 7 Nov 2022 16:54:13 +0000
Message-Id: <20221107165414.56970-1-matthew.auld@intel.com>
Subject: [Intel-gfx] [PATCH 1/2] drm/i915/ttm: fix uaf with lmem_userfault_list handling

In the fault handler, make sure we check if the BO maps lmem after we schedule the migration, since the current resource might change from lmem to smem, if the pages are in the non-cpu visible portion of lmem. This then leads to adding the object to the lmem_userfault_list even though the current resource is no longer lmem. If we then destroy the object, the list might still contain a link to the now free object, since we only remove it if the object is still in lmem.

Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/7469
Fixes: ad74457a6b5a ("drm/i915/dgfx: Release mmap on rpm suspend")
Signed-off-by: Matthew Auld
Cc: Anshuman Gupta
Cc: Rodrigo Vivi
Cc: Andrzej Hajda
Cc: Nirmoy Das
Reviewed-by: Andrzej Hajda
---
 drivers/gpu/drm/i915/gem/i915_gem_ttm.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/gpu/drm/i915/gem/i915_gem_ttm.c b/drivers/gpu/drm/i915/gem/i915_gem_ttm.c
index 25129af70f70..9421dc4dc98f 100644
--- a/drivers/gpu/drm/i915/gem/i915_gem_ttm.c
+++ b/drivers/gpu/drm/i915/gem/i915_gem_ttm.c
@@ -1048,9 +1048,6 @@ static vm_fault_t vm_fault_ttm(struct vm_fault *vmf) return VM_FAULT_SIGBUS; } - if (i915_ttm_cpu_maps_iomem(bo->resource)) - wakeref = intel_runtime_pm_get(&to_i915(obj->base.dev)->runtime_pm); - if (!i915_ttm_resource_mappable(bo->resource)) { int err = -ENODEV; int i; 
@@ -1078,6 +1075,9 @@ static vm_fault_t vm_fault_ttm(struct vm_fault *vmf) } } + if (i915_ttm_cpu_maps_iomem(bo->resource)) + wakeref = intel_runtime_pm_get(&to_i915(obj->base.dev)->runtime_pm); + if (drm_dev_enter(dev, &idx)) { ret = ttm_bo_vm_fault_reserved(vmf, vmf->vma->vm_page_prot, TTM_BO_VM_NUM_PREFAULT);

X-Patchwork-Id: 13034898
From: Matthew Auld
To: intel-gfx@lists.freedesktop.org
Cc: Nirmoy Das, Andrzej Hajda, Rodrigo Vivi
Date: Mon, 7 Nov 2022 16:54:14 +0000
Message-Id: <20221107165414.56970-2-matthew.auld@intel.com>
In-Reply-To: <20221107165414.56970-1-matthew.auld@intel.com>
Subject: [Intel-gfx] [PATCH 2/2] drm/i915/ttm: add some sanity checks for lmem_userfault_list

Rather than getting some hard to debug uaf, add some warns to hopefully catch issues with userfault_count being non-zero when destroying the object. Also if we somehow add an object to lmem_userfault_list that somehow doesn't map lmem.

References: https://gitlab.freedesktop.org/drm/intel/-/issues/7469
Signed-off-by: Matthew Auld
Cc: Anshuman Gupta
Cc: Rodrigo Vivi
Cc: Andrzej Hajda
Cc: Nirmoy Das
Reviewed-by: Andrzej Hajda
---
 drivers/gpu/drm/i915/gem/i915_gem_ttm.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/gpu/drm/i915/gem/i915_gem_ttm.c b/drivers/gpu/drm/i915/gem/i915_gem_ttm.c
index 9421dc4dc98f..2c8b2d5ae903 100644
--- a/drivers/gpu/drm/i915/gem/i915_gem_ttm.c
+++ b/drivers/gpu/drm/i915/gem/i915_gem_ttm.c @@ -1098,6 +1098,8 @@ static vm_fault_t vm_fault_ttm(struct vm_fault *vmf) spin_lock(&to_i915(obj->base.dev)->runtime_pm.lmem_userfault_lock); list_add(&obj->userfault_link, &to_i915(obj->base.dev)->runtime_pm.lmem_userfault_list); spin_unlock(&to_i915(obj->base.dev)->runtime_pm.lmem_userfault_lock); + + GEM_WARN_ON(!i915_ttm_cpu_maps_iomem(bo->resource)); } if (wakeref & CONFIG_DRM_I915_USERFAULT_AUTOSUSPEND) @@ -1180,6 +1182,8 @@ static void i915_ttm_unmap_virtual(struct drm_i915_gem_object *obj) } } + GEM_WARN_ON(obj->userfault_count); + ttm_bo_unmap_virtual(i915_gem_to_ttm(obj)); if (wakeref)
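
Review bot: In [PATCH 1/2], hunk @@ -1048,9 +1048,6 @@, removing the intel_runtime_pm_get() here means the whole "if (!i915_ttm_resource_mappable(bo->resource))" block now runs before the fault handler holds its wakeref, and the commit message does not say whether that block relied on it. Please state in the commit message that the migration path does not need the wakeref taken by vm_fault_ttm(), or that it takes its own, so the reordering is justified on both sides and not only for the list handling.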
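
Review bot: In [PATCH 1/2], hunk @@ -1078,6 +1075,9 @@, the re-added "if (i915_ttm_cpu_maps_iomem(bo->resource))" carries no comment saying that it has to stay below the "!i915_ttm_resource_mappable(bo->resource)" block, so a later cleanup could hoist it back to where it was and reintroduce the stale list entry. A one-line comment above it, noting that bo->resource can change from lmem to smem during the migration and that the check must be made on the resource as it is afterwards, would record the ordering this fix depends on.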
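
Review bot: In [PATCH 2/2], hunk @@ -1098,6 +1098,8 @@, the GEM_WARN_ON(!i915_ttm_cpu_maps_iomem(bo->resource)) sits after list_add() and spin_unlock(), so by the time it fires the object is already linked on lmem_userfault_list, which is the state patch 1/2 describes as leading to the uaf. Consider evaluating the condition before taking lmem_userfault_lock and skipping the list_add() when it fails, so that the check prevents the stale link as well as reporting it.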
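
Review bot: In [PATCH 2/2], hunk @@ -1180,6 +1182,8 @@, GEM_WARN_ON(obj->userfault_count) only reports: ttm_bo_unmap_virtual() still runs and obj->userfault_link is left as it is, so a non-zero count at this point can still end in the dangling list entry the commit message wants to catch. The commit message also speaks of destroying the object while the check is placed in i915_ttm_unmap_virtual(); a short comment stating why the count must be zero here would help, and unlinking the object under lmem_userfault_lock when the warn fires would make the check defensive as well as diagnostic.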