Jeremy Cline
2021-May-13 15:25 UTC
[Nouveau] [PATCH] nouveau/gem: fix use-after-free in nouveau_gem_new
On Tue, May 11, 2021 at 06:35:53PM +0200, Karol Herbst wrote:> If ttm_bo_init fails it will already call ttm_bo_put, so we don't have to > do it through nouveau_bo_ref. > > =================================================================> BUG: KFENCE: use-after-free write in ttm_bo_put+0x11/0x40 [ttm] > > Use-after-free write at 0x000000004dc4663c (in kfence-#44): > ttm_bo_put+0x11/0x40 [ttm] > nouveau_gem_new+0xc1/0xf0 [nouveau] > nouveau_gem_ioctl_new+0x53/0xf0 [nouveau] > drm_ioctl_kernel+0xb2/0x100 [drm] > drm_ioctl+0x215/0x390 [drm] > nouveau_drm_ioctl+0x55/0xa0 [nouveau] > __x64_sys_ioctl+0x83/0xb0 > do_syscall_64+0x33/0x40 > entry_SYSCALL_64_after_hwframe+0x44/0xae > > kfence-#44 [0x00000000c0593b31-0x000000002e74122b, size=792, cache=kmalloc-1k] allocated by task 2657: > nouveau_bo_alloc+0x63/0x4c0 [nouveau] > nouveau_gem_new+0x38/0xf0 [nouveau] > nouveau_gem_ioctl_new+0x53/0xf0 [nouveau] > drm_ioctl_kernel+0xb2/0x100 [drm] > drm_ioctl+0x215/0x390 [drm] > nouveau_drm_ioctl+0x55/0xa0 [nouveau] > __x64_sys_ioctl+0x83/0xb0 > do_syscall_64+0x33/0x40 > entry_SYSCALL_64_after_hwframe+0x44/0xae > > freed by task 2657: > ttm_bo_release+0x1cc/0x300 [ttm] > ttm_bo_init_reserved+0x2ec/0x300 [ttm] > ttm_bo_init+0x5e/0xd0 [ttm] > nouveau_bo_init+0xaf/0xc0 [nouveau] > nouveau_gem_new+0x7f/0xf0 [nouveau] > nouveau_gem_ioctl_new+0x53/0xf0 [nouveau] > drm_ioctl_kernel+0xb2/0x100 [drm] > drm_ioctl+0x215/0x390 [drm] > nouveau_drm_ioctl+0x55/0xa0 [nouveau] > __x64_sys_ioctl+0x83/0xb0 > do_syscall_64+0x33/0x40 > entry_SYSCALL_64_after_hwframe+0x44/0xae > > Fixes: 019cbd4a4feb3 "drm/nouveau: Initialize GEM object before TTM object" > Cc: Thierry Reding <treding at nvidia.com> > Signed-off-by: Karol Herbst <kherbst at redhat.com> > --- > drivers/gpu/drm/nouveau/nouveau_gem.c | 1 - > 1 file changed, 1 deletion(-) > > diff --git a/drivers/gpu/drm/nouveau/nouveau_gem.c b/drivers/gpu/drm/nouveau/nouveau_gem.c > index c88cbb85f101..1165ff990fb5 100644 
> --- a/drivers/gpu/drm/nouveau/nouveau_gem.c > +++ b/drivers/gpu/drm/nouveau/nouveau_gem.c > @@ -212,7 +212,6 @@ nouveau_gem_new(struct nouveau_cli *cli, u64 size, int align, uint32_t domain, > > ret = nouveau_bo_init(nvbo, size, align, domain, NULL, NULL); > if (ret) { > - nouveau_bo_ref(NULL, &nvbo); > return ret; > } >I submitted a patch for this in the beginning of December, it got reviewed and it's languished ever since[0]. It's frustrating that these issues have to get fixed multiple times by multiple developers because bug fixes (with reviews!) aren't being accepted. [0] https://lists.freedesktop.org/archives/nouveau/2020-December/037571.html Anyway, for whatever it's worth: Reviewed-by: Jeremy Cline <jcline at redhat.com>
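Review bot: Dropping `nouveau_bo_ref(NULL, &nvbo);` matches the KFENCE trace (kfence-#44 was already freed via ttm_bo_init_reserved -> ttm_bo_release before nouveau_gem_new called ttm_bo_put), but the commit message only argues the case where ttm_bo_init itself fails. Please state in the message whether nouveau_bo_init has any error return taken before it reaches ttm_bo_init; with the bare `return ret;` left in the hunk, such a path would now leak nvbo (whose GEM object is already initialised, per the Fixes: title) instead of double-putting it. Minor style point: with a single statement left in the body, `if (ret) { return ret; }` can lose its braces per kernel coding style.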
Karol Herbst
2021-May-13 17:37 UTC
[Nouveau] [PATCH] nouveau/gem: fix use-after-free in nouveau_gem_new
On Thu, May 13, 2021 at 5:25 PM Jeremy Cline <jcline at redhat.com> wrote:> > On Tue, May 11, 2021 at 06:35:53PM +0200, Karol Herbst wrote: > > If ttm_bo_init fails it will already call ttm_bo_put, so we don't have to > > do it through nouveau_bo_ref. > > > > =================================================================> > BUG: KFENCE: use-after-free write in ttm_bo_put+0x11/0x40 [ttm] > > > > Use-after-free write at 0x000000004dc4663c (in kfence-#44): > > ttm_bo_put+0x11/0x40 [ttm] > > nouveau_gem_new+0xc1/0xf0 [nouveau] > > nouveau_gem_ioctl_new+0x53/0xf0 [nouveau] > > drm_ioctl_kernel+0xb2/0x100 [drm] > > drm_ioctl+0x215/0x390 [drm] > > nouveau_drm_ioctl+0x55/0xa0 [nouveau] > > __x64_sys_ioctl+0x83/0xb0 > > do_syscall_64+0x33/0x40 > > entry_SYSCALL_64_after_hwframe+0x44/0xae > > > > kfence-#44 [0x00000000c0593b31-0x000000002e74122b, size=792, cache=kmalloc-1k] allocated by task 2657: > > nouveau_bo_alloc+0x63/0x4c0 [nouveau] > > nouveau_gem_new+0x38/0xf0 [nouveau] > > nouveau_gem_ioctl_new+0x53/0xf0 [nouveau] > > drm_ioctl_kernel+0xb2/0x100 [drm] > > drm_ioctl+0x215/0x390 [drm] > > nouveau_drm_ioctl+0x55/0xa0 [nouveau] > > __x64_sys_ioctl+0x83/0xb0 > > do_syscall_64+0x33/0x40 > > entry_SYSCALL_64_after_hwframe+0x44/0xae > > > > freed by task 2657: > > ttm_bo_release+0x1cc/0x300 [ttm] > > ttm_bo_init_reserved+0x2ec/0x300 [ttm] > > ttm_bo_init+0x5e/0xd0 [ttm] > > nouveau_bo_init+0xaf/0xc0 [nouveau] > > nouveau_gem_new+0x7f/0xf0 [nouveau] > > nouveau_gem_ioctl_new+0x53/0xf0 [nouveau] > > drm_ioctl_kernel+0xb2/0x100 [drm] > > drm_ioctl+0x215/0x390 [drm] > > nouveau_drm_ioctl+0x55/0xa0 [nouveau] > > __x64_sys_ioctl+0x83/0xb0 > > do_syscall_64+0x33/0x40 > > entry_SYSCALL_64_after_hwframe+0x44/0xae > > > > Fixes: 019cbd4a4feb3 "drm/nouveau: Initialize GEM object before TTM object" > > Cc: Thierry Reding <treding at nvidia.com> 
> > Signed-off-by: Karol Herbst <kherbst at redhat.com> > > --- > > drivers/gpu/drm/nouveau/nouveau_gem.c | 1 - > > 1 file changed, 1 deletion(-) > > > > diff --git a/drivers/gpu/drm/nouveau/nouveau_gem.c b/drivers/gpu/drm/nouveau/nouveau_gem.c > > index c88cbb85f101..1165ff990fb5 100644 > > --- a/drivers/gpu/drm/nouveau/nouveau_gem.c > > +++ b/drivers/gpu/drm/nouveau/nouveau_gem.c > > @@ -212,7 +212,6 @@ nouveau_gem_new(struct nouveau_cli *cli, u64 size, int align, uint32_t domain, > > > > ret = nouveau_bo_init(nvbo, size, align, domain, NULL, NULL); > > if (ret) { > > - nouveau_bo_ref(NULL, &nvbo); > > return ret; > > } > > > > I submitted a patch for this in the beginning of December, it got > reviewed and it's languished ever since[0]. It's frustrating that these > issues have to get fixed multiple times by multiple developers because > bug fixes (with reviews!) aren't being accepted. > > [0] https://lists.freedesktop.org/archives/nouveau/2020-December/037571.html > > Anyway, for whatever it's worth: > > Reviewed-by: Jeremy Cline <jcline at redhat.com> >oh indeed... as the patches are equivalent I'd say we should merge yours and add my Reviewed-by: Karol Herbst <kherbst at redhat.com> let's see if we can get it in this time *sigh*
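The ownership rule the commit message relies on (a failing ttm_bo_init puts the object itself, so the caller must not put it again) is easy to get wrong and is worth seeing in isolation. What follows is an added example written for this page, not nouveau or TTM code: a toy refcounted buffer object with the same init-consumes-the-reference contract, a caller shaped like nouveau_gem_new before and after the patch, and a constructed `freed` flag plus `uaf_events` counter standing in for what KFENCE reported. `bo_init`, `gem_new_buggy`, `gem_new_fixed`, `run_scenario` and the `max_size` limit are all assumptions made up for the illustration.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Added example, not nouveau/TTM code. The freed flag and uaf_events
 * counter are constructed stand-ins for a KFENCE report; no memory that
 * was returned to the allocator is ever touched. */
struct bo {
	int refcount;
	size_t size;
	bool freed;		/* set by bo_release instead of calling free() */
};

static int uaf_events;		/* puts that hit an already-freed object */

static struct bo *bo_alloc(size_t size)
{
	struct bo *b = calloc(1, sizeof(*b));

	if (!b)
		return NULL;
	b->refcount = 1;	/* caller owns this reference */
	b->size = size;
	return b;
}

static void bo_release(struct bo *b)
{
	b->freed = true;	/* kept allocated so the flag stays readable */
	b->refcount = 0;
}

/* Drop a reference. A put on a freed object is the write KFENCE flagged
 * in ttm_bo_put; here it is counted rather than performed. */
static void bo_put(struct bo *b)
{
	if (b->freed) {
		uaf_events++;
		return;
	}
	if (--b->refcount == 0)
		bo_release(b);
}

/* Same contract as ttm_bo_init in the thread: on failure the object has
 * already been put, so the caller's reference is gone. max_size is an
 * invented limit that gives us a failure path to exercise. */
static int bo_init(struct bo *b, size_t max_size)
{
	if (b->size > max_size) {
		bo_put(b);
		return -EINVAL;
	}
	return 0;
}

/* Pre-patch shape of nouveau_gem_new: a second put on the error path. */
static int gem_new_buggy(size_t size, size_t max_size, struct bo **out)
{
	struct bo *b = bo_alloc(size);
	int ret;

	if (!b)
		return -ENOMEM;
	ret = bo_init(b, max_size);
	if (ret) {
		bo_put(b);	/* double put: use-after-free */
		return ret;
	}
	*out = b;
	return 0;
}

/* Post-patch shape: a failed init already consumed the reference. */
static int gem_new_fixed(size_t size, size_t max_size, struct bo **out)
{
	struct bo *b = bo_alloc(size);
	int ret;

	if (!b)
		return -ENOMEM;
	ret = bo_init(b, max_size);
	if (ret)
		return ret;
	*out = b;
	return 0;
}

/* Run one allocation through a gem_new variant and return how many
 * use-after-free puts it produced; -1 if the return code was unexpected. */
static int run_scenario(int (*gem_new)(size_t, size_t, struct bo **),
			size_t size, size_t max_size, int expect_ret)
{
	struct bo *out = NULL;

	uaf_events = 0;
	if (gem_new(size, max_size, &out) != expect_ret)
		return -1;
	if (expect_ret == 0) {
		bo_put(out);	/* on success the caller owns the only ref */
		if (!out->freed)
			return -1;
		free(out);
	}
	return uaf_events;
}

int main(void)
{
	printf("buggy, init fails: %d uaf\n", run_scenario(gem_new_buggy, 4096, 1024, -EINVAL));
	printf("fixed, init fails: %d uaf\n", run_scenario(gem_new_fixed, 4096, 1024, -EINVAL));
	printf("fixed, init ok:    %d uaf\n", run_scenario(gem_new_fixed, 512, 1024, 0));
	return 0;
}
```

Running it reports one use-after-free put for the pre-patch caller and none for the post-patch one; the success case shows that the caller still owns, and must drop, the single reference when init succeeds. Objects that fail init are deliberately not handed back to the allocator so the flag stays readable, which is the one place the toy departs from the real driver.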