Lyude Paul
2021-Mar-26 22:00 UTC
[Nouveau] [PATCH v2 0/3] drm/nouveau: fix a use-after-free in postclose()
This patch series is:

Reviewed-by: Lyude Paul <lyude at redhat.com>

Btw - in the future if you need to send a respin of multiple patches, you need to send it as its own separate series instead of replying to the previous one (one-off respins can just be posted as replies though), otherwise patchwork won't pick it up

On Wed, 2020-11-25 at 15:26 -0500, Jeremy Cline wrote:
> This series fixes a number of use-after-frees in nouveau's postclose()
> handler. It was discovered by pointing IGT's core_hotunplug tests at a
> nouveau device, but the steps to reproduce it are simple:
>
> 1. Open the device file
> 2. Unbind the driver or remove the device
> 3. Close the file opened in step 1.
>
> During the device removal, the nouveau_drm structure is de-allocated,
> but is dereferenced in the postclose() handler.
>
> One obvious solution is to ensure all the operations in the postclose()
> handler are valid by extending the lifetime of the nouveau_drm
> structure. This is possible with the new devm_drm_dev_alloc() interface,
> but the change is somewhat invasive so I thought it best to submit that
> work separately.
>
> Instead, we make use of the drm_dev_unplug() API, clean up all clients
> in the device removal call, and check to make sure the device has not
> been unplugged in the postclose() handler. While this does not enable
> hot-unplug support for nouveau, it's enough to avoid crashing the kernel
> and leads to all the core_hotunplug tests to pass.
>
> This series reroll addresses a missing mutex_destroy() call and a typo
> in a commit message.
>
> Jeremy Cline (3):
>   drm/nouveau: use drm_dev_unplug() during device removal
>   drm/nouveau: Add a dedicated mutex for the clients list
>   drm/nouveau: clean up all clients on device removal
>
>  drivers/gpu/drm/nouveau/nouveau_drm.c | 42 +++++++++++++++++++++++----
>  drivers/gpu/drm/nouveau/nouveau_drv.h |  5 ++++
>  2 files changed, 42 insertions(+), 5 deletions(-)
>

--
Sincerely,
Lyude Paul (she/her)
Software Engineer at Red Hat

Note: I deal with a lot of emails and have a lot of bugs on my plate. If you've asked me a question, are waiting for a review/merge on a patch, etc. and I haven't responded in a while, please feel free to send me another email to check on my status. I don't bite!
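The lifetime problem and the guard described in the quoted cover letter, as an added example that is not part of the thread or of the nouveau patches: a userspace C model in which `struct drv_state` stands in for nouveau_drm and `struct device` for the DRM device object that is still reachable while a file is open. The structs and all `model_*` names are hypothetical, and locking of the clients list is left out.

```c
/* Userspace model of the lifetimes in the cover letter (constructed, not nouveau code). */
#include <stdbool.h>
#include <stdlib.h>
struct client { struct client *next; };
struct drv_state { struct client *clients; };  /* plays nouveau_drm: freed on removal */
struct device { bool unplugged; struct drv_state *priv; };  /* plays drm_device */
struct outcome { int freed_by_remove, postclose_ran; };

static struct client *model_open(struct device *dev) {
    struct client *c = calloc(1, sizeof(*c));
    if (!c) abort();
    c->next = dev->priv->clients;
    return dev->priv->clients = c;
}
/* Removal: flag the device first, then free every client, then the driver state. */
static int model_remove(struct device *dev) {
    int freed = 0;
    dev->unplugged = true;  /* the fact drm_dev_unplug() records */
    for (struct client *c = dev->priv->clients, *n; c; c = n, freed++) {
        n = c->next;
        free(c);
    }
    free(dev->priv);
    dev->priv = NULL;
    return freed;
}
/* postclose: 1 if it tore the client down itself, 0 if removal already did. */
static int model_postclose(struct device *dev, struct client *c) {
    if (dev->unplugged)
        return 0;  /* c and dev->priv are already freed: touch neither */
    struct client **pp = &dev->priv->clients;
    while (*pp && *pp != c)
        pp = &(*pp)->next;
    if (*pp)
        *pp = c->next;
    free(c);
    return 1;
}
/* unbind_first=true is steps 1-3 of the reproducer; false is an ordinary close. */
static struct outcome model_scenario(bool unbind_first) {
    struct device dev = { false, calloc(1, sizeof(struct drv_state)) };
    struct outcome o = { 0, 0 };
    if (!dev.priv) abort();
    struct client *c = model_open(&dev);
    if (unbind_first) o.freed_by_remove = model_remove(&dev);
    o.postclose_ran = model_postclose(&dev, c);
    if (!unbind_first) o.freed_by_remove = model_remove(&dev);
    return o;
}
```

Without the `unplugged` test, `model_postclose()` in the unbind-first order would read `dev->priv` and free `c` a second time, which is the use-after-free the series addresses.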
Salvatore Bonaccorso
2021-Aug-16 07:03 UTC
[Nouveau] [PATCH v2 0/3] drm/nouveau: fix a use-after-free in postclose()
Hi,

On Fri, Mar 26, 2021 at 06:00:51PM -0400, Lyude Paul wrote:
> This patch series is:
>
> Reviewed-by: Lyude Paul <lyude at redhat.com>
>
> Btw - in the future if you need to send a respin of multiple patches, you need
> to send it as its own separate series instead of replying to the previous one
> (one-off respins can just be posted as replies though), otherwise patchwork
> won't pick it up

Did this patch series somehow fall through the cracks or get lost?

Regards,
Salvatore
Lyude Paul
2021-Aug-17 20:32 UTC
[Nouveau] [PATCH v2 0/3] drm/nouveau: fix a use-after-free in postclose()
It may have been, we're in the process of trying to change around how we currently accept nouveau patches to stop this from happening in the future.

Ben, whenever you get a moment can you take a look at this?

On Mon, 2021-08-16 at 09:03 +0200, Salvatore Bonaccorso wrote:
> Hi,
>
> On Fri, Mar 26, 2021 at 06:00:51PM -0400, Lyude Paul wrote:
> > This patch series is:
> >
> > Reviewed-by: Lyude Paul <lyude at redhat.com>
> >
> > Btw - in the future if you need to send a respin of multiple patches, you
> > need to send it as its own separate series instead of replying to the
> > previous one (one-off respins can just be posted as replies though),
> > otherwise patchwork won't pick it up
>
> Did this patch series somehow fall through the cracks or get lost?
>
> Regards,
> Salvatore
>

--
Cheers,
Lyude Paul (she/her)
Software Engineer at Red Hat