[Intel-xe] [PATCH 1/3] drm/kunit: Avoid a driver uaf

Maxime Ripard mripard at kernel.org
Wed Sep 6 10:08:42 UTC 2023


On Tue, Sep 05, 2023 at 02:43:00PM +0200, Thomas Hellström wrote:
> Hi Maxime,
> 
> On 9/5/23 14:06, Maxime Ripard wrote:
> > On Tue, Sep 05, 2023 at 10:58:30AM +0200, Thomas Hellström wrote:
> > > When using __drm_kunit_helper_alloc_drm_device() the driver may be
> > > dereferenced by device-managed resources up until the device is
> > > freed, which is typically later than the kunit-managed resource code
> > > frees it.
> > I'd like to have a bit more context on how a driver can end up in that
> > situation?
> 
> I interpret the attached traces as follows.
> 
> INIT:
> 
> Code allocates a struct device as a kunit-managed resource.
> Code allocates a drm driver as a kunit-managed resource.
> Code allocates a drm device as a device-managed resource.
> 
> EXIT:
> 
> Kunit resource cleanup frees the drm driver
> Kunit resource cleanup frees the struct device, which starts a
> device-managed resource cleanup
> device-managed cleanup calls drm_dev_put()
> drm_dev_put() dereferences the (now freed) drm driver -> Boom.
> 
> It should be sufficient to enable KASAN and run the drm_exec_test kunit test
> to trigger this.

Ack. Can you put this into your commit log?

Thanks!
Maxime
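The INIT/EXIT sequence quoted above, as an added userland model that is not part of the patch, the thread, or the DRM kunit helpers. Both resource managers release their entries last-in, first-out, which is how the kunit resource API and devres behave. A released driver is only marked as freed (standing in for kfree()) so that the stale dereference in the drm_dev_put() path is counted deterministically rather than being undefined behaviour; in the kernel, KASAN is what turns that access into a report. The second scenario, which ties the driver to the device instead of to the test, is this example's own assumption about a fix, not a statement of what the posted patch does. All struct and function names here are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>

/* One entry in a LIFO resource list (kunit-managed or device-managed). */
struct res {
	void (*release)(void *data);
	void *data;
	struct res *next;
};

struct sim_driver {
	int freed;	/* set by the release callback; stands in for kfree() */
};

struct sim_device {
	struct res *devres;	/* device-managed resources, run when the device dies */
	int freed;
};

struct sim_drm_device {
	struct sim_driver *driver;	/* drm_dev_put() dereferences this */
};

/* Stale dereferences of a released driver; a KASAN report in the kernel. */
static int uaf_hits;

static void res_add(struct res **head, void (*release)(void *), void *data)
{
	struct res *r = malloc(sizeof(*r));

	if (!r)
		abort();
	r->release = release;
	r->data = data;
	r->next = *head;	/* push: the last registered entry is released first */
	*head = r;
}

static void res_release_all(struct res **head)
{
	while (*head) {
		struct res *r = *head;

		*head = r->next;
		r->release(r->data);
		free(r);
	}
}

static void driver_release(void *data)
{
	((struct sim_driver *)data)->freed = 1;
}

/* Model of the devm action that drops the last drm device reference. */
static void drm_dev_put_release(void *data)
{
	struct sim_drm_device *drm = data;

	if (drm->driver->freed)
		uaf_hits++;	/* the "Boom" from the thread */
	free(drm);
}

static void device_release(void *data)
{
	struct sim_device *dev = data;

	res_release_all(&dev->devres);	/* devm cleanup runs as the device is freed */
	dev->freed = 1;
}

/*
 * One test lifetime. driver_is_devm == 0 is the ordering from the thread:
 * device and driver kunit-managed, drm device device-managed. driver_is_devm
 * == 1 registers the driver with the device instead (this example's assumed
 * fix). Returns the number of stale driver dereferences observed.
 */
static int run_test_lifetime(int driver_is_devm)
{
	struct res *kunit_res = NULL;
	struct sim_device *dev = calloc(1, sizeof(*dev));
	struct sim_driver *drv = calloc(1, sizeof(*drv));
	struct sim_drm_device *drm = calloc(1, sizeof(*drm));
	int hits;

	if (!dev || !drv || !drm)
		abort();
	uaf_hits = 0;

	/* INIT */
	res_add(&kunit_res, device_release, dev);		/* kunit-managed struct device */
	if (driver_is_devm)
		res_add(&dev->devres, driver_release, drv);	/* device-managed driver */
	else
		res_add(&kunit_res, driver_release, drv);	/* kunit-managed driver */
	drm->driver = drv;
	res_add(&dev->devres, drm_dev_put_release, drm);	/* device-managed drm device */

	/* EXIT: kunit resource cleanup, LIFO */
	res_release_all(&kunit_res);

	hits = uaf_hits;
	free(drv);
	free(dev);
	return hits;
}

int main(void)
{
	printf("kunit-managed driver:  %d stale dereference(s)\n", run_test_lifetime(0));
	printf("device-managed driver: %d stale dereference(s)\n", run_test_lifetime(1));
	return 0;
}
```

With the driver kunit-managed, the LIFO order releases it before the device, so the device's devm cleanup reaches drm_dev_put_release() with a dead driver pointer. Registering the driver as a device-managed resource before the drm device puts its release after drm_dev_put_release() in the device's own LIFO list, so the driver outlives every devm user of it.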