[PATCH v2 3/7] drm/amdgpu: Fix the use-after-free issue in wait IOCTL

Christian König ckoenig.leichtzumerken at gmail.com
Fri Dec 13 10:13:58 UTC 2024 

Am 12.12.24 um 15:25 schrieb Arunpravin Paneer Selvam:
> The xarray pointer which has the userqueue xarray structure
> reference should be cleared when the userqueue gets
> destroyed. Otherwise, we may access the freed xa memory and
> see the below warnings.
>
> warning 1:
> BUG: KASAN: slab-use-after-free in _raw_spin_lock+0x7a/0xe0
> [  +0.000044] Call Trace:
> [  +0.000017]  <TASK>
> [  +0.000016]  dump_stack_lvl+0x6c/0x90
> [  +0.000025]  print_report+0xc4/0x5e0
> [  +0.000025]  ? srso_return_thunk+0x5/0x5f
> [  +0.000024]  ? kasan_complete_mode_report_info+0x60/0x1d0
> [  +0.000030]  ? _raw_spin_lock+0x7a/0xe0
> [  +0.000023]  kasan_report+0xdf/0x120
> [  +0.000023]  ? _raw_spin_lock+0x7a/0xe0
> [  +0.000025]  kasan_check_range+0xf7/0x1b0
> [  +0.000025]  __kasan_check_write+0x14/0x20
> [  +0.000024]  _raw_spin_lock+0x7a/0xe0
> [  +0.000023]  ? __pfx__raw_spin_lock+0x10/0x10
> [  +0.000024]  ? amdgpu_userq_wait_ioctl+0xac0/0x1f30 [amdgpu]
> [  +0.000442]  amdgpu_userq_wait_ioctl+0x18fc/0x1f30 [amdgpu]
> [  +0.000428]  ? __pfx_amdgpu_userq_wait_ioctl+0x10/0x10 [amdgpu]
> [  +0.000424]  ? __pfx_idr_alloc_u32+0x10/0x10
> [  +0.000027]  ? srso_return_thunk+0x5/0x5f
> [  +0.000024]  ? __kasan_check_write+0x14/0x20
> [  +0.000025]  ? srso_return_thunk+0x5/0x5f
> [  +0.000024]  ? idr_alloc+0x72/0xc0
> [  +0.000023]  ? srso_return_thunk+0x5/0x5f
> [  +0.000023]  ? fput+0x1c/0x2f0
> [  +0.000025]  drm_ioctl_kernel+0x178/0x2f0 [drm]
> [  +0.000065]  ? __pfx_amdgpu_userq_wait_ioctl+0x10/0x10 [amdgpu]
> [  +0.000425]  ? __pfx_drm_ioctl_kernel+0x10/0x10 [drm]
> [  +0.000064]  ? srso_return_thunk+0x5/0x5f
> [  +0.000023]  ? __kasan_check_write+0x14/0x20
> [  +0.000025]  drm_ioctl+0x513/0xd20 [drm]
> [  +0.000058]  ? __pfx_amdgpu_userq_wait_ioctl+0x10/0x10 [amdgpu]
> [  +0.000428]  ? __pfx_drm_ioctl+0x10/0x10 [drm]
> [  +0.000061]  ? __pfx__raw_spin_lock_irqsave+0x10/0x10
> [  +0.000027]  ? __count_memcg_events+0x11f/0x3a0
> [  +0.000027]  ? srso_return_thunk+0x5/0x5f
> [  +0.001040]  ? srso_return_thunk+0x5/0x5f
> [  +0.000969]  ? _raw_spin_unlock_irqrestore+0x27/0x50
> [  +0.000966]  amdgpu_drm_ioctl+0xcd/0x1d0 [amdgpu]
> [  +0.001352]  __x64_sys_ioctl+0x135/0x1b0
> [  +0.000966]  x64_sys_call+0x1205/0x20d0
> [  +0.000968]  do_syscall_64+0x4d/0x120
> [  +0.000960]  entry_SYSCALL_64_after_hwframe+0x76/0x7e
> [  +0.000962] RIP: 0033:0x7f42af11a94f
>
> warning 2:
> WARNING: at lib/xarray.c:1849 __xa_alloc+0x13a/0x150
> [  366.491409] RIP: 0010:__xa_alloc+0x13a/0x150
> [  366.491434] Call Trace:
> [  366.491437]  <TASK>
> [  366.491440]  ? show_regs+0x6d/0x80
> [  366.491445]  ? __warn+0x91/0x140
> [  366.491450]  ? __xa_alloc+0x13a/0x150
> [  366.491453]  ? report_bug+0x1c9/0x1e0
> [  366.491459]  ? handle_bug+0x63/0xa0
> [  366.491463]  ? exc_invalid_op+0x1d/0x80
> [  366.491467]  ? asm_exc_invalid_op+0x1f/0x30
> [  366.491476]  ? __xa_alloc+0x13a/0x150
> [  366.491484]  amdgpu_userq_wait_ioctl+0xe0e/0xfe0 [amdgpu]
> [  366.491743]  ? idr_alloc_u32+0x97/0xd0
> [  366.491749]  ? __pfx_amdgpu_userq_wait_ioctl+0x10/0x10 [amdgpu]
> [  366.491912]  drm_ioctl_kernel+0xae/0x100 [drm]
> [  366.491942]  drm_ioctl+0x2a1/0x500 [drm]
> [  366.491961]  ? __pfx_amdgpu_userq_wait_ioctl+0x10/0x10 [amdgpu]
> [  366.492127]  ? srso_return_thunk+0x5/0x5f
> [  366.492132]  ? srso_return_thunk+0x5/0x5f
> [  366.492135]  ? _raw_spin_unlock_irqrestore+0x2b/0x50
> [  366.492139]  amdgpu_drm_ioctl+0x4f/0x90 [amdgpu]
> [  366.492288]  __x64_sys_ioctl+0x99/0xd0
> [  366.492295]  x64_sys_call+0x1209/0x20d0
> [  366.492299]  do_syscall_64+0x51/0x120
> [  366.492303]  entry_SYSCALL_64_after_hwframe+0x76/0x7e
> [  366.492418] RIP: 0033:0x7f86f3b1a94f
>
> Signed-off-by: Arunpravin Paneer Selvam <Arunpravin.PaneerSelvam at amd.com>

Acked-by: Christian König <christian.koenig at amd.com>

> ---
>   drivers/gpu/drm/amd/amdgpu/amdgpu_userqueue.c | 1 +
>   1 file changed, 1 insertion(+)
>
> diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_userqueue.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_userqueue.c
> index cba51bdf2e2c..311d536a7079 100644
> --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_userqueue.c
> +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_userqueue.c
> @@ -73,6 +73,7 @@ amdgpu_userqueue_cleanup(struct amdgpu_userq_mgr *uq_mgr,
>   	}
>   
>   	uq_funcs->mqd_destroy(uq_mgr, queue);
> +	queue->fence_drv->fence_drv_xa_ptr = NULL;
>   	amdgpu_userq_fence_driver_free(queue);
>   	idr_remove(&uq_mgr->userq_idr, queue_id);
>   	kfree(queue);

More information about the amd-gfx mailing list