<div><div dir="ltr">Hi Vitaly,<br><br>No worries, thank you for working on the patches!<br><br>I have also confirmed that with the inflight patch, issue No.1 (use-after-free) seems to be resolved.<br>However, I have reproduced issue No.3 (slab-use-after-free) even with the patch for issue No.1 applied - if it's the first program tested after reboot.<br>(i.e., if any other bugs are tested before the slab-use-after-free, it does not reproduce).<br><br>Could you check if the bug reproduces in this condition for you too?<br>I will check and see why this is happening and update you if I have something new.<br><br>Thank you!<br><br>Best,<br>Joonkyo</div></div><div><div dir="ltr"><br><br><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Mar 8, 2024 at 12:45 PM vitaly prosyak <<a href="mailto:vprosyak@amd.com" target="_blank">vprosyak@amd.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><u></u>
<div>
<p>Hi Joonkyo,<br>
Sorry for the delay. <br>
Yes, sure, I reproduced issue 2 (null-ptr-deref in amdgpu) and I
will provide the fix soon.<br>
However, issue No. 3 is no longer reproducible if the recent
in-flight patch, which fixes issue No. 1, is applied.</p>
<p>Do you see the same behavior?<br>
</p>
<p>Thanks in advance, Vitaly<br>
</p>
<div>On 2024-03-07 20:18, Joonkyo Jung
wrote:<br>
</div>
<blockquote type="cite">
<div>
<div>
<div dir="auto" style="font-family:-apple-system,helveticaneue;font-size:15px;font-style:normal;font-weight:400;letter-spacing:normal;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none;background-color:rgba(0,0,0,0);border-color:rgb(0,0,0);color:rgb(0,0,0)">Hello, </div>
<div dir="auto" style="font-family:-apple-system,helveticaneue;font-size:15px;font-style:normal;font-weight:400;letter-spacing:normal;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none;background-color:rgba(0,0,0,0);border-color:rgb(0,0,0);color:rgb(0,0,0)">thank
you for patching the first bug we have sent!</div>
<div dir="auto" style="font-family:-apple-system,helveticaneue;font-size:15px;font-style:normal;font-weight:400;letter-spacing:normal;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none;background-color:rgba(0,0,0,0);border-color:rgb(0,0,0);color:rgb(0,0,0)"><br>
</div>
<div dir="auto" style="font-family:-apple-system,helveticaneue;font-size:15px;font-style:normal;font-weight:400;letter-spacing:normal;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none;background-color:rgba(0,0,0,0);border-color:rgb(0,0,0);color:rgb(0,0,0)">Just
a quick touch base with you, to ask if there has been any
update on our other two bugs.</div>
<div dir="auto" style="font-family:-apple-system,helveticaneue;font-size:15px;font-style:normal;font-weight:400;letter-spacing:normal;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none;background-color:rgba(0,0,0,0);border-color:rgb(0,0,0);color:rgb(0,0,0)">They
were each sent with emails titled </div>
<div dir="auto" style="font-family:-apple-system,helveticaneue;font-size:15px;font-style:normal;font-weight:400;letter-spacing:normal;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none;background-color:rgba(0,0,0,0);border-color:rgb(0,0,0);color:rgb(0,0,0)">"Reporting
a slab-use-after-free in amdgpu" (this one)</div>
<div dir="auto" style="font-family:-apple-system,helveticaneue;font-size:15px;font-style:normal;font-weight:400;letter-spacing:normal;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none;background-color:rgba(0,0,0,0);border-color:rgb(0,0,0);color:rgb(0,0,0)">"Reporting
a null-ptr-deref in amdgpu". </div>
<div dir="auto" style="font-family:-apple-system,helveticaneue;font-size:15px;font-style:normal;font-weight:400;letter-spacing:normal;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none;background-color:rgba(0,0,0,0);border-color:rgb(0,0,0);color:rgb(0,0,0)"><br>
</div>
<div dir="auto" style="font-family:-apple-system,helveticaneue;font-size:15px;font-style:normal;font-weight:400;letter-spacing:normal;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none;background-color:rgba(0,0,0,0);border-color:rgb(0,0,0);color:rgb(0,0,0)">Thank
you! </div>
<div dir="auto" style="font-family:-apple-system,helveticaneue;font-size:15px;font-style:normal;font-weight:400;letter-spacing:normal;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none;background-color:rgba(0,0,0,0);border-color:rgb(0,0,0);color:rgb(0,0,0)"><br>
</div>
<div dir="auto" style="font-family:-apple-system,helveticaneue;font-size:15px;font-style:normal;font-weight:400;letter-spacing:normal;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none;background-color:rgba(0,0,0,0);border-color:rgb(0,0,0);color:rgb(0,0,0)">Best, </div>
<div dir="auto" style="font-family:-apple-system,helveticaneue;font-size:15px;font-style:normal;font-weight:400;letter-spacing:normal;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none;background-color:rgba(0,0,0,0);border-color:rgb(0,0,0);color:rgb(0,0,0)">Joonkyo</div>
</div>
<br>
</div>
<div><br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">2024년 2월 16일 (금) 오후 6:22,
Joonkyo Jung <<a href="mailto:joonkyoj@yonsei.ac.kr" target="_blank">joonkyoj@yonsei.ac.kr</a>>님이
작성:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="ltr">Hello,<br>
<br>
We would like to report a slab-use-after-free bug in the
AMDGPU DRM driver in the Linux kernel v6.8-rc4 that we
found with our customized Syzkaller.<br>
The bug can be triggered by sending two ioctls to the
AMDGPU DRM driver in succession.<br>
<br>
In amdgpu_bo_move, struct ttm_resource *old_mem =
bo->resource is assigned.<br>
As you can see from the alloc and free stacks, in the
same function amdgpu_bo_move,<br>
amdgpu_move_blit eventually frees bo->resource in
ttm_bo_move_accel_cleanup via ttm_bo_wait_free_node(bo,
man->use_tt).<br>
But amdgpu_bo_move continues after that, reaching
trace_amdgpu_bo_move(abo, new_mem->mem_type,
old_mem->mem_type) at the end, causing the
use-after-free bug.<br>
<br>
Steps to reproduce are as below.<br>
#include &lt;fcntl.h&gt;<br>
#include &lt;stdlib.h&gt;<br>
#include &lt;sys/ioctl.h&gt;<br>
#include &lt;drm/amdgpu_drm.h&gt;<br>
<br>
int main(void) {<br>
    /* an open amdgpu render node; the device path is assumed, the original only used fd */<br>
    int fd = open("/dev/dri/renderD128", O_RDWR);<br>
    union drm_amdgpu_gem_create *arg1;<br>
<br>
    arg1 = malloc(sizeof(union drm_amdgpu_gem_create));<br>
    arg1->in.bo_size = 0x8;<br>
    arg1->in.alignment = 0x0;<br>
    arg1->in.domains = 0x4;        /* AMDGPU_GEM_DOMAIN_VRAM */<br>
    arg1->in.domain_flags = 0x9;   /* AMDGPU_GEM_CREATE_CPU_ACCESS_REQUIRED | AMDGPU_GEM_CREATE_VRAM_CLEARED */<br>
    ioctl(fd, 0xc0206440, arg1);   /* DRM_IOCTL_AMDGPU_GEM_CREATE */<br>
<br>
    /* second, much larger VRAM request: the trace shows it reaching amdgpu_bo_move via ttm_mem_evict_first */<br>
    arg1->in.bo_size = 0x7fffffff;<br>
    arg1->in.alignment = 0x0;<br>
    arg1->in.domains = 0x4;<br>
    arg1->in.domain_flags = 0x9;<br>
    ioctl(fd, 0xc0206440, arg1);<br>
    return 0;<br>
}<br>
<br>
The KASAN report is as follows:<br>
==================================================================<br>
BUG: KASAN: slab-use-after-free in
amdgpu_bo_move+0x1479/0x1550<br>
Read of size 4 at addr ffff88800f5bee80 by task
syz-executor/219<br>
Call Trace:<br>
&lt;TASK&gt;<br>
amdgpu_bo_move+0x1479/0x1550<br>
ttm_bo_handle_move_mem+0x4d0/0x700<br>
ttm_mem_evict_first+0x945/0x1230<br>
ttm_bo_mem_space+0x6c7/0x940<br>
ttm_bo_validate+0x286/0x650<br>
ttm_bo_init_reserved+0x34c/0x490<br>
amdgpu_bo_create+0x94b/0x1610<br>
amdgpu_bo_create_user+0xa3/0x130<br>
amdgpu_gem_create_ioctl+0x4bc/0xc10<br>
drm_ioctl_kernel+0x300/0x410<br>
drm_ioctl+0x648/0xb30<br>
amdgpu_drm_ioctl+0xc8/0x160<br>
&lt;/TASK&gt;<br>
<br>
Allocated by task 219:<br>
kmalloc_trace+0x211/0x390<br>
amdgpu_vram_mgr_new+0x1d6/0xbe0<br>
ttm_resource_alloc+0xfd/0x1e0<br>
ttm_bo_mem_space+0x255/0x940<br>
ttm_bo_validate+0x286/0x650<br>
ttm_bo_init_reserved+0x34c/0x490<br>
amdgpu_bo_create+0x94b/0x1610<br>
amdgpu_bo_create_user+0xa3/0x130<br>
amdgpu_gem_create_ioctl+0x4bc/0xc10<br>
drm_ioctl_kernel+0x300/0x410<br>
drm_ioctl+0x648/0xb30<br>
amdgpu_drm_ioctl+0xc8/0x160<br>
<br>
Freed by task 219:<br>
kfree+0x111/0x2d0<br>
ttm_resource_free+0x17e/0x1e0<br>
ttm_bo_move_accel_cleanup+0x77e/0x9b0<br>
amdgpu_move_blit+0x3db/0x670<br>
amdgpu_bo_move+0xfa2/0x1550<br>
ttm_bo_handle_move_mem+0x4d0/0x700<br>
ttm_mem_evict_first+0x945/0x1230<br>
ttm_bo_mem_space+0x6c7/0x940<br>
ttm_bo_validate+0x286/0x650<br>
ttm_bo_init_reserved+0x34c/0x490<br>
amdgpu_bo_create+0x94b/0x1610<br>
amdgpu_bo_create_user+0xa3/0x130<br>
amdgpu_gem_create_ioctl+0x4bc/0xc10<br>
drm_ioctl_kernel+0x300/0x410<br>
drm_ioctl+0x648/0xb30<br>
amdgpu_drm_ioctl+0xc8/0x160<br>
<br>
The buggy address belongs to the object at
ffff88800f5bee70<br>
which belongs to the cache kmalloc-96 of size 96<br>
The buggy address is located 16 bytes inside of<br>
freed 96-byte region [ffff88800f5bee70, ffff88800f5beed0)<br>
<br>
Should you need any more information, please do not
hesitate to contact us.<br>
<br>
Best regards,<br>
Joonkyo Jung<br>
</div>
</blockquote>
</div>
</div>
</blockquote>
</div>
</blockquote></div></div>
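<p>The ordering bug described in the report above, as an added example that is not part of the thread, the amdgpu driver, or the in-flight patch: a self-contained C model in which old_mem is captured before the move, the blit path releases it, and the trailing trace still reads it. Type and function names are modelled on TTM/amdgpu, but their bodies are assumptions; a quarantine-and-poison allocator stands in for KASAN so the bad read is counted deterministically instead of being undefined behaviour. The "fixed" variant illustrates one correct ordering (snapshot the field before the call that can free the object), not what the actual fix does.</p>

```c
/* Added example (not driver code): model of "capture pointer, callee frees it,
 * use it afterwards". All names are stand-ins for their TTM/amdgpu namesakes. */
#include <stdio.h>
#include <stdlib.h>

/* TTM placement ids, same numeric values as the kernel's TTM_PL_*. */
enum { TTM_PL_SYSTEM = 0, TTM_PL_TT = 1, TTM_PL_VRAM = 2 };

struct ttm_resource {
    unsigned int mem_type;
    int freed;                  /* poison bit set instead of really freeing */
};

struct ttm_buffer_object {
    struct ttm_resource *resource;
};

static int uaf_reads;           /* reads that touched a quarantined resource */

static struct ttm_resource *ttm_resource_alloc_model(unsigned int mem_type)
{
    struct ttm_resource *r = calloc(1, sizeof *r);
    if (!r)
        abort();
    r->mem_type = mem_type;
    return r;
}

/* Quarantine instead of kfree(): memory stays mapped, so a later read is
 * well-defined and can be flagged (KASAN's redzone/quarantine does this). */
static void ttm_resource_free_model(struct ttm_resource *r)
{
    r->freed = 1;
}

static unsigned int read_mem_type(const struct ttm_resource *r)
{
    if (r->freed)
        uaf_reads++;            /* KASAN would report slab-use-after-free here */
    return r->mem_type;
}

/* Stand-in for amdgpu_move_blit() -> ttm_bo_move_accel_cleanup(): install
 * new_mem on the BO and release the resource it replaced. */
static void move_blit_model(struct ttm_buffer_object *bo, struct ttm_resource *new_mem)
{
    struct ttm_resource *old = bo->resource;
    bo->resource = new_mem;
    ttm_resource_free_model(old);
}

/* Buggy ordering from the report: old_mem dereferenced after the call freed it. */
static void bo_move_buggy(struct ttm_buffer_object *bo, struct ttm_resource *new_mem,
                          unsigned int *traced_old, unsigned int *traced_new)
{
    struct ttm_resource *old_mem = bo->resource;
    move_blit_model(bo, new_mem);
    *traced_new = read_mem_type(new_mem);
    *traced_old = read_mem_type(old_mem);   /* use-after-free */
}

/* One correct ordering (illustration only): copy the field the trace needs
 * before the call that can release old_mem. */
static void bo_move_fixed(struct ttm_buffer_object *bo, struct ttm_resource *new_mem,
                          unsigned int *traced_old, unsigned int *traced_new)
{
    unsigned int old_type = read_mem_type(bo->resource);
    move_blit_model(bo, new_mem);
    *traced_new = read_mem_type(new_mem);
    *traced_old = old_type;
}

/* Runs one VRAM -> TT move with either ordering; returns how many reads hit a
 * freed resource (0 expected for the fixed ordering, 1 for the buggy one). */
int run_move_scenario(int fixed, unsigned int *traced_old, unsigned int *traced_new)
{
    struct ttm_buffer_object bo;
    struct ttm_resource *old_mem = ttm_resource_alloc_model(TTM_PL_VRAM);
    struct ttm_resource *new_mem = ttm_resource_alloc_model(TTM_PL_TT);
    int hits;

    bo.resource = old_mem;
    uaf_reads = 0;
    if (fixed)
        bo_move_fixed(&bo, new_mem, traced_old, traced_new);
    else
        bo_move_buggy(&bo, new_mem, traced_old, traced_new);
    hits = uaf_reads;

    free(old_mem);              /* now really release both resources */
    free(new_mem);
    return hits;
}

int main(void)
{
    unsigned int o, n;
    int hits = run_move_scenario(0, &o, &n);
    printf("buggy ordering: %d freed-object read(s), trace=(%u -> %u)\n", hits, o, n);
    hits = run_move_scenario(1, &o, &n);
    printf("fixed ordering: %d freed-object read(s), trace=(%u -> %u)\n", hits, o, n);
    return 0;
}
```

The point of the model is the ordering, not the allocator: the trace call needs only old_mem->mem_type, so copying that integer before the move removes the dangling pointer entirely, whereas reordering the trace before the blit would change what gets traced if the move fails.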
</div>