<!DOCTYPE html><html><head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
  </head>
  <body>
    Hi guys,<br>
    <br>
    Yeah, that is a well-known issue but actually completely harmless.<br>
    <br>
    What happens is that a trace function accesses a stale pointer to
    print some additional value into the trace log.<br>
    <br>
    That memory might have been reused and the information is now
    outdated, but the worst thing that can happen is that the value in
    the logs is nonsense.<br>
    <br>
    I have a patch in the queue to fix this, should be upstream and
    backported in the next few weeks.<br>
    <br>
    Regards,<br>
    Christian.<br>
    <br>
    <div class="moz-cite-prefix">On 29.04.24 at 04:15, Joonkyo
      Jung wrote:<br>
    </div>
    <blockquote type="cite" cite="mid:CAKc8oVXPpfOfCnF+72c2Sr1joimMqXENxsFtKiRi==mb-Fg0HA@mail.gmail.com">
      
      <div dir="ltr">Hi,<br>
        <br>
        Thank you for patching two of the bugs we have reported!<br>
        I was just wondering if there's any news on the one other bug we
        have reported:<br>
        BUG: KASAN: slab-use-after-free in amdgpu_bo_move+0x1479/0x1550.<br>
        <br>
        I see that there is a gitlab issue(<a href="https://gitlab.freedesktop.org/drm/amd/-/issues/3171" moz-do-not-send="true" class="moz-txt-link-freetext">https://gitlab.freedesktop.org/drm/amd/-/issues/3171</a>)
        created for this bug,<br>
        and there also is a patch(<a href="https://lists.freedesktop.org/archives/amd-gfx/2024-March/105680.html" moz-do-not-send="true" class="moz-txt-link-freetext">https://lists.freedesktop.org/archives/amd-gfx/2024-March/105680.html</a>)
        that Christian made for this.<br>
        Though, it seems that the issue is not resolved yet, and the
        patch is not yet pushed to mainstream branches.<br>
        So I was wondering, do you have any plans for pushing this
        patch? If so, would it be possible for us to get a Reported-by
        tag on the patch?<br>
        <br>
        Best,<br>
        Joonkyo<br>
      </div>
      <br>
      <div class="gmail_quote">
        <div dir="ltr" class="gmail_attr">On Fri, Mar 8, 2024 at 4:32 PM
          Joonkyo Jung <<a href="mailto:joonkyoj@yonsei.ac.kr" moz-do-not-send="true" class="moz-txt-link-freetext">joonkyoj@yonsei.ac.kr</a>>
          wrote:<br>
        </div>
        <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
          <div>
            <div dir="ltr">Hi Vitaly,<br>
              <br>
              No worries, thank you for working on the patches!<br>
              <br>
              I have also confirmed that with the inflight patch, issue
              No.1 (use-after-free) seems to be resolved.<br>
              However, I have reproduced issue No.3
              (slab-use-after-free) even with the patch for issue No.1
              applied - if it's the first program tested after reboot.<br>
              (i.e., if any other bugs are tested before the
              slab-use-after-free, it does not reproduce).<br>
              <br>
              Could you check if the bug reproduces in this condition
              for you too?<br>
              I will check and see why this is happening and update you
              if I have something new.<br>
              <br>
              Thank you!<br>
              <br>
              Best,<br>
              Joonkyo</div>
          </div>
          <div>
            <div dir="ltr"><br>
              <br>
              <br>
              <div class="gmail_quote">
                <div dir="ltr" class="gmail_attr">On Fri, Mar 8, 2024 at
                  12:45 PM vitaly prosyak <<a href="mailto:vprosyak@amd.com" target="_blank" moz-do-not-send="true" class="moz-txt-link-freetext">vprosyak@amd.com</a>>
                  wrote:<br>
                </div>
                <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
                  <div>
                    <p>Hi Joonkyo,<br>
                      Sorry for the delay. <br>
                      Yes, sure, I reproduced issue 2 (null-ptr-deref in
                      amdgpu) and I will provide the fix soon.<br>
                      However, issue No. 3 is no longer reproducible if
                      the recent patch inflight is applied which fixes
                      issue No 1.</p>
                    <p>Do you see the same behavior?<br>
                    </p>
                    <p>Thanks in advance, Vitaly<br>
                    </p>
                    <div>On 2024-03-07 20:18, Joonkyo Jung wrote:<br>
                    </div>
                    <blockquote type="cite">
                      <div>
                        <div>
                          <div dir="auto" style="font-family:-apple-system,helveticaneue;font-size:15px;font-style:normal;font-weight:400;letter-spacing:normal;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none;background-color:rgba(0,0,0,0);border-color:rgb(0,0,0);color:rgb(0,0,0)">Hello, </div>
                          <div dir="auto" style="font-family:-apple-system,helveticaneue;font-size:15px;font-style:normal;font-weight:400;letter-spacing:normal;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none;background-color:rgba(0,0,0,0);border-color:rgb(0,0,0);color:rgb(0,0,0)">Thank
                            you for patching the first bug we have sent!</div>
                          <div dir="auto" style="font-family:-apple-system,helveticaneue;font-size:15px;font-style:normal;font-weight:400;letter-spacing:normal;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none;background-color:rgba(0,0,0,0);border-color:rgb(0,0,0);color:rgb(0,0,0)"><br>
                          </div>
                          <div dir="auto" style="font-family:-apple-system,helveticaneue;font-size:15px;font-style:normal;font-weight:400;letter-spacing:normal;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none;background-color:rgba(0,0,0,0);border-color:rgb(0,0,0);color:rgb(0,0,0)">Just
                            a quick touch base with you, to ask if there
                            has been any update on our other two bugs.</div>
                          <div dir="auto" style="font-family:-apple-system,helveticaneue;font-size:15px;font-style:normal;font-weight:400;letter-spacing:normal;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none;background-color:rgba(0,0,0,0);border-color:rgb(0,0,0);color:rgb(0,0,0)">They
                            were each sent with emails titled </div>
                          <div dir="auto" style="font-family:-apple-system,helveticaneue;font-size:15px;font-style:normal;font-weight:400;letter-spacing:normal;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none;background-color:rgba(0,0,0,0);border-color:rgb(0,0,0);color:rgb(0,0,0)">"Reporting
                            a slab-use-after-free in amdgpu" (this one)</div>
                          <div dir="auto" style="font-family:-apple-system,helveticaneue;font-size:15px;font-style:normal;font-weight:400;letter-spacing:normal;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none;background-color:rgba(0,0,0,0);border-color:rgb(0,0,0);color:rgb(0,0,0)">"Reporting
                            a null-ptr-deref in amdgpu". </div>
                          <div dir="auto" style="font-family:-apple-system,helveticaneue;font-size:15px;font-style:normal;font-weight:400;letter-spacing:normal;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none;background-color:rgba(0,0,0,0);border-color:rgb(0,0,0);color:rgb(0,0,0)"><br>
                          </div>
                          <div dir="auto" style="font-family:-apple-system,helveticaneue;font-size:15px;font-style:normal;font-weight:400;letter-spacing:normal;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none;background-color:rgba(0,0,0,0);border-color:rgb(0,0,0);color:rgb(0,0,0)">Thank
                            you! </div>
                          <div dir="auto" style="font-family:-apple-system,helveticaneue;font-size:15px;font-style:normal;font-weight:400;letter-spacing:normal;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none;background-color:rgba(0,0,0,0);border-color:rgb(0,0,0);color:rgb(0,0,0)"><br>
                          </div>
                          <div dir="auto" style="font-family:-apple-system,helveticaneue;font-size:15px;font-style:normal;font-weight:400;letter-spacing:normal;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none;background-color:rgba(0,0,0,0);border-color:rgb(0,0,0);color:rgb(0,0,0)">Best, </div>
                          <div dir="auto" style="font-family:-apple-system,helveticaneue;font-size:15px;font-style:normal;font-weight:400;letter-spacing:normal;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none;background-color:rgba(0,0,0,0);border-color:rgb(0,0,0);color:rgb(0,0,0)">Joonkyo</div>
                        </div>
                        <br>
                      </div>
                      <div><br>
                        <div class="gmail_quote">
                          <div dir="ltr" class="gmail_attr">On Fri, Feb 16, 2024 at
                            6:22 PM, Joonkyo Jung &lt;<a href="mailto:joonkyoj@yonsei.ac.kr" target="_blank" moz-do-not-send="true" class="moz-txt-link-freetext">joonkyoj@yonsei.ac.kr</a>&gt;
                            wrote:<br>
                          </div>
                          <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
                            <div dir="ltr">Hello,<br>
                              <br>
                              We would like to report a
                              slab-use-after-free bug in the AMDGPU DRM
                              driver in the linux kernel v6.8-rc4 that
                              we found with our customized Syzkaller.<br>
                              The bug can be triggered by sending two
                              ioctls to the AMDGPU DRM driver in
                              succession.<br>
                              <br>
                              In amdgpu_bo_move, struct ttm_resource
                              *old_mem = bo->resource is assigned.<br>
                              As you can see on the alloc & free
                              stack calls, on the same function
                              amdgpu_bo_move,<br>
                              amdgpu_move_blit in the end frees
                              bo->resource at
                              ttm_bo_move_accel_cleanup with
                              ttm_bo_wait_free_node(bo, man->use_tt).<br>
                              But amdgpu_bo_move continues after that,
                              reaching trace_amdgpu_bo_move(abo,
                              new_mem->mem_type,
                              old_mem->mem_type) at the end, causing
                              the use-after-free bug.<br>
                              <br>
                              Steps to reproduce are as below.<br>
<pre>
/* fd is an already opened amdgpu DRM node.
 * 0xc0206440 is DRM_IOCTL_AMDGPU_GEM_CREATE; domains 0x4 is
 * AMDGPU_GEM_DOMAIN_VRAM; domain_flags 0x9 as in the report. */
union drm_amdgpu_gem_create *arg1;

arg1 = malloc(sizeof(union drm_amdgpu_gem_create));

/* First request: a small buffer object in VRAM. */
arg1->in.bo_size = 0x8;
arg1->in.alignment = 0x0;
arg1->in.domains = 0x4;
arg1->in.domain_flags = 0x9;
ioctl(fd, 0xc0206440, arg1);

/* Second request: an oversized VRAM allocation. Per the call trace below it
 * goes through ttm_mem_evict_first, i.e. the first object is moved, which
 * is the amdgpu_bo_move call that frees bo->resource and then traces it. */
arg1->in.bo_size = 0x7fffffff;
arg1->in.alignment = 0x0;
arg1->in.domains = 0x4;
arg1->in.domain_flags = 0x9;
ioctl(fd, 0xc0206440, arg1);
</pre>
                              <br>
                              The KASAN report is as follows:<br>
==================================================================<br>
                              BUG: KASAN: slab-use-after-free in
                              amdgpu_bo_move+0x1479/0x1550<br>
                              Read of size 4 at addr ffff88800f5bee80 by
                              task syz-executor/219<br>
                              Call Trace:<br>
                               <TASK><br>
                               amdgpu_bo_move+0x1479/0x1550<br>
                               ttm_bo_handle_move_mem+0x4d0/0x700<br>
                               ttm_mem_evict_first+0x945/0x1230<br>
                               ttm_bo_mem_space+0x6c7/0x940<br>
                               ttm_bo_validate+0x286/0x650<br>
                               ttm_bo_init_reserved+0x34c/0x490<br>
                               amdgpu_bo_create+0x94b/0x1610<br>
                               amdgpu_bo_create_user+0xa3/0x130<br>
                               amdgpu_gem_create_ioctl+0x4bc/0xc10<br>
                               drm_ioctl_kernel+0x300/0x410<br>
                               drm_ioctl+0x648/0xb30<br>
                               amdgpu_drm_ioctl+0xc8/0x160<br>
                               </TASK><br>
                              <br>
                              Allocated by task 219:<br>
                               kmalloc_trace+0x211/0x390<br>
                               amdgpu_vram_mgr_new+0x1d6/0xbe0<br>
                               ttm_resource_alloc+0xfd/0x1e0<br>
                               ttm_bo_mem_space+0x255/0x940<br>
                               ttm_bo_validate+0x286/0x650<br>
                               ttm_bo_init_reserved+0x34c/0x490<br>
                               amdgpu_bo_create+0x94b/0x1610<br>
                               amdgpu_bo_create_user+0xa3/0x130<br>
                               amdgpu_gem_create_ioctl+0x4bc/0xc10<br>
                               drm_ioctl_kernel+0x300/0x410<br>
                               drm_ioctl+0x648/0xb30<br>
                               amdgpu_drm_ioctl+0xc8/0x160<br>
                              <br>
                              Freed by task 219:<br>
                               kfree+0x111/0x2d0<br>
                               ttm_resource_free+0x17e/0x1e0<br>
                               ttm_bo_move_accel_cleanup+0x77e/0x9b0<br>
                               amdgpu_move_blit+0x3db/0x670<br>
                               amdgpu_bo_move+0xfa2/0x1550<br>
                               ttm_bo_handle_move_mem+0x4d0/0x700<br>
                               ttm_mem_evict_first+0x945/0x1230<br>
                               ttm_bo_mem_space+0x6c7/0x940<br>
                               ttm_bo_validate+0x286/0x650<br>
                               ttm_bo_init_reserved+0x34c/0x490<br>
                               amdgpu_bo_create+0x94b/0x1610<br>
                               amdgpu_bo_create_user+0xa3/0x130<br>
                               amdgpu_gem_create_ioctl+0x4bc/0xc10<br>
                               drm_ioctl_kernel+0x300/0x410<br>
                               drm_ioctl+0x648/0xb30<br>
                               amdgpu_drm_ioctl+0xc8/0x160<br>
                              <br>
                              The buggy address belongs to the object at
                              ffff88800f5bee70<br>
                               which belongs to the cache kmalloc-96 of
                              size 96<br>
                              The buggy address is located 16 bytes
                              inside of<br>
                               freed 96-byte region [ffff88800f5bee70,
                              ffff88800f5beed0)<br>
                              <br>
                              Should you need any more information,
                              please do not hesitate to contact us.<br>
                              <br>
                              Best regards,<br>
                              Joonkyo Jung<br>
                            </div>
                          </blockquote>
                        </div>
                      </div>
                    </blockquote>
                  </div>
                </blockquote>
              </div>
            </div>
          </div>
        </blockquote>
      </div>
    </blockquote>
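The ordering defect that the report and Christian's reply describe (a resource pointer captured before the move, freed inside the move, then read by the trace point afterwards) and the shape of a fix that copies the needed scalar before the call, as an added user-space model. This is constructed example code, not the amdgpu driver, TTM, or the patch in the linked gitlab issue; model_resource, model_bo, pool_alloc, pool_free, model_move_accel_cleanup, bo_move_buggy, bo_move_fixed and run_move are hypothetical stand-ins, and a four-slot static pool replaces the slab allocator so the stale read stays well-defined C and its effect can be observed without KASAN.<br>
<br>
```c
/* Constructed user-space model of the ordering bug in the report above.
 * All names (model_resource, model_bo, pool_*, bo_move_*) are hypothetical
 * stand-ins, not amdgpu or TTM code. A tiny fixed pool replaces the slab so
 * the stale read stays well-defined C and its effect can be observed. */

enum mem_type { MEM_POISON = -1, MEM_CPU = 0, MEM_GTT = 1, MEM_VRAM = 2 };

struct model_resource { int mem_type; int in_use; };   /* stands in for ttm_resource */
struct model_bo { struct model_resource *resource; };  /* stands in for the buffer object */

#define POOL_SIZE 4
static struct model_resource pool[POOL_SIZE];

static struct model_resource *pool_alloc(int mem_type)
{
    for (int i = 0; i != POOL_SIZE; i++) {
        if (!pool[i].in_use) {
            pool[i].in_use = 1;
            pool[i].mem_type = mem_type;
            return &pool[i];
        }
    }
    return (struct model_resource *)0;
}

/* Freeing poisons the record, the way a recycled slab object holds unrelated
 * data. In the kernel KASAN flags the read; here the poison simply shows up
 * in the recorded "trace", which is the nonsense-in-the-logs outcome. */
static void pool_free(struct model_resource *r)
{
    r->in_use = 0;
    r->mem_type = MEM_POISON;
}

/* Stands in for ttm_bo_move_accel_cleanup(): frees the old resource and
 * installs the new one. After this call the old pointer is dangling. */
static void model_move_accel_cleanup(struct model_bo *bo, struct model_resource *new_mem)
{
    pool_free(bo->resource);
    bo->resource = new_mem;
}

/* What the trace point records. */
struct trace_record { int old_type; int new_type; };

/* Buggy ordering from the report: old_mem is dereferenced for the trace
 * after the cleanup has already freed it. */
static struct trace_record bo_move_buggy(struct model_bo *bo, struct model_resource *new_mem)
{
    struct model_resource *old_mem = bo->resource;
    model_move_accel_cleanup(bo, new_mem);
    struct trace_record t = { old_mem->mem_type, new_mem->mem_type }; /* stale read */
    return t;
}

/* Safe ordering: copy the scalar the trace needs while old_mem is still
 * valid, and never touch the pointer after the call that may free it. */
static struct trace_record bo_move_fixed(struct model_bo *bo, struct model_resource *new_mem)
{
    struct model_resource *old_mem = bo->resource;
    int old_type = old_mem->mem_type;
    model_move_accel_cleanup(bo, new_mem);
    struct trace_record t = { old_type, new_mem->mem_type };
    return t;
}

/* Driver: create a bo in VRAM, move it to GTT, return what the trace saw.
 * fixed == 0 runs the buggy ordering, fixed != 0 the corrected one. */
static struct trace_record run_move(int fixed)
{
    for (int i = 0; i != POOL_SIZE; i++) {
        pool[i].in_use = 0;
        pool[i].mem_type = MEM_CPU;
    }
    struct model_bo bo = { pool_alloc(MEM_VRAM) };
    struct model_resource *new_mem = pool_alloc(MEM_GTT);
    return fixed ? bo_move_fixed(&bo, new_mem) : bo_move_buggy(&bo, new_mem);
}
```
<br>
run_move(0) returns a record whose old_type is the poison value rather than MEM_VRAM, the wrong-value-in-the-log effect described above, while run_move(1) returns MEM_VRAM. The mitigation generalizes beyond this driver: anything a trace point or log statement needs from memory that a callee may free is copied into locals before that call, so the dangling pointer is never dereferenced.<br>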
    <br>
  </body>
</html>