BUG: KASAN: use-after-free in drm_atomic_helper_wait_for_vblanks()

Dmitry Osipenko dmitry.osipenko at collabora.com
Thu Mar 31 20:33:26 UTC 2022


On 3/30/22 12:45, Daniel Vetter wrote:
> On Tue, Mar 15, 2022 at 12:53:30AM +0300, Dmitry Osipenko wrote:
>> On 3/11/22 17:22, Maxime Ripard wrote:
>>> Hi Dmitry,
>>>
>>> On Thu, Mar 10, 2022 at 03:33:07AM +0300, Dmitry Osipenko wrote:
>>>> I was playing/testing SuperTuxKart using VirtIO-GPU driver and spotted a
>>>> UAF bug in drm_atomic_helper_wait_for_vblanks().
>>>>
>>>> SuperTuxKart can use DRM directly, i.e. you can run the game in a VT without
>>>> Xorg or Wayland, and this is where the bug happens. SuperTuxKart uses
>>>> non-blocking atomic page flips, and the UAF happens when a new atomic state
>>>> is committed while a previous page flip is still in flight.
>>>>
>>>> What happens is that the new and old atomic states refer to the same
>>>> CRTC state somehow. Once the older atomic state is destroyed, the CRTC
>>>> state is freed and the newer atomic state continues to use the freed
>>>> CRTC state.
>>>
>>> I'm not sure what you mean by "the new and old atomic states refer to
>>> the same CRTC state", are those the same pointers?
>>
>> Yes, the pointers are the same. I'd assume that the newer atomic state
>> should duplicate CRTC state, but apparently it doesn't happen.
> 
> The legacy cursor hack stuff does this, and it pretty fundamentally breaks
> everything. Might be good to retest with that disabled:
> 
> https://lore.kernel.org/dri-devel/20201023123925.2374863-1-daniel.vetter@ffwll.ch/
> 
> The problem is a bit that this might cause some regressions, for drivers
> which don't yet have the fancy new cursor fastpath for plane updates.
> -Daniel

Thank you, I tested your patch and unfortunately it doesn't fix my
problem. Should be a separate bug.

Those async update code paths aren't trivial, it will take some time for me
to debug them.
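The failure mode discussed in this thread, two atomic states holding the same CRTC state pointer so that tearing down the older one leaves the newer one dangling, can be modelled outside the kernel. The program below is an added user-space example, not kernel code and not Dmitry's or Daniel's; the `model_*` structs and functions are simplified stand-ins for `drm_atomic_state` and `drm_crtc_state` (an assumption, the real structures carry far more). It contrasts the expected per-state duplication with the aliasing seen in the report, and shows a debug check that counts shared CRTC-state pointers between the outgoing and incoming states before the older one is destroyed:

```c
/* Added example (not kernel code): a user-space model of the CRTC-state
 * aliasing described in the thread. The model_* names mimic DRM's atomic
 * state objects but are simplified stand-ins (assumption). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MODEL_NUM_CRTCS 2

struct model_crtc_state {
    int crtc_id;
    unsigned int last_vblank_count;  /* what a wait_for_vblanks helper polls */
};

struct model_atomic_state {
    struct model_crtc_state *crtcs[MODEL_NUM_CRTCS];
    int owns_crtc_states;            /* 1 if destroy must free the pointers */
};

/* Per-state copy: the behaviour the newer atomic state is expected to have. */
static struct model_crtc_state *model_crtc_state_dup(const struct model_crtc_state *src)
{
    struct model_crtc_state *dst = malloc(sizeof(*dst));
    if (dst)
        memcpy(dst, src, sizeof(*dst));
    return dst;
}

/* Fill `st` from `base`: either by duplicating each CRTC state (safe) or by
 * reusing base's pointers (the aliasing seen in the bug report). */
static int model_atomic_state_init(struct model_atomic_state *st,
                                   const struct model_atomic_state *base,
                                   int alias)
{
    memset(st, 0, sizeof(*st));
    st->owns_crtc_states = !alias;
    for (int i = 0; i < MODEL_NUM_CRTCS; i++) {
        st->crtcs[i] = alias ? base->crtcs[i]
                             : model_crtc_state_dup(base->crtcs[i]);
        if (!st->crtcs[i])
            return -1;
    }
    return 0;
}

/* Debug check a driver could run before committing: count CRTC-state
 * pointers shared between the outgoing and incoming atomic states. Any
 * non-zero result means destroying the old state frees memory the new
 * state still references. */
static int model_count_aliased_crtc_states(const struct model_atomic_state *outgoing,
                                           const struct model_atomic_state *incoming)
{
    int shared = 0;
    for (int i = 0; i < MODEL_NUM_CRTCS; i++)
        for (int j = 0; j < MODEL_NUM_CRTCS; j++)
            if (outgoing->crtcs[i] && outgoing->crtcs[i] == incoming->crtcs[j])
                shared++;
    return shared;
}

static void model_atomic_state_destroy(struct model_atomic_state *st)
{
    if (st->owns_crtc_states)
        for (int i = 0; i < MODEL_NUM_CRTCS; i++)
            free(st->crtcs[i]);
    memset(st->crtcs, 0, sizeof(st->crtcs));
}

/* Run the scenario: the old state is in flight, the new state is built from
 * it. Returns the number of aliased pointers the check reported (-1 on OOM). */
int model_run_scenario(int alias)
{
    /* Constructed sample hardware state for two CRTCs. */
    static const struct model_crtc_state hw[MODEL_NUM_CRTCS] = { {0, 100}, {1, 200} };
    struct model_atomic_state old_state = { .owns_crtc_states = 1 };
    struct model_atomic_state new_state;
    int shared;

    for (int i = 0; i < MODEL_NUM_CRTCS; i++)
        if (!(old_state.crtcs[i] = model_crtc_state_dup(&hw[i]))) {
            model_atomic_state_destroy(&old_state);
            return -1;
        }

    if (model_atomic_state_init(&new_state, &old_state, alias) != 0) {
        model_atomic_state_destroy(&new_state);
        model_atomic_state_destroy(&old_state);
        return -1;
    }

    shared = model_count_aliased_crtc_states(&old_state, &new_state);
    printf("alias=%d: %d CRTC state pointer(s) shared between old and new state\n",
           alias, shared);

    /* The older commit completes and its state is torn down. With aliasing,
     * new_state's pointers now dangle; the check above flagged it, so we
     * only dereference when no sharing was reported. */
    model_atomic_state_destroy(&old_state);
    if (shared == 0)
        printf("new state still valid: crtc0 vblank=%u\n",
               new_state.crtcs[0]->last_vblank_count);
    model_atomic_state_destroy(&new_state);
    return shared;
}

int main(void)
{
    model_run_scenario(1);  /* aliasing: 2 shared pointers */
    model_run_scenario(0);  /* duplication: 0 shared pointers */
    return 0;
}
```

The check is the kind of thing that belongs behind a debug option in a driver's commit path: it is cheap, and a non-zero count pinpoints the aliasing before KASAN has to catch the resulting use-after-free in the vblank wait.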