[PATCH] drm/scheduler: Add missing RCU flag to fence slab

Luben Tuikov luben.tuikov at amd.com
Mon Jul 10 21:15:40 UTC 2023 

On 2023-07-10 16:56, Rob Clark wrote:
> From: Rob Clark <robdclark at chromium.org>
> 
> Fixes the KASAN splat:
> 
>    ==================================================================
>    BUG: KASAN: use-after-free in msm_ioctl_wait_fence+0x31c/0x7b0
>    Read of size 4 at addr ffffff808cb7c2f8 by task syz-executor/12236
>    CPU: 6 PID: 12236 Comm: syz-executor Tainted: G        W         5.15.119-lockdep-19932-g4a017c53fe63 #1 b15455e5b94c63032dd99eb0190c27e582b357ed
>    Hardware name: Google Homestar (rev3) (DT)
>    Call trace:
>     dump_backtrace+0x0/0x4e8
>     show_stack+0x34/0x50
>     dump_stack_lvl+0xdc/0x11c
>     print_address_description+0x30/0x2d8
>     kasan_report+0x178/0x1e4
>     kasan_check_range+0x1b0/0x1b8
>     __kasan_check_read+0x44/0x54
>     msm_ioctl_wait_fence+0x31c/0x7b0
>     drm_ioctl_kernel+0x214/0x418
>     drm_ioctl+0x524/0xbe8
>     __arm64_sys_ioctl+0x154/0x1d0
>     invoke_syscall+0x98/0x278
>     el0_svc_common+0x214/0x274
>     do_el0_svc+0x9c/0x19c
>     el0_svc+0x5c/0xc0
>     el0t_64_sync_handler+0x78/0x108
>     el0t_64_sync+0x1a4/0x1a8
>    Allocated by task 12224:
>     kasan_save_stack+0x38/0x68
>     __kasan_slab_alloc+0x6c/0x88
>     kmem_cache_alloc+0x1b8/0x428
>     drm_sched_fence_alloc+0x30/0x94
>     drm_sched_job_init+0x7c/0x178
>     msm_ioctl_gem_submit+0x2b8/0x5ac4
>     drm_ioctl_kernel+0x214/0x418
>     drm_ioctl+0x524/0xbe8
>     __arm64_sys_ioctl+0x154/0x1d0
>     invoke_syscall+0x98/0x278
>     el0_svc_common+0x214/0x274
>     do_el0_svc+0x9c/0x19c
>     el0_svc+0x5c/0xc0
>     el0t_64_sync_handler+0x78/0x108
>     el0t_64_sync+0x1a4/0x1a8
>    Freed by task 32:
>     kasan_save_stack+0x38/0x68
>     kasan_set_track+0x28/0x3c
>     kasan_set_free_info+0x28/0x4c
>     ____kasan_slab_free+0x110/0x164
>     __kasan_slab_free+0x18/0x28
>     kmem_cache_free+0x1e0/0x904
>     drm_sched_fence_free_rcu+0x80/0x9c
>     rcu_do_batch+0x318/0xcf0
>     rcu_nocb_cb_kthread+0x1a0/0xc4c
>     kthread+0x2e4/0x3a0
>     ret_from_fork+0x10/0x20
>    Last potentially related work creation:
>     kasan_save_stack+0x38/0x68
>     kasan_record_aux_stack+0xd4/0x114
>     __call_rcu_common+0xd4/0x1478
>     call_rcu+0x1c/0x28
>     drm_sched_fence_release_scheduled+0x108/0x158
>     dma_fence_release+0x178/0x564
>     drm_sched_fence_release_finished+0xb4/0x124
>     dma_fence_release+0x178/0x564
>     __msm_gem_submit_destroy+0x150/0x488
>     msm_job_free+0x9c/0xdc
>     drm_sched_main+0xec/0x9ac
>     kthread+0x2e4/0x3a0
>     ret_from_fork+0x10/0x20
>    Second to last potentially related work creation:
>     kasan_save_stack+0x38/0x68
>     kasan_record_aux_stack+0xd4/0x114
>     __call_rcu_common+0xd4/0x1478
>     call_rcu+0x1c/0x28
>     drm_sched_fence_release_scheduled+0x108/0x158
>     dma_fence_release+0x178/0x564
>     drm_sched_fence_release_finished+0xb4/0x124
>     dma_fence_release+0x178/0x564
>     drm_sched_entity_fini+0x170/0x238
>     drm_sched_entity_destroy+0x34/0x44
>     __msm_file_private_destroy+0x60/0x118
>     msm_submitqueue_destroy+0xd0/0x110
>     __msm_gem_submit_destroy+0x384/0x488
>     retire_submits+0x6a8/0xa14
>     recover_worker+0x764/0xa50
>     kthread_worker_fn+0x3f4/0x9ec
>     kthread+0x2e4/0x3a0
>     ret_from_fork+0x10/0x20
>    The buggy address belongs to the object at ffffff808cb7c280
>    The buggy address is located 120 bytes inside of
>    The buggy address belongs to the page:
>    page:000000008b01d27d refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10cb7c
>    head:000000008b01d27d order:1 compound_mapcount:0
>    flags: 0x8000000000010200(slab|head|zone=2)
>    raw: 8000000000010200 fffffffe06844d80 0000000300000003 ffffff80860dca00
>    raw: 0000000000000000 0000000000190019 00000001ffffffff 0000000000000000
>    page dumped because: kasan: bad access detected
>    Memory state around the buggy address:
>     ffffff808cb7c180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>     ffffff808cb7c200: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
>    >ffffff808cb7c280: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>                                                                    ^
>     ffffff808cb7c300: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc
>     ffffff808cb7c380: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
>    ==================================================================
> 
> Suggested-by: Alexander Potapenko <glider at google.com>
> Signed-off-by: Rob Clark <robdclark at chromium.org>
> ---
>  drivers/gpu/drm/scheduler/sched_fence.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/gpu/drm/scheduler/sched_fence.c b/drivers/gpu/drm/scheduler/sched_fence.c
> index ef120475e7c6..b624711c6e03 100644
> --- a/drivers/gpu/drm/scheduler/sched_fence.c
> +++ b/drivers/gpu/drm/scheduler/sched_fence.c
> @@ -35,7 +35,7 @@ static int __init drm_sched_fence_slab_init(void)
>  {
>  	sched_fence_slab = kmem_cache_create(
>  		"drm_sched_fence", sizeof(struct drm_sched_fence), 0,
> -		SLAB_HWCACHE_ALIGN, NULL);
> +		SLAB_HWCACHE_ALIGN | SLAB_TYPESAFE_BY_RCU, NULL);
>  	if (!sched_fence_slab)
>  		return -ENOMEM;
>  

Reviewed-by: Luben Tuikov <luben.tuikov at amd.com>

But let it simmer for 24 hours so Christian can see it too (CC-ed).
-- 
Regards,
Luben

More information about the dri-devel mailing list