[PATCH] drm/sched: Fix UAF in drm_sched_fence_get_timeline_name()

Mon May 12 07:32:49 UTC 2025

Hi,

On Fri, 2025-05-09 at 14:29 -0700, Rob Clark wrote:
> From: Rob Clark <robdclark at chromium.org>
> 
> The fence can outlive the sched, so it is not safe to dereference the
> sched in drm_sched_fence_get_timeline_name()

Thx for the fix. Looks correct to me. Some nits

> 
> Signed-off-by: Rob Clark <robdclark at chromium.org>

This is clearly a bug. So please provide a Fixes: tag and +Cc the
stable kernel.

> ---
>  drivers/gpu/drm/scheduler/sched_fence.c |  3 ++-
>  include/drm/gpu_scheduler.h             | 11 +++++++++++
>  2 files changed, 13 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/gpu/drm/scheduler/sched_fence.c
> b/drivers/gpu/drm/scheduler/sched_fence.c
> index e971528504a5..4e529c3ba6d4 100644
> --- a/drivers/gpu/drm/scheduler/sched_fence.c
> +++ b/drivers/gpu/drm/scheduler/sched_fence.c
> @@ -92,7 +92,7 @@ static const char
> *drm_sched_fence_get_driver_name(struct dma_fence *fence)
>  static const char *drm_sched_fence_get_timeline_name(struct
> dma_fence *f)
>  {
>  	struct drm_sched_fence *fence = to_drm_sched_fence(f);
> -	return (const char *)fence->sched->name;
> +	return fence->name;

Adding an empty line while we're here already would be neat.

>  }
>  
>  static void drm_sched_fence_free_rcu(struct rcu_head *rcu)
> @@ -226,6 +226,7 @@ void drm_sched_fence_init(struct drm_sched_fence
> *fence,
>  	unsigned seq;
>  
>  	fence->sched = entity->rq->sched;
> +	fence->name  = fence->sched->name;
>  	seq = atomic_inc_return(&entity->fence_seq);
>  	dma_fence_init(&fence->scheduled,
> &drm_sched_fence_ops_scheduled,
>  		       &fence->lock, entity->fence_context, seq);
> diff --git a/include/drm/gpu_scheduler.h
> b/include/drm/gpu_scheduler.h
> index 0ae108f6fcaf..d830ffe083f1 100644
> --- a/include/drm/gpu_scheduler.h
> +++ b/include/drm/gpu_scheduler.h
> @@ -295,6 +295,9 @@ struct drm_sched_fence {
>          /**
>           * @sched: the scheduler instance to which the job having
> this struct
>           * belongs to.
> +         *
> +         * Some care must be taken as to where the sched is derefed,
> as the
> +         * fence can outlive the sched.
>           */

Just briefly hinting at the lifetime is enough here. Every developer
understands what that implicates.

"Might have a lifetime shorter than the owning &struct drm_sched_fence"

Thx
P.

>  	struct drm_gpu_scheduler	*sched;
>          /**
> @@ -305,6 +308,14 @@ struct drm_sched_fence {
>           * @owner: job owner for debugging
>           */
>  	void				*owner;
> +
> +	/**
> +	 * @name: the timeline name
> +	 *
> +	 * This comes from the @sched, but since the fence can
> outlive the
> +	 * sched, we need to keep our own copy.
> +	 */
> +	const char			*name;
>  };
>  
>  struct drm_sched_fence *to_drm_sched_fence(struct dma_fence *f);