[igt-dev] [PATCH i-g-t] i915/gem_mmap_gtt: Race mmap offset generation against closure

Chris Wilson chris at chris-wilson.co.uk
Mon Aug 26 15:29:56 UTC 2019 

Quoting Chris Wilson (2019-08-26 16:20:00)
> Signed-off-by: Chris Wilson <chris at chris-wilson.co.uk>
> Cc: Abdiel Janulgue <abdiel.janulgue at linux.intel.com>

That honestly worked better than I was anticipating,

[   36.413656] [IGT] gem_mmap_gtt: executing
[   36.425906] [IGT] gem_mmap_gtt: starting subtest close-race
[   36.448179] ------------[ cut here ]------------
[   36.448414] refcount_t: increment on 0; use-after-free.
[   36.448548] WARNING: CPU: 3 PID: 802 at lib/refcount.c:156 refcount_inc_checked+0x2b/0x30
[   36.448667] Modules linked in: i915 intel_gtt iosf_mbi prime_numbers drm_kms_helper drm drm_panel_orientation_quirks
[   36.448820] CPU: 3 PID: 802 Comm: gem_mmap_gtt Not tainted 5.3.0-rc6+ #187
[   36.448927] Hardware name: Intel Corporation 2012 Client Platform/Emerald Lake 2, BIOS ACRVMBY1.86C.0078.P00.1201161002 01/16/2012
[   36.449076] RIP: 0010:refcount_inc_checked+0x2b/0x30
[   36.449170] Code: 48 89 e5 e8 e7 fe ff ff 84 c0 74 02 5d c3 80 3d 93 de fc 00 00 75 f5 48 c7 c7 80 88 f2 81 c6 05 83 de fc 00 01 e8 b6 8e b4 ff <0f> 0b 5d c3 90 48 b8 00 00 00 00 00 fc ff df 55 48 89 e5 41 57 49
[   36.449373] RSP: 0018:ffff88820333fc00 EFLAGS: 00010282
[   36.449467] RAX: 0000000000000000 RBX: ffff8882036169e8 RCX: 0000000000000000
[   36.449531] RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffffed1040667f76
[   36.449605] RBP: ffff88820333fc00 R08: 0000000000000001 R09: ffffed1042b5bec5
[   36.449661] R10: ffffed1042b5bec4 R11: ffff888215adf627 R12: ffff8881ff8b32a8
[   36.449713] R13: ffff888203616a38 R14: ffff888203616a30 R15: 0000000000000000
[   36.449766] FS:  00007f5d234efd40(0000) GS:ffff888215ac0000(0000) knlGS:0000000000000000
[   36.449827] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   36.449878] CR2: 00007f5d24366020 CR3: 00000001ff758001 CR4: 00000000001606e0
[   36.449929] Call Trace:
[   36.450115]  i915_gem_mmap+0x346/0x3a0 [i915]
[   36.450295]  ? i915_gem_vm_close+0x90/0x90 [i915]
[   36.450350]  ? memset+0x32/0x40
[   36.450389]  mmap_region+0x646/0xa20
[   36.450430]  ? __x64_sys_brk+0x390/0x390
[   36.450474]  ? arch_get_unmapped_area+0x370/0x370
[   36.450518]  do_mmap+0x3e4/0x6d0
[   36.450556]  vm_mmap_pgoff+0xf9/0x150
[   36.450599]  ? vma_is_stack_for_current+0x60/0x60
[   36.450643]  ksys_mmap_pgoff+0x94/0xc0
[   36.450683]  __x64_sys_mmap+0x88/0xa0
[   36.450723]  do_syscall_64+0x72/0xe0
[   36.450765]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   36.450811] RIP: 0033:0x7f5d23c74133
[   36.450854] Code: 54 41 89 d4 55 48 89 fd 53 4c 89 cb 48 85 ff 74 56 49 89 d9 45 89 f8 45 89 f2 44 89 e2 4c 89 ee 48 89 ef b8 09 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 7d 5b 5d 41 5c 41 5d 41 5e 41 5f c3 66 2e 0f
[   36.450952] RSP: 002b:00007fffb808da68 EFLAGS: 00000246 ORIG_RAX: 0000000000000009
[   36.451011] RAX: ffffffffffffffda RBX: 0000000100006000 RCX: 00007f5d23c74133
[   36.451069] RDX: 0000000000000001 RSI: 0000000000001000 RDI: 0000000000000000
[   36.451121] RBP: 0000000000000000 R08: 0000000000000003 R09: 0000000100006000
[   36.451194] R10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000001
[   36.451304] R13: 0000000000001000 R14: 0000000000000001 R15: 0000000000000003
[   36.451414] irq event stamp: 5158
[   36.451493] hardirqs last  enabled at (5157): [<ffffffff8112d575>] console_unlock+0x545/0x6f0
[   36.451627] hardirqs last disabled at (5158): [<ffffffff810026ca>] trace_hardirqs_off_thunk+0x1a/0x20
[   36.451756] softirqs last  enabled at (4752): [<ffffffff81c00441>] __do_softirq+0x441/0x575
[   36.451879] softirqs last disabled at (4747): [<ffffffff8109b80e>] irq_exit+0x14e/0x160
[   36.452000] WARNING: CPU: 3 PID: 802 at lib/refcount.c:156 refcount_inc_checked+0x2b/0x30
[   36.452125] ---[ end trace 1a7be3cf5c013580 ]---
[   36.452340] ==================================================================
[   36.452849] BUG: KASAN: use-after-free in i915_gem_vm_close+0x35/0x90 [i915]
[   36.452960] Read of size 8 at addr ffff8881ff8b3390 by task gem_mmap_gtt/802
[   36.453064]
[   36.453129] CPU: 3 PID: 802 Comm: gem_mmap_gtt Tainted: G        W         5.3.0-rc6+ #187
[   36.453248] Hardware name: Intel Corporation 2012 Client Platform/Emerald Lake 2, BIOS ACRVMBY1.86C.0078.P00.1201161002 01/16/2012
[   36.453395] Call Trace:
[   36.453469]  dump_stack+0x86/0xca
[   36.453552]  print_address_description+0x6e/0x324
[   36.453913]  ? i915_gem_vm_close+0x35/0x90 [i915]
[   36.454006]  __kasan_report.cold+0x1b/0x37
[   36.454332]  ? i915_gem_vm_close+0x35/0x90 [i915]
[   36.454423]  kasan_report+0xc/0xe
[   36.454500]  __asan_load8+0x54/0x90
[   36.454821]  i915_gem_vm_close+0x35/0x90 [i915]
[   36.454907]  remove_vma+0x5e/0x90
[   36.454983]  __do_munmap+0x315/0x670
[   36.455062]  __vm_munmap+0xa9/0xf0
[   36.455139]  ? __do_munmap+0x670/0x670
[   36.455218]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   36.455307]  ? lockdep_hardirqs_on+0x185/0x260
[   36.455393]  __x64_sys_munmap+0x31/0x40
[   36.455475]  do_syscall_64+0x72/0xe0
[   36.455554]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   36.455645] RIP: 0033:0x7f5d23c741d7
[   36.455730] Code: 10 e9 67 ff ff ff 0f 1f 44 00 00 48 8b 15 b1 6c 0c 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff e9 6b ff ff ff b8 0b 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 89 6c 0c 00 f7 d8 64 89 01 48
[   36.455965] RSP: 002b:00007fffb808da98 EFLAGS: 00000213 ORIG_RAX: 000000000000000b
[   36.456081] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f5d23c741d7
[   36.456188] RDX: 0000000000000001 RSI: 0000000000001000 RDI: 00007f5d24365000
[   36.456298] RBP: 00007f5d24366000 R08: 0000000000000003 R09: 0000000100006000
[   36.456407] R10: 0000000000000001 R11: 0000000000000213 R12: 0000000000000003
[   36.456514] R13: 0000000000000002 R14: 0000000000000008 R15: 0000000000000000
[   36.456623]
[   36.456682] Allocated by task 802:
[   36.456762]  save_stack+0x23/0x90
[   36.456838]  __kasan_kmalloc.constprop.0+0xcf/0xe0
[   36.456926]  kasan_kmalloc+0x9/0x10
[   36.457004]  kmem_cache_alloc_trace+0x11c/0x2f0
[   36.457358]  __assign_gem_object_mmap_data+0x103/0x250 [i915]
[   36.457717]  i915_gem_mmap_gtt_ioctl+0x5c/0x100 [i915]
[   36.457864]  drm_ioctl_kernel+0x126/0x170 [drm]
[   36.458013]  drm_ioctl+0x331/0x550 [drm]
[   36.458098]  do_vfs_ioctl+0x767/0xa30
[   36.458176]  ksys_ioctl+0x3c/0x80
[   36.458252]  __x64_sys_ioctl+0x3e/0x50
[   36.458261] BUG: kernel NULL pointer dereference, address: 0000000000000000
[   36.458304]  do_syscall_64+0x72/0xe0
[   36.458364] #PF: supervisor read access in kernel mode
[   36.458410]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   36.458458] #PF: error_code(0x0000) - not-present page
[   36.458508]
[   36.458567] PGD 0 P4D 0
[   36.458618] Freed by task 803:
[   36.458667] Oops: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN
[   36.458716]  save_stack+0x23/0x90

More information about the igt-dev mailing list