[PATCH] tests/amdgpu: add gem create fuzzing test

Zhang, Jesse(Jie) Jesse.Zhang at amd.com
Sun Apr 7 02:55:46 UTC 2024


Hi Kamil

-----Original Message-----
From: Kamil Konieczny <kamil.konieczny at linux.intel.com>
Sent: Wednesday, March 27, 2024 10:15 PM
To: igt-dev at lists.freedesktop.org
Cc: Prosyak, Vitaly <Vitaly.Prosyak at amd.com>; Deucher, Alexander <Alexander.Deucher at amd.com>; Koenig, Christian <Christian.Koenig at amd.com>; Joonkyo Jung <joonkyoj at yonsei.ac.kr>; Zhang, Jesse(Jie) <Jesse.Zhang at amd.com>; Tvrtko Ursulin <tursulin at igalia.com>
Subject: Re: [PATCH] tests/amdgpu: add gem create fuzzing test

Hi Vitaly,

On 2024-03-27 at 00:00:55 -0400, vitaly.prosyak at amd.com wrote:
> From: Vitaly Prosyak <vitaly.prosyak at amd.com>
>
> The bug in amdgpu was found using customized Syzkaller and with Kazan enabled.
> Report a slab-use-after-free bug in the AMDGPU DRM driver.
> Ftrace enablement is mandatory precondition to reproduce the error once after boot.
> The bug was reported by Joonkyo Jung <joonkyoj at yonsei.ac.kr>.
>
> The following scenario is a different reproduction of same issue:
> BUG: KFENCE: use-after-free read in amdgpu_bo_move+0x1ce/0x710
> [amdgpu] https://gitlab.freedesktop.org/drm/amd/-/issues/3171#note_2287646.
-------------------------------------------------------------------^

Please no dots at end of https links, so:
https://gitlab.freedesktop.org/drm/amd/-/issues/3171#note_2287646

>
> Fix Christian König ckoenig.leichtzumerken at gmail.com
> https://lists.freedesktop.org/archives/amd-gfx/2024-March/105680.html.

Same here, remove dot at end of link.

>
> The issue is visible only when Kazan enables and dumps to the kernel log:
> BUG: KASAN: slab-use-after-free in amdgpu_bo_move+0x974/0xd90.
> We accessed the freed memory during the ftrace enablement in a
> amdgpu_bo_move_notify.
>
> The test amd_gem_create_fuzzing does amdgpu_bo_reserve 2 times.
>

imho add here:

Reported-by: Christian König <ckoenig.leichtzumerken at gmail.com>
Reported-by: Joonkyo Jung <joonkyoj at yonsei.ac.kr>

> Signed-off-by: Vitaly Prosyak <vitaly.prosyak at amd.com>
> Cc: Alex Deucher <alexander.deucher at amd.com>
> Cc: Christian Koenig <christian.koenig at amd.com>
> Cc: Joonkyo Jung <joonkyoj at yonsei.ac.kr>
> Cc: Kamil Konieczny <kamil.konieczny at linux.intel.com>
> Cc: Jesse Zhang <Jesse.Zhang at amd.com>
> Cc: Tvrtko Ursulin <tursulin at igalia.com>
> ---
>  tests/amdgpu/amd_fuzzing.c | 69
> ++++++++++++++++++++++++++++++++++++++
>  1 file changed, 69 insertions(+)
>
> diff --git a/tests/amdgpu/amd_fuzzing.c b/tests/amdgpu/amd_fuzzing.c
> index 69c9e8dad..dccac8cc1 100644
> --- a/tests/amdgpu/amd_fuzzing.c
> +++ b/tests/amdgpu/amd_fuzzing.c
> @@ -95,6 +95,67 @@ void amd_cs_wait_fuzzing(int fd, const enum amd_ip_block_type types[], int size)
>       }
>  }
>
> +static int
> +amdgpu_ftrace_enablement(const char *function, bool enable) {
> +     char cmd[128];
> +     int ret;
> +
> +     snprintf(cmd, sizeof(cmd),
> +                     "echo %s > /sys/kernel/debug/tracing/events/amdgpu/%s/enable",
> +                     enable == true ? "1":"0", function);
> +     ret = igt_system(cmd);
> +
> +     return ret;
> +}
> +
> +/* The bug was found using customized Syzkaller and with Kazan enabled.
> + * Report a slab-use-after-free bug in the AMDGPU DRM driver.
> + * Ftrace enablement is mandatory precondition to reproduce the error once after boot.
> + * The bug was reported by Joonkyo Jung <joonkyoj at yonsei.ac.kr>.
> + *
> + * BUG: KFENCE: use-after-free read in amdgpu_bo_move+0x1ce/0x710
> +[amdgpu]
> + * https://gitlab.freedesktop.org/drm/amd/-/issues/3171#note_2287646
> + *
> + * Fix Christian König ckoenig.leichtzumerken at gmail.com
> + *
> +https://lists.freedesktop.org/archives/amd-gfx/2024-March/105680.html
> + *
> + * The issue is visible only when Kazan enables and dumps to the kernel log:
> + * BUG: KASAN: slab-use-after-free in amdgpu_bo_move+0x974/0xd90
> + * We accessed the freed memory during the ftrace enablement in a
> + * amdgpu_bo_move_notify.
> + * The test amd_gem_create_fuzzing does amdgpu_bo_reserve  */ static
> +void amd_gem_create_fuzzing(int fd) {
> +     static const char function_amdgpu_bo_move[] = "amdgpu_bo_move";
> +     union drm_amdgpu_gem_create arg;
> +     int ret;
> +
> +     ret = amdgpu_ftrace_enablement(function_amdgpu_bo_move, true);
> +     igt_assert_eq(ret, 0);
> +     arg.in.bo_size = 0x8;
> +     arg.in.alignment = 0x0;
> +     arg.in.domains = 0x4;
> +     arg.in.domain_flags = 0x9;
> +     ret = drmIoctl(fd, 0xc0206440
> +                     /* DRM_AMDGPU_GEM_CREATE amdgpu_gem_create_ioctl */, &arg);
> +     igt_info("drmCommandWriteRead DRM_AMDGPU_GEM_CREATE ret %d\n", ret);
> +
> +     arg.in.bo_size = 0x7fffffff;
> +     arg.in.alignment = 0x0;
> +     arg.in.domains = 0x4;
> +     arg.in.domain_flags = 0x9;
> +     ret = drmIoctl(fd, 0xc0206440
> +                     /* DRM_AMDGPU_GEM_CREATE amdgpu_gem_create_ioctl */, &arg);
> +     igt_info("drmCommandWriteRead DRM_AMDGPU_GEM_CREATE ret %d\n", ret);
> +
> +     ret = amdgpu_ftrace_enablement(function_amdgpu_bo_move, false);
> +     igt_assert_eq(ret, 0);
> +
> +}
> +
>  igt_main
>  {
>       int fd = -1;
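Review bot: `amd_gem_create_fuzzing` passes the raw request number `0xc0206440` to `drmIoctl` and raw values `0x4` / `0x9` for `domains` and `domain_flags`; use `DRM_IOCTL_AMDGPU_GEM_CREATE` and the `AMDGPU_GEM_DOMAIN_*` / `AMDGPU_GEM_CREATE_*` macros from `amdgpu_drm.h` instead, since the comment next to the literal is the only thing telling a reader what the call does and a typo in the number would be invisible. The handles returned in `arg.out.handle` on a successful create are never released, so both buffer objects live until the fd closes; when `ret == 0`, close them (e.g. `gem_close(fd, arg.out.handle)`) before the ftrace disable so a failure in the tail of the test does not leak them. `amdgpu_ftrace_enablement` writes the debugfs enable file through a shell `echo` in `igt_system`; when tracefs is not mounted or the test is not run as root the `igt_assert_eq(ret, 0)` turns that environment problem into a FAIL rather than a SKIP, so guard it with an `igt_require` on the enable path (or open and write the file directly and `igt_require` the open). Finally, the closing `*/` of the function comment has ended up on the same line as `static`, with `void amd_gem_create_fuzzing` on the next; put `*/` on its own line and keep `static void` together so the definition reads as one declaration.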
> @@ -114,6 +175,14 @@ igt_main
>       igt_subtest("cs-wait-fuzzing")
---------------- ^
>               amd_cs_wait_fuzzing(fd, arr_types, ARRAY_SIZE(arr_types));
------- ^
>
> +     igt_describe("Check cs wait fuzzing");
> +     igt_subtest("cs-wait-fuzzing")
---------------- ^
You have that exact subtest above? Is it copy-paste?

> +             amd_cs_wait_fuzzing(fd, arr_types, ARRAY_SIZE(arr_types));
------- ^
Same as above.

> +
> +     igt_describe("Check gem create fuzzing");
> +     igt_subtest("gem-create-fuzzing")
> +             amd_gem_create_fuzzing(fd);
> +

Just curious, will it work with --r?

sudo tests/amd_fuzzing --r cs-wait-fuzzing and sudo tests/amd_fuzzing --r gem-create-fuzzing

Yes, they can work with --r. Example:
IGT-Version: 1.28-gcab77f029 (x86_64) (Linux: 6.7.0+ x86_64)
Using IGT_SRANDOM=1712458363 for randomisation
Opened device: /dev/dri/card0
Starting subtest: gem-create-fuzzing
drmCommandWriteRead DRM_AMDGPU_GEM_CREATE ret 0
drmCommandWriteRead DRM_AMDGPU_GEM_CREATE ret 0
Subtest gem-create-fuzzing: SUCCESS (0.031s)

Regards,
Jesse

Regards,
Kamil

>       igt_fixture {
>               drm_close_driver(fd);
>       }
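Review bot: this hunk registers `cs-wait-fuzzing` a second time with exactly the same `igt_describe` text and body as the existing registration in the context lines directly above it, which looks like a copy-paste leftover (the same point was raised in the review above): IGT will list and run the same subtest name twice, so drop the duplicated `igt_describe("Check cs wait fuzzing")` / `igt_subtest("cs-wait-fuzzing")` pair and keep only the new `gem-create-fuzzing` registration. Removing those lines changes the `+175,14` count in the hunk header, so regenerate the patch with `git format-patch` rather than hand-editing the header.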
> --
> 2.25.1
>