[PATCH i-g-t V2] tests/amdgpu: add gem create fuzzing test
Zhang, Jesse(Jie)
Jesse.Zhang at amd.com
Mon Apr 8 03:53:33 UTC 2024
The change looks good to me.
Reviewed-by: Jesse Zhang <Jesse.Zhang at amd.com>
-----Original Message-----
From: Vitaly Prosyak <vitaly.prosyak at amd.com>
Sent: Sunday, April 7, 2024 11:22 AM
To: igt-dev at lists.freedesktop.org
Cc: Prosyak, Vitaly <Vitaly.Prosyak at amd.com>; Deucher, Alexander <Alexander.Deucher at amd.com>; Koenig, Christian <Christian.Koenig at amd.com>; Christian König <ckoenig.leichtzumerken at gmail.com>; Joonkyo Jung <joonkyoj at yonsei.ac.kr>; Kamil Konieczny <kamil.konieczny at linux.intel.com>; Zhang, Jesse(Jie) <Jesse.Zhang at amd.com>; Tvrtko Ursulin <tursulin at igalia.com>
Subject: [PATCH i-g-t V2] tests/amdgpu: add gem create fuzzing test
The bug in amdgpu was found using customized Syzkaller and with KASAN enabled.
Report a slab-use-after-free bug in the AMDGPU DRM driver.
Ftrace enablement is a mandatory precondition to reproduce the error once after boot.
The bug was reported by Joonkyo Jung <joonkyoj at yonsei.ac.kr>.
The following scenario is a different reproduction of the same issue:
BUG: KFENCE: use-after-free read in amdgpu_bo_move+0x1ce/0x710 [amdgpu]
https://gitlab.freedesktop.org/drm/amd/-/issues/3171#note_2287646
Fix by Christian König <ckoenig.leichtzumerken at gmail.com>:
https://lists.freedesktop.org/archives/amd-gfx/2024-March/105680.html
The issue is visible only when KASAN is enabled, and it dumps to the kernel log:
BUG: KASAN: slab-use-after-free in amdgpu_bo_move+0x974/0xd90.
We accessed the freed memory during the ftrace enablement in amdgpu_bo_move_notify.
The test amd_gem_create_fuzzing does amdgpu_bo_reserve 2 times.
v2: Fix the code style (Kamil)
Signed-off-by: Vitaly Prosyak <vitaly.prosyak at amd.com>
Reported-by: Christian König <ckoenig.leichtzumerken at gmail.com>
Reported-by: Joonkyo Jung <joonkyoj at yonsei.ac.kr>
Cc: Alex Deucher <alexander.deucher at amd.com>
Cc: Christian Koenig <christian.koenig at amd.com>
Cc: Joonkyo Jung <joonkyoj at yonsei.ac.kr>
Cc: Kamil Konieczny <kamil.konieczny at linux.intel.com>
Cc: Jesse Zhang <Jesse.Zhang at amd.com>
Cc: Tvrtko Ursulin <tursulin at igalia.com>
---
tests/amdgpu/amd_fuzzing.c | 65 ++++++++++++++++++++++++++++++++++++++
1 file changed, 65 insertions(+)
diff --git a/tests/amdgpu/amd_fuzzing.c b/tests/amdgpu/amd_fuzzing.c index 69c9e8dad..b47b26cf0 100644
--- a/tests/amdgpu/amd_fuzzing.c
+++ b/tests/amdgpu/amd_fuzzing.c
@@ -95,6 +95,67 @@ void amd_cs_wait_fuzzing(int fd, const enum amd_ip_block_type types[], int size)
}
}
+static int
+amdgpu_ftrace_enablement(const char *function, bool enable) {
+ char cmd[128];
+ int ret;
+
+ snprintf(cmd, sizeof(cmd),
+ "echo %s > /sys/kernel/debug/tracing/events/amdgpu/%s/enable",
+ enable == true ? "1":"0", function);
+ ret = igt_system(cmd);
+
+ return ret;
+}
+
+/* The bug was found using customized Syzkaller and with Kazan enabled.
+ * Report a slab-use-after-free bug in the AMDGPU DRM driver.
+ * Ftrace enablement is mandatory precondition to reproduce the error once after boot.
+ * The bug was reported by Joonkyo Jung <joonkyoj at yonsei.ac.kr>.
+ *
+ * BUG: KFENCE: use-after-free read in amdgpu_bo_move+0x1ce/0x710
+[amdgpu]
+ * https://gitlab.freedesktop.org/drm/amd/-/issues/3171#note_2287646
+ *
+ * Fix Christian König ckoenig.leichtzumerken at gmail.com
+ *
+https://lists.freedesktop.org/archives/amd-gfx/2024-March/105680.html
+ *
+ * The issue is visible only when Kazan enables and dumps to the kernel log:
+ * BUG: KASAN: slab-use-after-free in amdgpu_bo_move+0x974/0xd90
+ * We accessed the freed memory during the ftrace enablement in a
+ * amdgpu_bo_move_notify.
+ * The test amd_gem_create_fuzzing does amdgpu_bo_reserve */ static
+void amd_gem_create_fuzzing(int fd) {
+ static const char function_amdgpu_bo_move[] = "amdgpu_bo_move";
+ union drm_amdgpu_gem_create arg;
+ int ret;
+
+ ret = amdgpu_ftrace_enablement(function_amdgpu_bo_move, true);
+ igt_assert_eq(ret, 0);
+ arg.in.bo_size = 0x8;
+ arg.in.alignment = 0x0;
+ arg.in.domains = 0x4;
+ arg.in.domain_flags = 0x9;
+ ret = drmIoctl(fd, 0xc0206440
+ /* DRM_AMDGPU_GEM_CREATE amdgpu_gem_create_ioctl */, &arg);
+ igt_info("drmCommandWriteRead DRM_AMDGPU_GEM_CREATE ret %d\n", ret);
+
+ arg.in.bo_size = 0x7fffffff;
+ arg.in.alignment = 0x0;
+ arg.in.domains = 0x4;
+ arg.in.domain_flags = 0x9;
+ ret = drmIoctl(fd, 0xc0206440
+ /* DRM_AMDGPU_GEM_CREATE amdgpu_gem_create_ioctl */, &arg);
+ igt_info("drmCommandWriteRead DRM_AMDGPU_GEM_CREATE ret %d\n", ret);
+
+ ret = amdgpu_ftrace_enablement(function_amdgpu_bo_move, false);
+ igt_assert_eq(ret, 0);
+
+}
+
igt_main
{
int fd = -1;
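Review bot: the ioctl request in amd_gem_create_fuzzing is hard-coded as `0xc0206440` with the macro name only in a comment; use `DRM_IOCTL_AMDGPU_GEM_CREATE` from amdgpu_drm.h, so the number is derived from `sizeof(union drm_amdgpu_gem_create)` and cannot silently drift from the header, and likewise spell `0x4` and `0x9` as `AMDGPU_GEM_DOMAIN_VRAM` and the `AMDGPU_GEM_CREATE_*` flags so a reader can see which domain and flags are being fuzzed. The `igt_info` message reports `drmCommandWriteRead` while the call is `drmIoctl`, which will mislead anyone reading the log. The handle returned in `arg.out.handle` by the first, 8-byte create is never closed, so the buffer object stays alive until the fd is closed; a `gem_close(fd, arg.out.handle)` after each successful call keeps the subtest self-contained. In amdgpu_ftrace_enablement, a failed `echo` (tracefs not mounted, or not running as root) makes `igt_assert_eq(ret, 0)` fail the subtest rather than skip it; an `igt_require()` on the enable file being writable would turn that into a skip. The comment block above the function is also cut off at "does amdgpu_bo_reserve", whereas the commit message says it does so twice.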
@@ -114,6 +175,10 @@ igt_main
igt_subtest("cs-wait-fuzzing")
amd_cs_wait_fuzzing(fd, arr_types, ARRAY_SIZE(arr_types));
+ igt_describe("Check gem create fuzzing");
+ igt_subtest("gem-create-fuzzing")
+ amd_gem_create_fuzzing(fd);
+
igt_fixture {
drm_close_driver(fd);
}
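Review bot: the igt_describe text "Check gem create fuzzing" says nothing about what the subtest exercises; since its purpose is to create GEM objects with the amdgpu_bo_move tracepoint enabled so that KASAN catches the use-after-free in amdgpu_bo_move_notify, the description should say so, and should note that the subtest writes to tracefs and therefore needs root and a mounted debugfs/tracefs.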
--
2.25.1