[PATCH] tests/amdgpu: add fuzzing tests
Kamil Konieczny
kamil.konieczny at linux.intel.com
Mon Mar 18 11:51:45 UTC 2024
Hi Vitaly,
On 2024-03-15 at 22:36:31 -0400, vitaly.prosyak at amd.com wrote:
> From: Vitaly Prosyak <vitaly.prosyak at amd.com>
>
> Joonkyo Jung was using customized Syzkaller with KASAN
> enabled to find the bugs in amdgpu and the drm scheduler.
> Those new tests would help to keep the job state machine
> of the drm scheduler and amdgpu in the correct state to
> ensure that the wrong call sequence or invalid parameters
> do not cause a kernel crash.
>
> The sub-test 'user ptr fuzzing' sends
> DRM_IOCTL_AMDGPU_GEM_USERPTR the invalid address and
> 2 GB allocation size.
> The sub-test 'cs fuzzing' sends DRM_IOCTL_AMDGPU_WAIT_CS
> for several IP types without previously submitted jobs.
>
> Cc: Alex Deucher <alexander.deucher at amd.com>
> Cc: Christian Koenig <christian.koenig at amd.com>
> Cc: Joonkyo Jung <joonkyoj at yonsei.ac.kr>
> Cc: Jesse Zhang <Jesse.Zhang at amd.com>
> Signed-off-by: Vitaly Prosyak <vitaly.prosyak at amd.com>
> ---
> tests/amdgpu/amd_fuzzing.c | 99 ++++++++++++++++++++++++++++++++++++++
> tests/amdgpu/meson.build | 1 +
> 2 files changed, 100 insertions(+)
> create mode 100644 tests/amdgpu/amd_fuzzing.c
>
> diff --git a/tests/amdgpu/amd_fuzzing.c b/tests/amdgpu/amd_fuzzing.c
> new file mode 100644
> index 000000000..11a85f46c
> --- /dev/null
> +++ b/tests/amdgpu/amd_fuzzing.c
> @@ -0,0 +1,99 @@
> +// SPDX-License-Identifier: MIT
> +/*
> + * Copyright 2024 Advanced Micro Devices, Inc.
> + */
> +
> +#include "lib/amdgpu/amd_memory.h"
> +#include "lib/amdgpu/amd_gfx.h"
--------------------------- ^
Keep it sorted alphabetically.
> +
> +/*
> + * The bug was found using customized Syzkaller and with Kazan enabled.
> + * It can be triggered by sending a single amdgpu_gem_userptr_ioctl
> + * to the AMDGPU DRM driver on any ASICs with an invalid address and size.
> + * The bug was reported by Joonkyo Jung <joonkyoj at yonsei.ac.kr>.
> + * The following test ensures that the found bug is no longer reproducible.
> + */
> +static
> +void amd_gem_userptr_fuzzing(int fd)
> +{
> + /*
> + * use-after-free bug in the AMDGPU DRM driver
> + * fix in amdgpu commit 6dbd33a9c8747dbf1d149484509ad667cbdb3059
> + * The error dump is available in dmesg only when KAZAN is enabled
> + */
> +
> + struct drm_amdgpu_gem_userptr user_ptr;
> + int r;
> +
> + user_ptr.addr = 0xffffffffffff0000;
> + user_ptr.size = 0x80000000; /*2 Gb*/
> + user_ptr.flags = 0x7;
> + r = drmIoctl(fd, DRM_IOCTL_AMDGPU_GEM_USERPTR, &user_ptr);
> + igt_info("%s DRM_IOCTL_AMDGPU_GEM_USERPTR ret %d", __func__, r);
> + igt_assert_neq(r, 0);
> +}
> +
> +/*
> + * The bug was found using customized Syzkaller and with Kazan enabled.
> + * The bug can be triggered by sending an amdgpu_cs_wait_ioctl for ip types:
> + * AMD_IP_VCE, AMD_IP_VCN_ENC, AMD_IP_VCN_JPEG, AMD_IP_VPE
> + * to the AMDGPU DRM driver on any ASICs with valid context.
> + * The bug was reported by Joonkyo Jung <joonkyoj at yonsei.ac.kr>.
> + *
> + */
> +static
> +void amd_cs_wait_fuzzing(int fd, const enum amd_ip_block_type types[], int size)
> +{
> + /*
> + * null-ptr-deref and the fix in the DRM scheduler
> + * The test helps keep the job state machine of the drm scheduler and
> + * amdgpu in the correct state to ensure that the wrong call sequence does
> + * not cause a crash.
> + */
> +
> + union drm_amdgpu_ctx ctx;
> + union drm_amdgpu_wait_cs cs_wait;
> + int r, i;
> +
> + memset(&ctx, 0, sizeof(union drm_amdgpu_ctx));
> + ctx.in.op = AMDGPU_CTX_OP_ALLOC_CTX;
> + r = drmIoctl(fd, DRM_IOCTL_AMDGPU_CTX, &ctx);
> + igt_info("%s DRM_IOCTL_AMDGPU_CTX ret %d", __func__, r);
> +
> + for (i = 0; i < size; i++) {
> + memset(&cs_wait, 0, sizeof(union drm_amdgpu_wait_cs));
> + cs_wait.in.handle = 0x0;
> + cs_wait.in.timeout = 0x2000000000000;
> + cs_wait.in.ip_type = types[i];
> + cs_wait.in.ip_instance = 0x0;
> + cs_wait.in.ring = 0x0;
> + cs_wait.in.ctx_id = ctx.out.alloc.ctx_id;
> + r = drmIoctl(fd, DRM_IOCTL_AMDGPU_WAIT_CS, &cs_wait);
> + igt_info("$s AMDGPU_WAIT_CS ret %d", __func__, r);
> + igt_assert_eq(r, 0);
> + }
> +}
> +
> +igt_main
> +{
> + int fd = -1;
> + const enum amd_ip_block_type arr_types[] = {
> + AMD_IP_VCE, AMD_IP_VCN_ENC, AMD_IP_VCN_JPEG, AMD_IP_VPE };
> +
> + igt_fixture {
> + fd = drm_open_driver(DRIVER_AMDGPU);
> + igt_require(fd != -1);
> + }
> +
> + igt_describe("Check user ptr fuzzing with huge size and not valid address");
> + igt_subtest("userptr-fuzzing")
> + amd_gem_userptr_fuzzing(fd);
> +
> + igt_describe("Check cs wait fuzzing");
> + igt_subtest("cs-wait-fuzzing")
> + amd_cs_wait_fuzzing(fd, arr_types, ARRAY_SIZE(arr_types));
> +
> + igt_fixture {
> + drm_close_driver(fd);
> + }
> +}
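Review bot: The log call `igt_info("$s AMDGPU_WAIT_CS ret %d", __func__, r);` in amd_cs_wait_fuzzing has `$s` where `%s` was meant, so `%d` consumes the `__func__` pointer and `r` is never printed — a -Wformat argument mismatch that also hides the very value the following assert checks; it should read `igt_info("%s AMDGPU_WAIT_CS ret %d\n", __func__, r);`. The DRM_IOCTL_AMDGPU_CTX alloc result is logged but not checked before `ctx.out.alloc.ctx_id` is handed to WAIT_CS, so an allocation failure silently turns the subtest into a wait on context id 0 instead of a clear failure; add `igt_assert_eq(r, 0);` after that ioctl and free the context with AMDGPU_CTX_OP_FREE_CTX once the loop is done so it is not leaked for the lifetime of the fd. The other igt_info calls in the hunk also lack a trailing `\n`, which igt_info does not add itself. In amd_gem_userptr_fuzzing, `user_ptr` is not zero-initialised and `flags = 0x7` is a magic number; `= {0}` plus the named AMDGPU_GEM_USERPTR_* bits would document which flag combination this fuzz case exercises.
```c
	r = drmIoctl(fd, DRM_IOCTL_AMDGPU_CTX, &ctx);
	igt_info("%s DRM_IOCTL_AMDGPU_CTX ret %d\n", __func__, r);
	igt_assert_eq(r, 0);	/* ctx.out.alloc.ctx_id is only meaningful on success */
	ctx_id = ctx.out.alloc.ctx_id;

	for (i = 0; i < size; i++) {
		/* … unchanged: cs_wait setup (uses ctx_id) … */
		r = drmIoctl(fd, DRM_IOCTL_AMDGPU_WAIT_CS, &cs_wait);
		igt_info("%s AMDGPU_WAIT_CS ret %d\n", __func__, r);
		igt_assert_eq(r, 0);
	}

	/* release the context; otherwise it lives until the fd is closed */
	memset(&ctx, 0, sizeof(ctx));
	ctx.in.op = AMDGPU_CTX_OP_FREE_CTX;
	ctx.in.ctx_id = ctx_id;
	r = drmIoctl(fd, DRM_IOCTL_AMDGPU_CTX, &ctx);
	igt_assert_eq(r, 0);
```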
> diff --git a/tests/amdgpu/meson.build b/tests/amdgpu/meson.build
> index a58d18ad3..ce3ba5520 100644
> --- a/tests/amdgpu/meson.build
> +++ b/tests/amdgpu/meson.build
> @@ -12,6 +12,7 @@ if libdrm_amdgpu.found()
> 'amd_cs_nop',
> 'amd_deadlock',
> 'amd_dp_dsc',
> + 'amd_fuzzing',
-------------------^^
Try to keep it sorted alphabetically.
Regards,
Kamil
> 'amd_freesync_video_mode',
> 'amd_hotplug',
> 'amd_gang_cs' ,
> --
> 2.25.1
>