[PATCH] tests/amdgpu: add gem create fuzzing test
vitaly.prosyak at amd.com
vitaly.prosyak at amd.com
Wed Mar 27 04:27:03 UTC 2024
From: Vitaly Prosyak <vitaly.prosyak at amd.com>
The bug in amdgpu was found using customized Syzkaller and with Kazan enabled.
Report a slab-use-after-free bug in the AMDGPU DRM driver.
Ftrace enablement is mandatory precondition to reproduce the error once after boot.
The bug was reported by Joonkyo Jung <joonkyoj at yonsei.ac.kr>.
The following scenario is a different reproduction of same issue:
BUG: KFENCE: use-after-free read in amdgpu_bo_move+0x1ce/0x710 [amdgpu]
https://gitlab.freedesktop.org/drm/amd/-/issues/3171#note_2287646.
Fix Christian König ckoenig.leichtzumerken at gmail.com
https://lists.freedesktop.org/archives/amd-gfx/2024-March/105680.html.
The issue is visible only when Kazan enables and dumps to the kernel log:
BUG: KASAN: slab-use-after-free in amdgpu_bo_move+0x974/0xd90.
We accessed the freed memory during the ftrace enablement in a
amdgpu_bo_move_notify.
The test amd_gem_create_fuzzing does amdgpu_bo_reserve 2 times.
Signed-off-by: Vitaly Prosyak <vitaly.prosyak at amd.com>
Cc: Alex Deucher <alexander.deucher at amd.com>
Cc: Christian Koenig <christian.koenig at amd.com>
Cc: Joonkyo Jung <joonkyoj at yonsei.ac.kr>
Cc: Kamil Konieczny <kamil.konieczny at linux.intel.com>
Cc: Jesse Zhang <Jesse.Zhang at amd.com>
Cc: Tvrtko Ursulin <tursulin at igalia.com>
---
tests/amdgpu/amd_fuzzing.c | 69 ++++++++++++++++++++++++++++++++++++++
1 file changed, 69 insertions(+)
diff --git a/tests/amdgpu/amd_fuzzing.c b/tests/amdgpu/amd_fuzzing.c
index 69c9e8dad..dccac8cc1 100644
--- a/tests/amdgpu/amd_fuzzing.c
+++ b/tests/amdgpu/amd_fuzzing.c
@@ -95,6 +95,67 @@ void amd_cs_wait_fuzzing(int fd, const enum amd_ip_block_type types[], int size)
}
}
+static int
+amdgpu_ftrace_enablement(const char *function, bool enable)
+{
+ char cmd[128];
+ int ret;
+
+ snprintf(cmd, sizeof(cmd),
+ "echo %s > /sys/kernel/debug/tracing/events/amdgpu/%s/enable",
+ enable == true ? "1":"0", function);
+ ret = igt_system(cmd);
+
+ return ret;
+}
+
+/* The bug was found using customized Syzkaller and with Kazan enabled.
+ * Report a slab-use-after-free bug in the AMDGPU DRM driver.
+ * Ftrace enablement is mandatory precondition to reproduce the error once after boot.
+ * The bug was reported by Joonkyo Jung <joonkyoj at yonsei.ac.kr>.
+ *
+ * BUG: KFENCE: use-after-free read in amdgpu_bo_move+0x1ce/0x710 [amdgpu]
+ * https://gitlab.freedesktop.org/drm/amd/-/issues/3171#note_2287646
+ *
+ * Fix Christian König ckoenig.leichtzumerken at gmail.com
+ * https://lists.freedesktop.org/archives/amd-gfx/2024-March/105680.html
+ *
+ * The issue is visible only when Kazan enables and dumps to the kernel log:
+ * BUG: KASAN: slab-use-after-free in amdgpu_bo_move+0x974/0xd90
+ * We accessed the freed memory during the ftrace enablement in a
+ * amdgpu_bo_move_notify.
+ * The test amd_gem_create_fuzzing does amdgpu_bo_reserve
+ */
+static void
+amd_gem_create_fuzzing(int fd)
+{
+ static const char function_amdgpu_bo_move[] = "amdgpu_bo_move";
+ union drm_amdgpu_gem_create arg;
+ int ret;
+
+ ret = amdgpu_ftrace_enablement(function_amdgpu_bo_move, true);
+ igt_assert_eq(ret, 0);
+ arg.in.bo_size = 0x8;
+ arg.in.alignment = 0x0;
+ arg.in.domains = 0x4;
+ arg.in.domain_flags = 0x9;
+ ret = drmIoctl(fd, 0xc0206440
+ /* DRM_AMDGPU_GEM_CREATE amdgpu_gem_create_ioctl */, &arg);
+ igt_info("drmCommandWriteRead DRM_AMDGPU_GEM_CREATE ret %d\n", ret);
+
+ arg.in.bo_size = 0x7fffffff;
+ arg.in.alignment = 0x0;
+ arg.in.domains = 0x4;
+ arg.in.domain_flags = 0x9;
+ ret = drmIoctl(fd, 0xc0206440
+ /* DRM_AMDGPU_GEM_CREATE amdgpu_gem_create_ioctl */, &arg);
+ igt_info("drmCommandWriteRead DRM_AMDGPU_GEM_CREATE ret %d\n", ret);
+
+ ret = amdgpu_ftrace_enablement(function_amdgpu_bo_move, false);
+ igt_assert_eq(ret, 0);
+
+}
+
igt_main
{
int fd = -1;
@@ -114,6 +175,14 @@ igt_main
igt_subtest("cs-wait-fuzzing")
amd_cs_wait_fuzzing(fd, arr_types, ARRAY_SIZE(arr_types));
+ igt_describe("Check cs wait fuzzing");
+ igt_subtest("cs-wait-fuzzing")
+ amd_cs_wait_fuzzing(fd, arr_types, ARRAY_SIZE(arr_types));
+
+ igt_describe("Check gem create fuzzing");
+ igt_subtest("gem-create-fuzzing")
+ amd_gem_create_fuzzing(fd);
+
igt_fixture {
drm_close_driver(fd);
}
--
2.25.1
More information about the igt-dev
mailing list