[PATCH] tests/amdgpu: add gem create fuzzing test

vitaly prosyak vprosyak at amd.com
Thu Mar 28 13:04:22 UTC 2024


Hi Kamil,


Thanks for your email!

On 2024-03-28 09:01, Kamil Konieczny wrote:
> Hi Vitaly,
>
> On 2024-03-27 at 00:27:03 -0400, vitaly.prosyak at amd.com wrote:
>> From: Vitaly Prosyak <vitaly.prosyak at amd.com>
>>
> You didn't address my comments; I also have more nits, the first is
> that your code fails in the GitLab check:
Sorry for the delay, I will do.
>
> meson test -C build
>
>> The bug in amdgpu was found using a customized Syzkaller with KASAN enabled.
>> Report a slab-use-after-free bug in the AMDGPU DRM driver.
>> Ftrace enablement is a mandatory precondition to reproduce the error once after boot.
>> The bug was reported by Joonkyo Jung <joonkyoj at yonsei.ac.kr>.
> - ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> Instead of this write it as Reported-by: before your Signed-off-by:
>
>> The following scenario is a different reproduction of same issue:
>> BUG: KFENCE: use-after-free read in amdgpu_bo_move+0x1ce/0x710 [amdgpu]
>> https://gitlab.freedesktop.org/drm/amd/-/issues/3171#note_2287646.
> imho (note final dot removed) it is better:
> https://gitlab.freedesktop.org/drm/amd/-/issues/3171#note_2287646
>
>> Fix Christian König ckoenig.leichtzumerken at gmail.com
>> https://lists.freedesktop.org/archives/amd-gfx/2024-March/105680.html.
> Same here (final dot).
>
>> The issue is visible only when KASAN is enabled and dumps to the kernel log:
>> BUG: KASAN: slab-use-after-free in amdgpu_bo_move+0x974/0xd90.
> Add newline here.
>
> Regards,
> Kamil
>
>> We accessed the freed memory during the ftrace enablement in
>> amdgpu_bo_move_notify.
>>
>> The test amd_gem_create_fuzzing does amdgpu_bo_reserve 2 times.
>>
>> Signed-off-by: Vitaly Prosyak <vitaly.prosyak at amd.com>
>> Cc: Alex Deucher <alexander.deucher at amd.com>
>> Cc: Christian Koenig <christian.koenig at amd.com>
>> Cc: Joonkyo Jung <joonkyoj at yonsei.ac.kr>
>> Cc: Kamil Konieczny <kamil.konieczny at linux.intel.com>
>> Cc: Jesse Zhang <Jesse.Zhang at amd.com>
>> Cc: Tvrtko Ursulin <tursulin at igalia.com>
>> ---
>>  tests/amdgpu/amd_fuzzing.c | 69 ++++++++++++++++++++++++++++++++++++++
>>  1 file changed, 69 insertions(+)
>>
>> diff --git a/tests/amdgpu/amd_fuzzing.c b/tests/amdgpu/amd_fuzzing.c
>> index 69c9e8dad..dccac8cc1 100644
>> --- a/tests/amdgpu/amd_fuzzing.c
>> +++ b/tests/amdgpu/amd_fuzzing.c
>> @@ -95,6 +95,67 @@ void amd_cs_wait_fuzzing(int fd, const enum amd_ip_block_type types[], int size)
>>  	}
>>  }
>>  
>> +static int
>> +amdgpu_ftrace_enablement(const char *function, bool enable)
>> +{
>> +	char cmd[128];
>> +	int ret;
>> +
>> +	snprintf(cmd, sizeof(cmd),
>> +			"echo %s > /sys/kernel/debug/tracing/events/amdgpu/%s/enable",
>> +			enable == true ? "1":"0", function);
>> +	ret = igt_system(cmd);
>> +
>> +	return ret;
>> +}
>> +
>> +/* The bug was found using customized Syzkaller and with Kazan enabled.
>> + * Report a slab-use-after-free bug in the AMDGPU DRM driver.
>> + * Ftrace enablement is mandatory precondition to reproduce the error once after boot.
>> + * The bug was reported by Joonkyo Jung <joonkyoj at yonsei.ac.kr>.
>> + *
>> + * BUG: KFENCE: use-after-free read in amdgpu_bo_move+0x1ce/0x710 [amdgpu]
>> + * https://gitlab.freedesktop.org/drm/amd/-/issues/3171#note_2287646
>> + *
>> + * Fix Christian König ckoenig.leichtzumerken at gmail.com
>> + * https://lists.freedesktop.org/archives/amd-gfx/2024-March/105680.html
>> + *
>> + * The issue is visible only when Kazan enables and dumps to the kernel log:
>> + * BUG: KASAN: slab-use-after-free in amdgpu_bo_move+0x974/0xd90
>> + * We accessed the freed memory during the ftrace enablement in a
>> + * amdgpu_bo_move_notify.
>> + * The test amd_gem_create_fuzzing does amdgpu_bo_reserve
>> + */
>> +static void
>> +amd_gem_create_fuzzing(int fd)
>> +{
>> +	static const char function_amdgpu_bo_move[] = "amdgpu_bo_move";
>> +	union drm_amdgpu_gem_create arg;
>> +	int ret;
>> +
>> +	ret = amdgpu_ftrace_enablement(function_amdgpu_bo_move, true);
>> +	igt_assert_eq(ret, 0);
>> +	arg.in.bo_size = 0x8;
>> +	arg.in.alignment = 0x0;
>> +	arg.in.domains = 0x4;
>> +	arg.in.domain_flags = 0x9;
>> +	ret = drmIoctl(fd, 0xc0206440
>> +			/* DRM_AMDGPU_GEM_CREATE amdgpu_gem_create_ioctl */, &arg);
>> +	igt_info("drmCommandWriteRead DRM_AMDGPU_GEM_CREATE ret %d\n", ret);
>> +
>> +	arg.in.bo_size = 0x7fffffff;
>> +	arg.in.alignment = 0x0;
>> +	arg.in.domains = 0x4;
>> +	arg.in.domain_flags = 0x9;
>> +	ret = drmIoctl(fd, 0xc0206440
>> +			/* DRM_AMDGPU_GEM_CREATE amdgpu_gem_create_ioctl */, &arg);
>> +	igt_info("drmCommandWriteRead DRM_AMDGPU_GEM_CREATE ret %d\n", ret);
>> +
>> +	ret = amdgpu_ftrace_enablement(function_amdgpu_bo_move, false);
>> +	igt_assert_eq(ret, 0);
>> +
>> +}
>> +
>>  igt_main
>>  {
>>  	int fd = -1;
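Review bot: drmIoctl() in amd_gem_create_fuzzing() is passed the raw request number 0xc0206440 while the igt_info() line claims drmCommandWriteRead; use `DRM_IOCTL_AMDGPU_GEM_CREATE` from amdgpu_drm.h (or `drmCommandWriteRead(fd, DRM_AMDGPU_GEM_CREATE, &arg, sizeof(arg))`) and make the log line match, and spell the 0x4 / 0x9 literals with their AMDGPU_GEM_DOMAIN_* / AMDGPU_GEM_CREATE_* names so a reader can tell which domain and flags are being fuzzed. The return value of both creates is only logged: when a create succeeds, `arg.out.handle` is never released with DRM_IOCTL_GEM_CLOSE, so the BO stays allocated until the fd is closed; close the handle when ret == 0, and the two identical call sites would be cleaner as one small helper. In amdgpu_ftrace_enablement() the tracefs path is hard-coded to /sys/kernel/debug/tracing and a failed shell redirection becomes a hard igt_assert_eq(ret, 0); checking that the enable file exists and is writable under igt_require() lets the subtest skip instead of fail on kernels without debugfs/tracefs or when not run as root, and `enable == true ? "1":"0"` reads better as `enable ? "1" : "0"`. The block comment also trails off at "does amdgpu_bo_reserve" and otherwise repeats the commit message; the KASAN/KFENCE references plus the reproduction condition are enough there.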
>> @@ -114,6 +175,14 @@ igt_main
>>  	igt_subtest("cs-wait-fuzzing")
>>  		amd_cs_wait_fuzzing(fd, arr_types, ARRAY_SIZE(arr_types));
>>  
>> +	igt_describe("Check cs wait fuzzing");
>> +	igt_subtest("cs-wait-fuzzing")
>> +		amd_cs_wait_fuzzing(fd, arr_types, ARRAY_SIZE(arr_types));
>> +
>> +	igt_describe("Check gem create fuzzing");
>> +	igt_subtest("gem-create-fuzzing")
>> +		amd_gem_create_fuzzing(fd);
>> +
>>  	igt_fixture {
>>  		drm_close_driver(fd);
>>  	}
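Review bot: the "cs-wait-fuzzing" subtest is registered a second time in this hunk, with the same igt_describe() and igt_subtest() lines that already appear in the unchanged context immediately above; drop the duplicated three lines (`igt_describe("Check cs wait fuzzing");` through `amd_cs_wait_fuzzing(fd, arr_types, ARRAY_SIZE(arr_types));`) and keep only the new "gem-create-fuzzing" subtest. The description of the new subtest should also say what it exercises (GEM_CREATE with the amdgpu_bo_move tracepoint enabled, reproducing the KASAN use-after-free), since "Check gem create fuzzing" gives a reader of the test listing nothing to go on.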
>> -- 
>> 2.25.1


Thanks, Vitaly


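A stand-alone reproducer for the scenario the commit message describes, written here as an added example; it is not IGT code and not part of Vitaly's patch. It assumes an AMD render node at /dev/dri/renderD128 (a hypothetical path, adjust to the machine) and root access to tracefs, and it mirrors the amdgpu uapi layouts from include/uapi/drm/amdgpu_drm.h so that it compiles without libdrm headers (that mirror is an assumption about the uapi, not something the patch shows). It keeps the same two GEM_CREATE calls but names the ioctl and the domain/flag bits, writes the tracepoint enable file directly instead of spawning a shell, zeroes the ioctl argument, and releases each handle it gets.

```c
/*
 * Added example: stand-alone reproducer for the GEM_CREATE-under-tracing
 * scenario. Not IGT code. Struct layouts mirror amdgpu_drm.h (assumed).
 */
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <unistd.h>

#define DRM_IOCTL_BASE        'd'
#define DRM_COMMAND_BASE      0x40
#define DRM_AMDGPU_GEM_CREATE 0x00

/* Mirror of the amdgpu uapi (assumed layout, 32-byte union). */
struct drm_amdgpu_gem_create_in  { uint64_t bo_size, alignment, domains, domain_flags; };
struct drm_amdgpu_gem_create_out { uint32_t handle, _pad; };
union drm_amdgpu_gem_create {
	struct drm_amdgpu_gem_create_in  in;
	struct drm_amdgpu_gem_create_out out;
};
struct drm_gem_close { uint32_t handle, pad; };

#define DRM_IOCTL_AMDGPU_GEM_CREATE \
	_IOWR(DRM_IOCTL_BASE, DRM_COMMAND_BASE + DRM_AMDGPU_GEM_CREATE, union drm_amdgpu_gem_create)
#define DRM_IOCTL_GEM_CLOSE _IOW(DRM_IOCTL_BASE, 0x09, struct drm_gem_close)

/* Names for the 0x4 and 0x9 literals used by the patch. */
#define AMDGPU_GEM_DOMAIN_VRAM                0x4
#define AMDGPU_GEM_CREATE_CPU_ACCESS_REQUIRED (1 << 0)
#define AMDGPU_GEM_CREATE_VRAM_CLEARED        (1 << 3)

/* Exposed so the computed request number can be checked against 0xc0206440. */
unsigned long amdgpu_gem_create_request(void)
{
	return DRM_IOCTL_AMDGPU_GEM_CREATE;
}

/* Build <root>/events/amdgpu/<event>/enable; -1 if it does not fit in buf. */
int tracepoint_enable_path(char *buf, size_t len, const char *root, const char *event)
{
	int n = snprintf(buf, len, "%s/events/amdgpu/%s/enable", root, event);
	return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/* Write "1"/"0" to the tracepoint enable file; returns 0 or a negative errno. */
int set_tracepoint(const char *root, const char *event, int enable)
{
	char path[256];
	int fd, ok;

	if (tracepoint_enable_path(path, sizeof(path), root, event))
		return -ENAMETOOLONG;
	fd = open(path, O_WRONLY);
	if (fd < 0)
		return -errno;
	ok = write(fd, enable ? "1" : "0", 1) == 1;
	close(fd);
	return ok ? 0 : -EIO;
}

/* One GEM_CREATE with a zeroed argument; the handle is released on success. */
int gem_create_and_close(int fd, uint64_t size, uint64_t domains, uint64_t flags)
{
	union drm_amdgpu_gem_create arg;
	struct drm_gem_close gc;
	int r;

	memset(&arg, 0, sizeof(arg));
	arg.in.bo_size = size;
	arg.in.domains = domains;
	arg.in.domain_flags = flags;
	do {	/* same EINTR/EAGAIN retry that drmIoctl() performs */
		r = ioctl(fd, DRM_IOCTL_AMDGPU_GEM_CREATE, &arg);
	} while (r == -1 && (errno == EINTR || errno == EAGAIN));
	if (r)
		return -errno;
	memset(&gc, 0, sizeof(gc));
	gc.handle = arg.out.handle;
	return ioctl(fd, DRM_IOCTL_GEM_CLOSE, &gc) ? -errno : 0;
}

int main(void)
{
	/* Prefer the tracefs mount, fall back to the debugfs path the patch uses. */
	const char *root = access("/sys/kernel/tracing/events", F_OK) == 0 ?
			   "/sys/kernel/tracing" : "/sys/kernel/debug/tracing";
	uint64_t flags = AMDGPU_GEM_CREATE_CPU_ACCESS_REQUIRED | AMDGPU_GEM_CREATE_VRAM_CLEARED;
	int fd = open("/dev/dri/renderD128", O_RDWR);	/* hypothetical node */

	if (fd < 0) { perror("open render node"); return 1; }
	if (set_tracepoint(root, "amdgpu_bo_move", 1)) { perror("enable tracepoint"); return 1; }
	printf("8-byte VRAM bo: %d\n",
	       gem_create_and_close(fd, 0x8, AMDGPU_GEM_DOMAIN_VRAM, flags));
	printf("0x7fffffff-byte VRAM bo: %d\n",
	       gem_create_and_close(fd, 0x7fffffff, AMDGPU_GEM_DOMAIN_VRAM, flags));
	set_tracepoint(root, "amdgpu_bo_move", 0);
	close(fd);
	return 0;
}
```

Run it as root on a machine with the amdgpu driver and KASAN or KFENCE enabled and watch dmesg; on a machine without the device it exits at the open() with a clear error instead of asserting. The computed request number equals the 0xc0206440 literal from the patch, which is the check a reviewer wants before trusting a magic ioctl number.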

More information about the igt-dev mailing list