[Nouveau] [PATCH] nouveau/gem: fix use-after-free in nouveau_gem_new
Thierry Reding
treding at nvidia.com
Mon May 17 08:56:26 UTC 2021
On Tue, May 11, 2021 at 06:35:53PM +0200, Karol Herbst wrote:
> If ttm_bo_init fails it will already call ttm_bo_put, so we don't have to
> do it through nouveau_bo_ref.
>
> ==================================================================
> BUG: KFENCE: use-after-free write in ttm_bo_put+0x11/0x40 [ttm]
>
> Use-after-free write at 0x000000004dc4663c (in kfence-#44):
> ttm_bo_put+0x11/0x40 [ttm]
> nouveau_gem_new+0xc1/0xf0 [nouveau]
> nouveau_gem_ioctl_new+0x53/0xf0 [nouveau]
> drm_ioctl_kernel+0xb2/0x100 [drm]
> drm_ioctl+0x215/0x390 [drm]
> nouveau_drm_ioctl+0x55/0xa0 [nouveau]
> __x64_sys_ioctl+0x83/0xb0
> do_syscall_64+0x33/0x40
> entry_SYSCALL_64_after_hwframe+0x44/0xae
>
> kfence-#44 [0x00000000c0593b31-0x000000002e74122b, size=792, cache=kmalloc-1k] allocated by task 2657:
> nouveau_bo_alloc+0x63/0x4c0 [nouveau]
> nouveau_gem_new+0x38/0xf0 [nouveau]
> nouveau_gem_ioctl_new+0x53/0xf0 [nouveau]
> drm_ioctl_kernel+0xb2/0x100 [drm]
> drm_ioctl+0x215/0x390 [drm]
> nouveau_drm_ioctl+0x55/0xa0 [nouveau]
> __x64_sys_ioctl+0x83/0xb0
> do_syscall_64+0x33/0x40
> entry_SYSCALL_64_after_hwframe+0x44/0xae
>
> freed by task 2657:
> ttm_bo_release+0x1cc/0x300 [ttm]
> ttm_bo_init_reserved+0x2ec/0x300 [ttm]
> ttm_bo_init+0x5e/0xd0 [ttm]
> nouveau_bo_init+0xaf/0xc0 [nouveau]
> nouveau_gem_new+0x7f/0xf0 [nouveau]
> nouveau_gem_ioctl_new+0x53/0xf0 [nouveau]
> drm_ioctl_kernel+0xb2/0x100 [drm]
> drm_ioctl+0x215/0x390 [drm]
> nouveau_drm_ioctl+0x55/0xa0 [nouveau]
> __x64_sys_ioctl+0x83/0xb0
> do_syscall_64+0x33/0x40
> entry_SYSCALL_64_after_hwframe+0x44/0xae
>
> Fixes: 019cbd4a4feb3 "drm/nouveau: Initialize GEM object before TTM object"
> Cc: Thierry Reding <treding at nvidia.com>
> Signed-off-by: Karol Herbst <kherbst at redhat.com>
> ---
> drivers/gpu/drm/nouveau/nouveau_gem.c | 1 -
> 1 file changed, 1 deletion(-)
>
> diff --git a/drivers/gpu/drm/nouveau/nouveau_gem.c b/drivers/gpu/drm/nouveau/nouveau_gem.c
> index c88cbb85f101..1165ff990fb5 100644
> --- a/drivers/gpu/drm/nouveau/nouveau_gem.c
> +++ b/drivers/gpu/drm/nouveau/nouveau_gem.c
> @@ -212,7 +212,6 @@ nouveau_gem_new(struct nouveau_cli *cli, u64 size, int align, uint32_t domain,
>
> ret = nouveau_bo_init(nvbo, size, align, domain, NULL, NULL);
> if (ret) {
> - nouveau_bo_ref(NULL, &nvbo);
> return ret;
> }
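Review bot: with the extra put gone, the `if (ret) { return ret; }` block in this hunk keeps braces around a single statement, which checkpatch flags; collapse it to `if (ret)` / `return ret;`. The deletion itself matches the quoted KFENCE report: the "freed by" trace shows ttm_bo_release running from ttm_bo_init_reserved inside nouveau_bo_init, so by the time nouveau_bo_init returns an error nvbo is already gone and nouveau_bo_ref(NULL, &nvbo) was the second put on freed memory. Since this path no longer releases the GEM object set up by the drm_gem_object_init() call just above, the commit message should state that the TTM destroy callback invoked during ttm_bo_release undoes drm_gem_object_init(); that release is not visible in the hunk.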
Looking at the surrounding code, I wonder if I just managed to jumble
the cleanup paths for drm_gem_object_init() and nouveau_bo_init(). If
drm_gem_object_init() fails, I don't think it's necessary (though it
also doesn't look harmful) to call drm_gem_object_release().
However, if nouveau_bo_init() fails, then I think we'd still need to
call drm_gem_object_release(), to make sure to undo the effects of
drm_gem_object_init().
So I wonder if we need something like this instead:
--- >8 ---
diff --git a/drivers/gpu/drm/nouveau/nouveau_gem.c b/drivers/gpu/drm/nouveau/nouveau_gem.c
index c88cbb85f101..9b6055116f30 100644
--- a/drivers/gpu/drm/nouveau/nouveau_gem.c
+++ b/drivers/gpu/drm/nouveau/nouveau_gem.c
@@ -205,14 +205,13 @@ nouveau_gem_new(struct nouveau_cli *cli, u64 size, int align, uint32_t domain,
* to the caller, instead of a normal nouveau_bo ttm reference. */
ret = drm_gem_object_init(drm->dev, &nvbo->bo.base, size);
if (ret) {
- drm_gem_object_release(&nvbo->bo.base);
kfree(nvbo);
return ret;
}
ret = nouveau_bo_init(nvbo, size, align, domain, NULL, NULL);
if (ret) {
- nouveau_bo_ref(NULL, &nvbo);
+ drm_gem_object_release(&nvbo->bo.base);
return ret;
}
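Review bot: the added `drm_gem_object_release(&nvbo->bo.base);` on the nouveau_bo_init() failure path touches memory the quoted KFENCE report shows is already freed: the "freed by" trace runs ttm_bo_release from ttm_bo_init_reserved inside nouveau_bo_init, so once nouveau_bo_init returns an error nvbo no longer exists and this line is a use-after-free of the same kind the original patch removes, just a different field. If the GEM object must be released on that path, it has to happen from the TTM destroy callback that runs during ttm_bo_release, not from the caller. Dropping drm_gem_object_release() on the drm_gem_object_init() failure path, where only kfree(nvbo) remains, is fine.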
--- >8 ---
Thierry
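For readers following the ownership question in this thread, here is a small userspace model of the reference hand-off in nouveau_gem_new(). It is an added illustration, not nouveau or TTM code. It assumes two things the driver code is not shown here to guarantee: (1) an init routine that fails drops the caller's only reference itself, as the commit message says ttm_bo_init() does, and (2) the destroy callback that runs at refcount zero also releases the embedded GEM object. Under those assumptions it runs the same error path three ways (the code before the patch, the patch, and a caller-side drm_gem_object_release() after a failed init) and counts touches of freed memory the way KFENCE would.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Toy model of the reference hand-off in nouveau_gem_new(): an added
 * illustration, not nouveau or TTM code.  Assumptions: (1) an init that
 * fails drops the caller's only reference itself, as the commit message
 * says ttm_bo_init() does; (2) the destroy callback that runs at refcount
 * zero also releases the embedded GEM object. */

#define POOL_SIZE 8

struct gem_obj { bool live; bool poisoned; };   /* ~ struct drm_gem_object */
struct bo {                                     /* ~ struct nouveau_bo */
	int refs;
	bool in_use, poisoned;                      /* poisoned: memory freed */
	struct gem_obj base;
};

static struct bo pool[POOL_SIZE];
static int uaf_count;              /* touches of freed memory (what KFENCE caught) */

void demo_reset(void) { memset(pool, 0, sizeof pool); uaf_count = 0; }
int demo_uaf_count(void) { return uaf_count; }
int demo_live_count(void)          /* objects allocated and not yet freed */
{
	int n = 0;
	for (int i = 0; i < POOL_SIZE; i++)
		n += pool[i].in_use;
	return n;
}

static struct bo *bo_alloc(void)   /* nouveau_bo_alloc(): one reference */
{
	for (int i = 0; i < POOL_SIZE; i++)
		if (!pool[i].in_use && !pool[i].poisoned) {
			pool[i].in_use = true;
			pool[i].refs = 1;
			return &pool[i];
		}
	return NULL;
}

static void gem_object_release(struct gem_obj *gem)  /* drm_gem_object_release() */
{
	if (gem->poisoned) { uaf_count++; return; }      /* write into freed memory */
	gem->live = false;
}

static void bo_destroy(struct bo *bo)  /* destroy callback, runs at refcount 0 */
{
	if (bo->base.live)
		gem_object_release(&bo->base);             /* assumption (2) */
	bo->in_use = false;
	bo->poisoned = bo->base.poisoned = true;       /* kfree(): later touches are UAF */
}

static void bo_put(struct bo *bo)      /* ttm_bo_put() */
{
	if (bo->poisoned) { uaf_count++; return; }     /* the write KFENCE flagged */
	if (--bo->refs == 0)
		bo_destroy(bo);
}

static int bo_init(struct bo *bo, bool fail)  /* nouveau_bo_init() -> ttm_bo_init() */
{
	if (!fail)
		return 0;
	bo_put(bo);                                    /* assumption (1): callee drops the ref */
	return -EINVAL;
}

enum err_path { DOUBLE_PUT, FIXED, RELEASE_AFTER_FAIL };

/* nouveau_gem_new() with three variants of the bo_init() error path:
 * DOUBLE_PUT: the code before the patch, nouveau_bo_ref(NULL, &nvbo);
 * FIXED: the patch, just return ret;
 * RELEASE_AFTER_FAIL: drm_gem_object_release() from the caller. */
int gem_new(enum err_path path, bool init_fails)
{
	struct bo *bo = bo_alloc();
	bo->base.live = true;                          /* drm_gem_object_init(), cannot fail here */
	int ret = bo_init(bo, init_fails);
	if (ret) {
		if (path == DOUBLE_PUT)
			bo_put(bo);                            /* second put on freed memory */
		else if (path == RELEASE_AFTER_FAIL)
			gem_object_release(&bo->base);         /* destroy already did this */
		return ret;
	}
	return 0;                                      /* caller owns the single reference */
}

int main(void)
{
	static const char *names[] = { "double put", "fixed", "release after fail" };
	for (int p = 0; p < 3; p++) {
		demo_reset();
		int ret = gem_new((enum err_path)p, true);
		printf("%-20s ret=%d uaf=%d live=%d\n", names[p], ret,
		       demo_uaf_count(), demo_live_count());
	}
	return 0;
}
```

Only the FIXED path ends with neither a freed-memory touch nor a leaked object; the other two each record one touch of freed memory, which is the pattern the KFENCE report above describes.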