From patchwork Wed Apr 5 16:37:39 2023
X-Patchwork-Submitter: Asahi Lina
X-Patchwork-Id: 79809
From: Asahi Lina
Date: Thu, 06 Apr 2023 01:37:39 +0900
Subject: [PATCH] drm/scheduler: Fix UAF race in drm_sched_entity_push_job()
Message-Id: <20230406-scheduler-uaf-2-v1-1-972531cf0a81@asahilina.net>
To: Luben Tuikov, David Airlie, Daniel Vetter
Cc: dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org, asahi@lists.linux.dev, Asahi Lina
X-Mailer: b4 0.12.0

After a job is pushed into the queue, it is owned by the scheduler core and
may be freed at any time, so we can't write nor read the submit timestamp
after that point.

Fixes oopses observed with the drm/asahi driver, found with kASAN.

Signed-off-by: Asahi Lina Reviewed-by: Luben Tuikov --- drivers/gpu/drm/scheduler/sched_entity.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) --- base-commit: fe15c26ee26efa11741a7b632e9f23b01aca4cc6 change-id: 20230406-scheduler-uaf-2-44cf8faed245 Thank you, ~~ Lina diff --git a/drivers/gpu/drm/scheduler/sched_entity.c b/drivers/gpu/drm/scheduler/sched_entity.c index 15d04a0ec623..e0a8890a62e2 100644 --- a/drivers/gpu/drm/scheduler/sched_entity.c +++ b/drivers/gpu/drm/scheduler/sched_entity.c @@ -507,12 +507,19 @@ void drm_sched_entity_push_job(struct drm_sched_job *sched_job) { struct drm_sched_entity *entity = sched_job->entity; bool first; + ktime_t submit_ts; trace_drm_sched_job(sched_job, entity); atomic_inc(entity->rq->sched->score); WRITE_ONCE(entity->last_user, current->group_leader); + + /* + * After the sched_job is pushed into the entity queue, it may be + * completed and freed up at any time. We can no longer access it. + * Make sure to set the submit_ts first, to avoid a race. + */ + sched_job->submit_ts = submit_ts = ktime_get(); first = spsc_queue_push(&entity->job_queue, &sched_job->queue_node); - sched_job->submit_ts = ktime_get(); /* first job wakes up scheduler */ if (first) { @@ -529,7 +536,7 @@ void drm_sched_entity_push_job(struct drm_sched_job *sched_job) spin_unlock(&entity->rq_lock); if (drm_sched_policy == DRM_SCHED_POLICY_FIFO) - drm_sched_rq_update_fifo(entity, sched_job->submit_ts); + drm_sched_rq_update_fifo(entity, submit_ts); drm_sched_wakeup(entity->rq->sched); }
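
Review bot: In the first hunk, the new `sched_job->submit_ts = submit_ts = ktime_get();` is a plain store placed immediately before `spsc_queue_push()`, so the fix is only complete if the push orders that store before the queue node becomes visible to the consumer, and nothing in these lines shows or documents that. The added comment explains why the job must not be touched after the push; it would help to extend it with one sentence naming what guarantees the timestamp is published before the node is. Separately, kernel style discourages chained assignments, so consider splitting it into `submit_ts = ktime_get();` followed by `sched_job->submit_ts = submit_ts;`.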
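
Review bot: In the second hunk, switching `drm_sched_rq_update_fifo(entity, sched_job->submit_ts)` to the local `submit_ts` removes the only post-push dereference visible in this diff, but the body of `if (first) {` between the two hunks is not part of the shown context, so it is worth confirming in the commit message that no other `sched_job->` access remains after `spsc_queue_push()`. The `sched_job` pointer also stays in scope for the rest of the function, which makes it easy for a later change to reintroduce the same read. The patch carries only Signed-off-by and Reviewed-by trailers; a `Fixes:` trailer naming the commit that introduced the access after the push would let the fix be picked up for stable trees.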