[v2] drm/ttm: fix one use-after-free

Message ID 20230705100732.432835-1-Lang.Yu@amd.com (mailing list archive)
State New, archived
Series [v2] drm/ttm: fix one use-after-free

Commit Message

Lang Yu July 5, 2023, 10:07 a.m. UTC
bo->kref is increased once (kref_init()) in ttm_bo_release(),
but decreased twice (ttm_bo_put()), once each in
ttm_bo_delayed_delete() and ttm_bo_cleanup_refs(),
which is unbalanced.

Just clean up the bo's resource in one place for a delayed-deleted bo.
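
To illustrate the imbalance, here is a minimal, self-contained sketch
(hypothetical demo_* names, not the actual TTM code): the reference is
initialized once but dropped twice, so the second drop underflows the
refcount and the object is freed while still in use.

#include <linux/kref.h>
#include <linux/slab.h>

struct demo_bo {
	struct kref kref;
};

static void demo_bo_free(struct kref *kref)
{
	kfree(container_of(kref, struct demo_bo, kref));
}

static void demo_delayed_delete(struct demo_bo *bo)
{
	/* counterpart of the kref_init() in ttm_bo_release(): count = 1 */
	kref_init(&bo->kref);
	/* first ttm_bo_put()-style drop: count = 0, demo_bo_free() runs */
	kref_put(&bo->kref, demo_bo_free);
	/* second drop on the already-freed object: refcount underflow / UAF */
	kref_put(&bo->kref, demo_bo_free);
}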

Fixes: 9bff18d13473 ("drm/ttm: use per BO cleanup workers")

[   67.399887] refcount_t: underflow; use-after-free.
[   67.399901] WARNING: CPU: 0 PID: 3172 at lib/refcount.c:28 refcount_warn_saturate+0xc2/0x110
[   67.400124] RIP: 0010:refcount_warn_saturate+0xc2/0x110
[   67.400173] Call Trace:
[   67.400176]  <TASK>
[   67.400181]  ttm_mem_evict_first+0x4fe/0x5b0 [ttm]
[   67.400216]  ttm_bo_mem_space+0x1e3/0x240 [ttm]
[   67.400239]  ttm_bo_validate+0xc7/0x190 [ttm]
[   67.400253]  ? ww_mutex_trylock+0x1b1/0x390
[   67.400266]  ttm_bo_init_reserved+0x183/0x1c0 [ttm]
[   67.400280]  ? __rwlock_init+0x3d/0x70
[   67.400292]  amdgpu_bo_create+0x1cd/0x4f0 [amdgpu]
[   67.400607]  ? __pfx_amdgpu_bo_user_destroy+0x10/0x10 [amdgpu]
[   67.400980]  amdgpu_bo_create_user+0x38/0x70 [amdgpu]
[   67.401291]  amdgpu_gem_object_create+0x77/0xb0 [amdgpu]
[   67.401641]  ? __pfx_amdgpu_bo_user_destroy+0x10/0x10 [amdgpu]
[   67.401958]  amdgpu_amdkfd_gpuvm_alloc_memory_of_gpu+0x228/0xa30 [amdgpu]
[   67.402433]  kfd_ioctl_alloc_memory_of_gpu+0x14e/0x390 [amdgpu]
[   67.402824]  ? lock_release+0x13f/0x290
[   67.402838]  kfd_ioctl+0x1e0/0x640 [amdgpu]
[   67.403205]  ? __pfx_kfd_ioctl_alloc_memory_of_gpu+0x10/0x10 [amdgpu]
[   67.403579]  ? tomoyo_file_ioctl+0x19/0x20
[   67.403590]  __x64_sys_ioctl+0x95/0xd0
[   67.403601]  do_syscall_64+0x3b/0x90
[   67.403609]  entry_SYSCALL_64_after_hwframe+0x72/0xdc

Signed-off-by: Lang Yu <Lang.Yu@amd.com>
---
 drivers/gpu/drm/ttm/ttm_bo.c | 89 ++++--------------------------------
 1 file changed, 10 insertions(+), 79 deletions(-)

Comments

Matthew Auld July 5, 2023, 10:37 a.m. UTC | #1
On Wed, 5 Jul 2023 at 11:08, Lang Yu <Lang.Yu@amd.com> wrote:
>
> bo->kref is increased once (kref_init()) in ttm_bo_release(),
> but decreased twice (ttm_bo_put()), once each in
> ttm_bo_delayed_delete() and ttm_bo_cleanup_refs(),
> which is unbalanced.
>
> Just clean up the bo's resource in one place for a delayed-deleted bo.
>
> Fixes: 9bff18d13473 ("drm/ttm: use per BO cleanup workers")
>
> [   67.399887] refcount_t: underflow; use-after-free.
> [   67.399901] WARNING: CPU: 0 PID: 3172 at lib/refcount.c:28 refcount_warn_saturate+0xc2/0x110
> [   67.400124] RIP: 0010:refcount_warn_saturate+0xc2/0x110
> [   67.400173] Call Trace:
> [   67.400176]  <TASK>
> [   67.400181]  ttm_mem_evict_first+0x4fe/0x5b0 [ttm]
> [   67.400216]  ttm_bo_mem_space+0x1e3/0x240 [ttm]
> [   67.400239]  ttm_bo_validate+0xc7/0x190 [ttm]
> [   67.400253]  ? ww_mutex_trylock+0x1b1/0x390
> [   67.400266]  ttm_bo_init_reserved+0x183/0x1c0 [ttm]
> [   67.400280]  ? __rwlock_init+0x3d/0x70
> [   67.400292]  amdgpu_bo_create+0x1cd/0x4f0 [amdgpu]
> [   67.400607]  ? __pfx_amdgpu_bo_user_destroy+0x10/0x10 [amdgpu]
> [   67.400980]  amdgpu_bo_create_user+0x38/0x70 [amdgpu]
> [   67.401291]  amdgpu_gem_object_create+0x77/0xb0 [amdgpu]
> [   67.401641]  ? __pfx_amdgpu_bo_user_destroy+0x10/0x10 [amdgpu]
> [   67.401958]  amdgpu_amdkfd_gpuvm_alloc_memory_of_gpu+0x228/0xa30 [amdgpu]
> [   67.402433]  kfd_ioctl_alloc_memory_of_gpu+0x14e/0x390 [amdgpu]
> [   67.402824]  ? lock_release+0x13f/0x290
> [   67.402838]  kfd_ioctl+0x1e0/0x640 [amdgpu]
> [   67.403205]  ? __pfx_kfd_ioctl_alloc_memory_of_gpu+0x10/0x10 [amdgpu]
> [   67.403579]  ? tomoyo_file_ioctl+0x19/0x20
> [   67.403590]  __x64_sys_ioctl+0x95/0xd0
> [   67.403601]  do_syscall_64+0x3b/0x90
> [   67.403609]  entry_SYSCALL_64_after_hwframe+0x72/0xdc
>
> Signed-off-by: Lang Yu <Lang.Yu@amd.com>
> ---
>  drivers/gpu/drm/ttm/ttm_bo.c | 89 ++++--------------------------------
>  1 file changed, 10 insertions(+), 79 deletions(-)
>
> diff --git a/drivers/gpu/drm/ttm/ttm_bo.c b/drivers/gpu/drm/ttm/ttm_bo.c
> index 326a3d13a829..1e073dfb1332 100644
> --- a/drivers/gpu/drm/ttm/ttm_bo.c
> +++ b/drivers/gpu/drm/ttm/ttm_bo.c
> @@ -224,82 +224,6 @@ static void ttm_bo_flush_all_fences(struct ttm_buffer_object *bo)
>         dma_resv_iter_end(&cursor);
>  }
>
> -/**
> - * ttm_bo_cleanup_refs
> - * If bo idle, remove from lru lists, and unref.
> - * If not idle, block if possible.
> - *
> - * Must be called with lru_lock and reservation held, this function
> - * will drop the lru lock and optionally the reservation lock before returning.
> - *
> - * @bo:                    The buffer object to clean-up
> - * @interruptible:         Any sleeps should occur interruptibly.
> - * @no_wait_gpu:           Never wait for gpu. Return -EBUSY instead.
> - * @unlock_resv:           Unlock the reservation lock as well.
> - */
> -
> -static int ttm_bo_cleanup_refs(struct ttm_buffer_object *bo,
> -                              bool interruptible, bool no_wait_gpu,
> -                              bool unlock_resv)
> -{
> -       struct dma_resv *resv = &bo->base._resv;
> -       int ret;
> -
> -       if (dma_resv_test_signaled(resv, DMA_RESV_USAGE_BOOKKEEP))
> -               ret = 0;
> -       else
> -               ret = -EBUSY;
> -
> -       if (ret && !no_wait_gpu) {
> -               long lret;
> -
> -               if (unlock_resv)
> -                       dma_resv_unlock(bo->base.resv);
> -               spin_unlock(&bo->bdev->lru_lock);
> -
> -               lret = dma_resv_wait_timeout(resv, DMA_RESV_USAGE_BOOKKEEP,
> -                                            interruptible,
> -                                            30 * HZ);
> -
> -               if (lret < 0)
> -                       return lret;
> -               else if (lret == 0)
> -                       return -EBUSY;
> -
> -               spin_lock(&bo->bdev->lru_lock);
> -               if (unlock_resv && !dma_resv_trylock(bo->base.resv)) {
> -                       /*
> -                        * We raced, and lost, someone else holds the reservation now,
> -                        * and is probably busy in ttm_bo_cleanup_memtype_use.
> -                        *
> -                        * Even if it's not the case, because we finished waiting any
> -                        * delayed destruction would succeed, so just return success
> -                        * here.
> -                        */
> -                       spin_unlock(&bo->bdev->lru_lock);
> -                       return 0;
> -               }
> -               ret = 0;
> -       }
> -
> -       if (ret) {
> -               if (unlock_resv)
> -                       dma_resv_unlock(bo->base.resv);
> -               spin_unlock(&bo->bdev->lru_lock);
> -               return ret;
> -       }
> -
> -       spin_unlock(&bo->bdev->lru_lock);
> -       ttm_bo_cleanup_memtype_use(bo);
> -
> -       if (unlock_resv)
> -               dma_resv_unlock(bo->base.resv);
> -
> -       ttm_bo_put(bo);

The put() here is indeed broken and leads to some nasty uaf I think,
but we fixed that a while back in: c00133a9e87e ("drm/ttm: drop extra
ttm_bo_put in ttm_bo_cleanup_refs"). It looks like you are using an
old tree? Perhaps the issue you are seeing was also fixed with that?
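
For reference, that fix essentially just drops the extra put at the end of
ttm_bo_cleanup_refs(), roughly like below (a sketch based on the commit
title, not the verbatim upstream diff):

 	if (unlock_resv)
 		dma_resv_unlock(bo->base.resv);
 
-	ttm_bo_put(bo);
-
 	return 0;
 }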

> -
> -       return 0;
> -}
> -
>  /*
>   * Block for the dma_resv object to become idle, lock the buffer and clean up
>   * the resource and tt object.
> @@ -622,8 +546,10 @@ int ttm_mem_evict_first(struct ttm_device *bdev,
>         }
>
>         if (bo->deleted) {
> -               ret = ttm_bo_cleanup_refs(bo, ctx->interruptible,
> -                                         ctx->no_wait_gpu, locked);
> +               if (locked)
> +                       dma_resv_unlock(bo->base.resv);
> +               spin_unlock(&bdev->lru_lock);
> +               ret = ttm_bo_wait_ctx(bo, ctx);
>                 ttm_bo_put(bo);
>                 return ret;
>         }
> @@ -1146,7 +1072,12 @@ int ttm_bo_swapout(struct ttm_buffer_object *bo, struct ttm_operation_ctx *ctx,
>         }
>
>         if (bo->deleted) {
> -               ret = ttm_bo_cleanup_refs(bo, false, false, locked);
> +               struct ttm_operation_ctx ctx = { false, false };
> +
> +               if (locked)
> +                       dma_resv_unlock(bo->base.resv);
> +               spin_unlock(&bo->bdev->lru_lock);
> +               ret = ttm_bo_wait_ctx(bo, &ctx);
>                 ttm_bo_put(bo);
>                 return ret == -EBUSY ? -ENOSPC : ret;
>         }
> --
> 2.25.1
>
Lang Yu July 5, 2023, 11:20 a.m. UTC | #2
On 07/05/2023, Matthew Auld wrote:
> On Wed, 5 Jul 2023 at 11:08, Lang Yu <Lang.Yu@amd.com> wrote:
> >
> > bo->kref is increased once (kref_init()) in ttm_bo_release(),
> > but decreased twice (ttm_bo_put()), once each in
> > ttm_bo_delayed_delete() and ttm_bo_cleanup_refs(),
> > which is unbalanced.
> >
> > Just clean up the bo's resource in one place for a delayed-deleted bo.
> >
> > Fixes: 9bff18d13473 ("drm/ttm: use per BO cleanup workers")
> >
> > [   67.399887] refcount_t: underflow; use-after-free.
> > [   67.399901] WARNING: CPU: 0 PID: 3172 at lib/refcount.c:28 refcount_warn_saturate+0xc2/0x110
> > [   67.400124] RIP: 0010:refcount_warn_saturate+0xc2/0x110
> > [   67.400173] Call Trace:
> > [   67.400176]  <TASK>
> > [   67.400181]  ttm_mem_evict_first+0x4fe/0x5b0 [ttm]
> > [   67.400216]  ttm_bo_mem_space+0x1e3/0x240 [ttm]
> > [   67.400239]  ttm_bo_validate+0xc7/0x190 [ttm]
> > [   67.400253]  ? ww_mutex_trylock+0x1b1/0x390
> > [   67.400266]  ttm_bo_init_reserved+0x183/0x1c0 [ttm]
> > [   67.400280]  ? __rwlock_init+0x3d/0x70
> > [   67.400292]  amdgpu_bo_create+0x1cd/0x4f0 [amdgpu]
> > [   67.400607]  ? __pfx_amdgpu_bo_user_destroy+0x10/0x10 [amdgpu]
> > [   67.400980]  amdgpu_bo_create_user+0x38/0x70 [amdgpu]
> > [   67.401291]  amdgpu_gem_object_create+0x77/0xb0 [amdgpu]
> > [   67.401641]  ? __pfx_amdgpu_bo_user_destroy+0x10/0x10 [amdgpu]
> > [   67.401958]  amdgpu_amdkfd_gpuvm_alloc_memory_of_gpu+0x228/0xa30 [amdgpu]
> > [   67.402433]  kfd_ioctl_alloc_memory_of_gpu+0x14e/0x390 [amdgpu]
> > [   67.402824]  ? lock_release+0x13f/0x290
> > [   67.402838]  kfd_ioctl+0x1e0/0x640 [amdgpu]
> > [   67.403205]  ? __pfx_kfd_ioctl_alloc_memory_of_gpu+0x10/0x10 [amdgpu]
> > [   67.403579]  ? tomoyo_file_ioctl+0x19/0x20
> > [   67.403590]  __x64_sys_ioctl+0x95/0xd0
> > [   67.403601]  do_syscall_64+0x3b/0x90
> > [   67.403609]  entry_SYSCALL_64_after_hwframe+0x72/0xdc
> >
> > Signed-off-by: Lang Yu <Lang.Yu@amd.com>
> > ---
> >  drivers/gpu/drm/ttm/ttm_bo.c | 89 ++++--------------------------------
> >  1 file changed, 10 insertions(+), 79 deletions(-)
> >
> > diff --git a/drivers/gpu/drm/ttm/ttm_bo.c b/drivers/gpu/drm/ttm/ttm_bo.c
> > index 326a3d13a829..1e073dfb1332 100644
> > --- a/drivers/gpu/drm/ttm/ttm_bo.c
> > +++ b/drivers/gpu/drm/ttm/ttm_bo.c
> > @@ -224,82 +224,6 @@ static void ttm_bo_flush_all_fences(struct ttm_buffer_object *bo)
> >         dma_resv_iter_end(&cursor);
> >  }
> >
> > -/**
> > - * ttm_bo_cleanup_refs
> > - * If bo idle, remove from lru lists, and unref.
> > - * If not idle, block if possible.
> > - *
> > - * Must be called with lru_lock and reservation held, this function
> > - * will drop the lru lock and optionally the reservation lock before returning.
> > - *
> > - * @bo:                    The buffer object to clean-up
> > - * @interruptible:         Any sleeps should occur interruptibly.
> > - * @no_wait_gpu:           Never wait for gpu. Return -EBUSY instead.
> > - * @unlock_resv:           Unlock the reservation lock as well.
> > - */
> > -
> > -static int ttm_bo_cleanup_refs(struct ttm_buffer_object *bo,
> > -                              bool interruptible, bool no_wait_gpu,
> > -                              bool unlock_resv)
> > -{
> > -       struct dma_resv *resv = &bo->base._resv;
> > -       int ret;
> > -
> > -       if (dma_resv_test_signaled(resv, DMA_RESV_USAGE_BOOKKEEP))
> > -               ret = 0;
> > -       else
> > -               ret = -EBUSY;
> > -
> > -       if (ret && !no_wait_gpu) {
> > -               long lret;
> > -
> > -               if (unlock_resv)
> > -                       dma_resv_unlock(bo->base.resv);
> > -               spin_unlock(&bo->bdev->lru_lock);
> > -
> > -               lret = dma_resv_wait_timeout(resv, DMA_RESV_USAGE_BOOKKEEP,
> > -                                            interruptible,
> > -                                            30 * HZ);
> > -
> > -               if (lret < 0)
> > -                       return lret;
> > -               else if (lret == 0)
> > -                       return -EBUSY;
> > -
> > -               spin_lock(&bo->bdev->lru_lock);
> > -               if (unlock_resv && !dma_resv_trylock(bo->base.resv)) {
> > -                       /*
> > -                        * We raced, and lost, someone else holds the reservation now,
> > -                        * and is probably busy in ttm_bo_cleanup_memtype_use.
> > -                        *
> > -                        * Even if it's not the case, because we finished waiting any
> > -                        * delayed destruction would succeed, so just return success
> > -                        * here.
> > -                        */
> > -                       spin_unlock(&bo->bdev->lru_lock);
> > -                       return 0;
> > -               }
> > -               ret = 0;
> > -       }
> > -
> > -       if (ret) {
> > -               if (unlock_resv)
> > -                       dma_resv_unlock(bo->base.resv);
> > -               spin_unlock(&bo->bdev->lru_lock);
> > -               return ret;
> > -       }
> > -
> > -       spin_unlock(&bo->bdev->lru_lock);
> > -       ttm_bo_cleanup_memtype_use(bo);
> > -
> > -       if (unlock_resv)
> > -               dma_resv_unlock(bo->base.resv);
> > -
> > -       ttm_bo_put(bo);
> 
> The put() here is indeed broken and leads to some nasty uaf I think,
> but we fixed that a while back in: c00133a9e87e ("drm/ttm: drop extra
> ttm_bo_put in ttm_bo_cleanup_refs"). It looks like you are using an
> old tree? Perhaps the issue you are seeing was also fixed with that?

Thanks. I can see this commit in my tree, but it was overridden by other
patches. It fixed this issue.

Regards,
Lang

> > -
> > -       return 0;
> > -}
> > -
> >  /*
> >   * Block for the dma_resv object to become idle, lock the buffer and clean up
> >   * the resource and tt object.
> > @@ -622,8 +546,10 @@ int ttm_mem_evict_first(struct ttm_device *bdev,
> >         }
> >
> >         if (bo->deleted) {
> > -               ret = ttm_bo_cleanup_refs(bo, ctx->interruptible,
> > -                                         ctx->no_wait_gpu, locked);
> > +               if (locked)
> > +                       dma_resv_unlock(bo->base.resv);
> > +               spin_unlock(&bdev->lru_lock);
> > +               ret = ttm_bo_wait_ctx(bo, ctx);
> >                 ttm_bo_put(bo);
> >                 return ret;
> >         }
> > @@ -1146,7 +1072,12 @@ int ttm_bo_swapout(struct ttm_buffer_object *bo, struct ttm_operation_ctx *ctx,
> >         }
> >
> >         if (bo->deleted) {
> > -               ret = ttm_bo_cleanup_refs(bo, false, false, locked);
> > +               struct ttm_operation_ctx ctx = { false, false };
> > +
> > +               if (locked)
> > +                       dma_resv_unlock(bo->base.resv);
> > +               spin_unlock(&bo->bdev->lru_lock);
> > +               ret = ttm_bo_wait_ctx(bo, &ctx);
> >                 ttm_bo_put(bo);
> >                 return ret == -EBUSY ? -ENOSPC : ret;
> >         }
> > --
> > 2.25.1
> >

Patch

diff --git a/drivers/gpu/drm/ttm/ttm_bo.c b/drivers/gpu/drm/ttm/ttm_bo.c
index 326a3d13a829..1e073dfb1332 100644
--- a/drivers/gpu/drm/ttm/ttm_bo.c
+++ b/drivers/gpu/drm/ttm/ttm_bo.c
@@ -224,82 +224,6 @@  static void ttm_bo_flush_all_fences(struct ttm_buffer_object *bo)
 	dma_resv_iter_end(&cursor);
 }
 
-/**
- * ttm_bo_cleanup_refs
- * If bo idle, remove from lru lists, and unref.
- * If not idle, block if possible.
- *
- * Must be called with lru_lock and reservation held, this function
- * will drop the lru lock and optionally the reservation lock before returning.
- *
- * @bo:                    The buffer object to clean-up
- * @interruptible:         Any sleeps should occur interruptibly.
- * @no_wait_gpu:           Never wait for gpu. Return -EBUSY instead.
- * @unlock_resv:           Unlock the reservation lock as well.
- */
-
-static int ttm_bo_cleanup_refs(struct ttm_buffer_object *bo,
-			       bool interruptible, bool no_wait_gpu,
-			       bool unlock_resv)
-{
-	struct dma_resv *resv = &bo->base._resv;
-	int ret;
-
-	if (dma_resv_test_signaled(resv, DMA_RESV_USAGE_BOOKKEEP))
-		ret = 0;
-	else
-		ret = -EBUSY;
-
-	if (ret && !no_wait_gpu) {
-		long lret;
-
-		if (unlock_resv)
-			dma_resv_unlock(bo->base.resv);
-		spin_unlock(&bo->bdev->lru_lock);
-
-		lret = dma_resv_wait_timeout(resv, DMA_RESV_USAGE_BOOKKEEP,
-					     interruptible,
-					     30 * HZ);
-
-		if (lret < 0)
-			return lret;
-		else if (lret == 0)
-			return -EBUSY;
-
-		spin_lock(&bo->bdev->lru_lock);
-		if (unlock_resv && !dma_resv_trylock(bo->base.resv)) {
-			/*
-			 * We raced, and lost, someone else holds the reservation now,
-			 * and is probably busy in ttm_bo_cleanup_memtype_use.
-			 *
-			 * Even if it's not the case, because we finished waiting any
-			 * delayed destruction would succeed, so just return success
-			 * here.
-			 */
-			spin_unlock(&bo->bdev->lru_lock);
-			return 0;
-		}
-		ret = 0;
-	}
-
-	if (ret) {
-		if (unlock_resv)
-			dma_resv_unlock(bo->base.resv);
-		spin_unlock(&bo->bdev->lru_lock);
-		return ret;
-	}
-
-	spin_unlock(&bo->bdev->lru_lock);
-	ttm_bo_cleanup_memtype_use(bo);
-
-	if (unlock_resv)
-		dma_resv_unlock(bo->base.resv);
-
-	ttm_bo_put(bo);
-
-	return 0;
-}
-
 /*
  * Block for the dma_resv object to become idle, lock the buffer and clean up
  * the resource and tt object.
@@ -622,8 +546,10 @@  int ttm_mem_evict_first(struct ttm_device *bdev,
 	}
 
 	if (bo->deleted) {
-		ret = ttm_bo_cleanup_refs(bo, ctx->interruptible,
-					  ctx->no_wait_gpu, locked);
+		if (locked)
+			dma_resv_unlock(bo->base.resv);
+		spin_unlock(&bdev->lru_lock);
+		ret = ttm_bo_wait_ctx(bo, ctx);
 		ttm_bo_put(bo);
 		return ret;
 	}
@@ -1146,7 +1072,12 @@  int ttm_bo_swapout(struct ttm_buffer_object *bo, struct ttm_operation_ctx *ctx,
 	}
 
 	if (bo->deleted) {
-		ret = ttm_bo_cleanup_refs(bo, false, false, locked);
+		struct ttm_operation_ctx ctx = { false, false };
+
+		if (locked)
+			dma_resv_unlock(bo->base.resv);
+		spin_unlock(&bo->bdev->lru_lock);
+		ret = ttm_bo_wait_ctx(bo, &ctx);
 		ttm_bo_put(bo);
 		return ret == -EBUSY ? -ENOSPC : ret;
 	}