From patchwork Sat Nov 11 06:16:07 2017
X-Patchwork-Submitter: Randy Dunlap
X-Patchwork-Id: 10055265
To: LKML, dri-devel
From: Randy Dunlap
Subject: [PATCH] drm: fix amdkfd use-after-free GP fault
Message-ID: <0c2afa4f-3191-3ab0-3f25-c99ff0a15a14@infradead.org>
Date: Fri, 10 Nov 2017 22:16:07 -0800
Cc: Andrew Morton
List-Id: Direct Rendering Infrastructure - Development

From: Randy Dunlap

Fix GP fault caused by dev_info() reference to a struct device* after the device has been freed (use after free). kfd_chardev_exit() frees the device so 'kfd_device' should not be used after calling kfd_chardev_exit().

To reproduce, just load the module and then unload it.

Note that %RAX contains repeated 0x6b, which is use-after-free poisoning.

[ 946.645809] calling kfd_module_init+0x0/0x1000 [amdkfd] @ 5785
[ 946.646025] CRAT table not found
[ 946.646027] Finished initializing topology ret=0
[ 946.646050] kfd kfd: Initialized module
[ 946.646058] initcall kfd_module_init+0x0/0x1000 [amdkfd] returned 0 after 233 usecs
[ 947.650189] general protection fault: 0000 [#1] PREEMPT SMP
[ 947.650192] Modules linked in: amdkfd(-) amd_iommu_v2 dw_hdmi cec rc_core mxm_wmi ttm dln2 gpio_max730x tps65218 lp3943 mcb crc4 fpga_mgr fpga_bridge fmc fuse ctr ccm af_packet nf_log_ipv6 xt_pkttype nf_log_ipv4 nf_log_common xt_LOG xt_limit ip6t_REJECT nf_reject_ipv6 xt_tcpudp nf_conntrack_ipv6 nf_defrag_ipv6 ip6table_raw ipt_REJECT nf_reject_ipv4 iptable_raw xt_CT iptable_filter ip6table_mangle nf_conntrack_netbios_ns nf_conntrack_broadcast nf_conntrack_ipv4 nf_defrag_ipv4 ip_tables xt_conntrack nf_conntrack libcrc32c ip6table_filter ip6_tables x_tables coretemp hwmon intel_rapl x86_pkg_temp_thermal intel_powerclamp kvm_intel kvm irqbypass crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel pcbc aesni_intel uvcvideo videobuf2_vmalloc aes_x86_64 videobuf2_memops hid_generic videobuf2_v4l2
[ 947.650224] crypto_simd snd_hda_codec_hdmi videobuf2_core usbmouse videodev snd_hda_codec_realtek glue_helper usbhid media hid snd_hda_codec_generic snd_hda_intel arc4 snd_hda_codec cryptd iwldvm sdhci_pci snd_hda_core sdhci mmc_core mac80211 snd_hwdep iTCO_wdt snd_pcm iTCO_vendor_support xhci_pci intel_cstate xhci_hcd i915 snd_seq snd_seq_device ehci_pci snd_timer toshiba_acpi ehci_hcd snd usbcore iwlwifi sparse_keymap e1000e cfg80211 input_leds ptp wmi sr_mod intel_uncore mei_me lpc_ich led_class cdrom usb_common pps_core mei joydev intel_rapl_perf mousedev evdev industrialio toshiba_bluetooth shpchp mac_hid rfkill soundcore serio_raw pcspkr toshiba_haps battery video thermal ac button sg autofs4 [last unloaded: radeon]
[ 947.650259] CPU: 3 PID: 5791 Comm: rmmod Not tainted 4.14.0-rc8 #4
[ 947.650260] Hardware name: TOSHIBA PORTEGE R835/Portable PC, BIOS Version 4.10 01/08/2013
[ 947.650262] task: ffff97144a3f2840 task.stack: ffffa51e409c4000
[ 947.650266] RIP: 0010:__dev_printk+0x29/0x90
[ 947.650267] RSP: 0018:ffffa51e409c7e48 EFLAGS: 00010202
[ 947.650269] RAX: 6b6b6b6b6b6b6b6b RBX: ffffffff97a579c3 RCX: 0000000100140013
[ 947.650270] RDX: ffffa51e409c7e78 RSI: ffff97139e360558 RDI: ffffffff97a579c3
[ 947.650271] RBP: ffffa51e409c7e68 R08: 6b6b6b6b6b6b6b6b R09: ffffa51e409c7e78
[ 947.650272] R10: ffff9714465c44b8 R11: ffff9714465c55e8 R12: 00007fff874111f7
[ 947.650273] R13: 0000000000000800 R14: 00000000006231c0 R15: 0000000000623010
[ 947.650275] FS: 00007fe8a109d700(0000) GS:ffff97144fac0000(0000) knlGS:0000000000000000
[ 947.650276] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 947.650277] CR2: 000000000062cc88 CR3: 000000013fd43005 CR4: 00000000000606e0
[ 947.650279] Call Trace:
[ 947.650283] ? kobject_cleanup+0x75/0x170
[ 947.650284] _dev_info+0x57/0x60
[ 947.650288] ? kfree+0xf5/0x140
[ 947.650295] kfd_module_exit+0x37/0x39 [amdkfd]
[ 947.650299] SyS_delete_module+0x14d/0x260
[ 947.650302] ? exit_to_usermode_loop+0x60/0x87
[ 947.650305] entry_SYSCALL_64_fastpath+0x1e/0xa9
[ 947.650307] RIP: 0033:0x7fe8a0beff97
[ 947.650308] RSP: 002b:00007fff8740ffc8 EFLAGS: 00000202 ORIG_RAX: 00000000000000b0
[ 947.650310] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fe8a0beff97
[ 947.650311] RDX: 00007fe8a0c56920 RSI: 0000000000000800 RDI: 0000000000623228
[ 947.650312] RBP: 00000000006231c0 R08: 00007fe8a0ea3f20 R09: 00007fff8740ef41
[ 947.650313] R10: 000000002ef31b7d R11: 0000000000000202 R12: 00007fff8740efc0
[ 947.650314] R13: 0000000000000000 R14: 00000000006231c0 R15: 0000000000623010
[ 947.650316] Code: 00 00 55 49 89 d1 48 89 e5 53 48 89 fb 48 83 ec 18 48 85 f6 74 5f 4c 8b 46 50 4d 85 c0 74 2b 48 8b 86 88 00 00 00 48 85 c0 74 25 <48> 8b 08 0f be 7b 01 48 c7 c2 96 0a aa 97 31 c0 83 ef 30 e8 7f
[ 947.650339] RIP: __dev_printk+0x29/0x90 RSP: ffffa51e409c7e48
[ 947.650388] ---[ end trace c41965e147ae98ae ]---

Signed-off-by: Randy Dunlap
Cc: Oded Gabbay
Cc: dri-devel@lists.freedesktop.org
---
 drivers/gpu/drm/amd/amdkfd/kfd_module.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- lnx-414-rc8.orig/drivers/gpu/drm/amd/amdkfd/kfd_module.c +++ lnx-414-rc8/drivers/gpu/drm/amd/amdkfd/kfd_module.c @@ -24,6 +24,7 @@ #include #include #include +#include #include "kfd_priv.h" #define KFD_DRIVER_AUTHOR "AMD Inc. and others" @@ -138,7 +139,7 @@ static void __exit kfd_module_exit(void) kfd_topology_shutdown(); kfd_chardev_exit(); kfd_pasid_exit(); - dev_info(kfd_device, "Removed module\n"); + pr_info("amdkfd: Removed module\n"); } module_init(kfd_module_init);
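
Review bot: the "amdkfd: " prefix is hard-coded in the pr_info() format string, while the include block touched by the first hunk (@@ -24,6 +24,7 @@) is where a file-wide prefix would normally be set. Unless this file already gets one, consider defining pr_fmt(fmt) as "amdkfd: " fmt above the first #include and dropping the literal prefix from the message, so any later pr_*() call in kfd_module.c is tagged the same way. The header name on the added #include line is not visible in this copy, so it cannot be confirmed here that it is the one declaring pr_info().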
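
Review bot: replacing the dev_info() call at the end of kfd_module_exit() (@@ -138,7 +139,7 @@) removes this one dereference, but kfd_device can still be named after kfd_chardev_exit() has freed the device, so the next caller that logs through it after teardown would hit the same fault. It is worth checking whether kfd_chardev_exit() can clear the pointer once the device is gone, and whether any other path uses kfd_device after calling it. The change also alters the log prefix: the load message in the quoted log reads "kfd kfd: Initialized module" and the unload message will now read "amdkfd: Removed module"; if the device-prefixed form is wanted, moving the dev_info() above kfd_chardev_exit() is the alternative. A Fixes: tag naming the commit that introduced this ordering would help backporting.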
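
The register check described in the commit message (repeated 0x6b in %RAX), as an added example that is not part of the original patch or the kernel tree: a Python triage helper that scans an oops register dump for slab poison fill. The function names and the SAMPLE excerpt are assumptions made for this example; the byte values are the kernel's POISON_FREE and POISON_INUSE.

```python
import re

# Slab poison bytes as defined in the kernel's include/linux/poison.h.
POISON = {
    0x6B: "POISON_FREE (object already freed)",
    0x5A: "POISON_INUSE (allocated, never initialised)",
}

# Register fields look like "RAX: 6b6b6b6b6b6b6b6b" (exactly 16 hex digits).
REG_RE = re.compile(r"\b(R[A-Z0-9]{1,3}): ([0-9a-f]{16})\b")
# Faulting instruction pointer, e.g. "RIP: 0010:__dev_printk+0x29/0x90".
RIP_RE = re.compile(r"RIP: [0-9a-f]{4}:(\S+)")


def poisoned_registers(oops_text):
    """Return {register: label} for registers filled with one poison byte.

    Only the first dump (the kernel-side one) is used: a register name seen
    a second time belongs to the saved user-space frame and is skipped.
    """
    hits, seen = {}, set()
    for name, value in REG_RE.findall(oops_text):
        if name in seen:
            continue
        seen.add(name)
        raw = bytes.fromhex(value)
        if len(set(raw)) == 1 and raw[0] in POISON:
            hits[name] = POISON[raw[0]]
    return hits


def faulting_symbol(oops_text):
    """Return symbol+offset from the first RIP line, or None if absent."""
    match = RIP_RE.search(oops_text)
    return match.group(1) if match else None


# Excerpt of the register dump quoted in the report above (hypothetical name).
SAMPLE = """\
[ 947.650266] RIP: 0010:__dev_printk+0x29/0x90
[ 947.650267] RSP: 0018:ffffa51e409c7e48 EFLAGS: 00010202
[ 947.650269] RAX: 6b6b6b6b6b6b6b6b RBX: ffffffff97a579c3 RCX: 0000000100140013
[ 947.650271] RBP: ffffa51e409c7e68 R08: 6b6b6b6b6b6b6b6b R09: ffffa51e409c7e78
[ 947.650310] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fe8a0beff97
"""

if __name__ == "__main__":
    print(faulting_symbol(SAMPLE), poisoned_registers(SAMPLE))
```

Slab poisoning is only written when the kernel runs with slab debugging enabled, so a clean register dump does not rule out a use-after-free.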