From patchwork Wed Mar 19 14:01:17 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Krzysztof Karas X-Patchwork-Id: 14022629 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from gabe.freedesktop.org (gabe.freedesktop.org [131.252.210.177]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 6508EC35FFA for ; Wed, 19 Mar 2025 14:01:53 +0000 (UTC) Received: from gabe.freedesktop.org (localhost [127.0.0.1]) by gabe.freedesktop.org (Postfix) with ESMTP id DE0D810E505; Wed, 19 Mar 2025 14:01:52 +0000 (UTC) Authentication-Results: gabe.freedesktop.org; dkim=pass (2048-bit key; unprotected) header.d=intel.com header.i=@intel.com header.b="gcRvuUQ7"; dkim-atps=neutral Received: from mgamail.intel.com (mgamail.intel.com [198.175.65.17]) by gabe.freedesktop.org (Postfix) with ESMTPS id 124B710E505 for ; Wed, 19 Mar 2025 14:01:52 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1742392912; x=1773928912; h=date:from:to:cc:subject:message-id:mime-version; bh=8No5bwZBJ4RezrYMhNsPUcN8N362+THTjpTJosO8q6I=; b=gcRvuUQ7iX0RfxJ8aFGSPGEy7d8FiuF/vn7NGGP4nD7+kqG4owdGcFR0 PSwuDirxyrI03TfwItQy/n5EUzx0vCLGdxd3K8C3OK2SFcewpZz4FAB2Z KoMa240nGVmiDMU43dJjWzuLqTGDeVcQgX1MAVelBFlW7yiZbk3DiNMgZ UbQaFTpzNJjh5jtPku9cX2aK7H2uK5ZypSBcVVuICGrlOfNksXncu8Dgh C0Pf+3eNEbNYL2xFngVmFb8X+FUbqPxl+JRQo0//a41yK2DF4NdP9VCM2 vDz1ihpeW5cmuVZSHiz16h0oCniZQNRqwKNRwhWaQGuLopXntjOv3WX0a w==; X-CSE-ConnectionGUID: k5VruM0zQsyNl4xsEM6PkA== X-CSE-MsgGUID: AVcoJCeZQ/m/uEetCdlP6g== X-IronPort-AV: E=McAfee;i="6700,10204,11378"; a="43598770" X-IronPort-AV: E=Sophos;i="6.14,259,1736841600"; d="scan'208";a="43598770" Received: from fmviesa007.fm.intel.com ([10.60.135.147]) by orvoesa109.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 19 Mar 2025 07:01:50 -0700 X-CSE-ConnectionGUID: 023goGA9TTakl+aNJQrbJA== X-CSE-MsgGUID: rl7fGum0TKmgXasWXa9PCw== X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="6.14,259,1736841600"; d="scan'208";a="122657777" Received: from orsmsx603.amr.corp.intel.com ([10.22.229.16]) by fmviesa007.fm.intel.com with ESMTP/TLS/AES256-GCM-SHA384; 19 Mar 2025 07:01:50 -0700 Received: from ORSMSX901.amr.corp.intel.com (10.22.229.23) by ORSMSX603.amr.corp.intel.com (10.22.229.16) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.44; Wed, 19 Mar 2025 07:01:49 -0700 Received: from orsedg603.ED.cps.intel.com (10.7.248.4) by ORSMSX901.amr.corp.intel.com (10.22.229.23) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1544.14 via Frontend Transport; Wed, 19 Mar 2025 07:01:49 -0700 Received: from NAM04-DM6-obe.outbound.protection.outlook.com (104.47.73.42) by edgegateway.intel.com (134.134.137.100) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.2507.44; Wed, 19 Mar 2025 07:01:48 -0700 ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=yhekAy2GQ9c6MC8q2fW4G/CsGrCs+gybHKfFuy1CrdGSvJsRNoAYpphM7lK4nVSG19TWlNj67xH7lkB8KJm46lMlOWNtZEpQ714FTdultcsgTpvwl+0nvOu5qd7rK3OITOmeOfzDtXu7c6w6qtqeA9NCPbtngG5735iOYqjMgAMmzDuJa/G6LZXwWEKQepP/lEYIculFD9OR2Afoug/OS5p4W++fCxvWaWKk/w1xVO9pT6L9EQGCDDt50/GkU2t85+o0qbajRXwkA6As+EbgcwKiIoe5v2X+OA1THAo2yBzSByEpkxOCewvAcc1J8U3G6gmSbT+uWfHoGlk4e+/0rA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=0RLL/5iC2wL1XqzGzKDRU1M4K17GtzXYruJxhtVgzE4=; b=cWzTC4Z3UTWagL8U9zfvg8sLo6FcisVwU0tiHCZuFKuyXVVHzC+dqUL3QJg0Nxc79iS7FkdlaEgN3da3lL1ojjIMAZCaxuER2IiKXxiGxUvA0Fb1nS25zcudf7BI7Fmns+0xh56P07MeSfUD0Li0wGyulLBq1yeszw5wmE98IBLqiB2qJP63KuCRNTLzMNUBgHRjWZjVgMuHbtvLSHQfsGSLEdNx5UBohLg+OT/vQrYETO9dECPlWIQBdrp+h440aJ+B2RKtbLlhGGjGKeCmCRGqgS+4b8w2nni/vNmpDQWgeuwXWzqFUYB6rRBSGyRwYigMeNAicXC59jE1XT7lqQ== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=intel.com; dmarc=pass action=none header.from=intel.com; dkim=pass header.d=intel.com; arc=none Authentication-Results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=intel.com; Received: from CO1PR11MB5057.namprd11.prod.outlook.com (2603:10b6:303:6c::15) by BL1PR11MB5256.namprd11.prod.outlook.com (2603:10b6:208:30a::10) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.8534.33; Wed, 19 Mar 2025 14:01:27 +0000 Received: from CO1PR11MB5057.namprd11.prod.outlook.com ([fe80::4610:6d6c:9af6:2548]) by CO1PR11MB5057.namprd11.prod.outlook.com ([fe80::4610:6d6c:9af6:2548%3]) with mapi id 15.20.8534.034; Wed, 19 Mar 2025 14:01:27 +0000 Date: Wed, 19 Mar 2025 14:01:17 +0000 From: Krzysztof Karas To: CC: Andi Shyti , Chris Wilson , Mikolaj Wasiak , Sebastian Brzezinka , Eugene Kobyak , Krzysztof Niemiec Subject: [RFC] drm/i915/perf: invalidate perf stream reference after free Message-ID: "Organization: Intel Technology Poland sp. z o.o. - ul. Slowackiego 173, 80-298 Gdansk - KRS 101882 - NIP 957-07-52-316" Content-Disposition: inline X-ClientProxiedBy: VI1PR06CA0101.eurprd06.prod.outlook.com (2603:10a6:803:8c::30) To CO1PR11MB5057.namprd11.prod.outlook.com (2603:10b6:303:6c::15) MIME-Version: 1.0 X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: CO1PR11MB5057:EE_|BL1PR11MB5256:EE_ X-MS-Office365-Filtering-Correlation-Id: b52aa675-4706-455f-0073-08dd66ee8a9f X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0;ARA:13230040|376014|366016|1800799024; X-Microsoft-Antispam-Message-Info: =?utf-8?q?eyQSDABnN0Q9Mo8MOOhkpzV+Hu0qmIY?= =?utf-8?q?QhyLBGI6HBalCzBNDuAqKemVELUmS3V/DdW/IlCsWNAacCSql7J1k/E9EsDliNek1?= =?utf-8?q?CV2Z0l6AsknZSOZYwOclZpJ1cBLA9U8edZaIHnZ+4ZF9A2Szb0b+75jL84CWXi82c?= =?utf-8?q?1oCGeR36L+tDthM83TAWGolnhUE56q+uE0vhSvAdGtAlP/R2FQZwem8bhhFmyisnR?= =?utf-8?q?imEnvpfeCYVZOcMOqZ2Tkh4EL/ywLaQe+nVJaVs2PuTCzy8iZvRRkNqALluAujx3D?= =?utf-8?q?oTzSKXnPbaABrR9SETUpbnkHQSRF8vcsvmBKddYJHcdBTCbpyVz0TbZQrEglf8kht?= =?utf-8?q?2TH1hK6CmRKpd492FIHf8qjtOBS6dtCCTVg+WjxSnKwIRUkvgc+wm26Dz3Qf1XVLB?= =?utf-8?q?iIa35P5LU0GJ+x1lR0mJjzb6NomWsIR8CB17nT2nLDU+SPlBrxElCdcS5gF/fyGNx?= =?utf-8?q?rz6xCS8DkFVs/jcznZMfAErV1yaVyqnLcxgBGlcJ6VmIJl3dgVMFuqNaW2TCmWiQn?= =?utf-8?q?3unNyom4+sB1/r+QyiAG3w8Q6Hk/LqIRoR6IrBfLW7R5bhyzhI0YBELBIgnvmuf03?= =?utf-8?q?Tz/GUPueiMA8X4CnrtH94c1mDEF4xh259u5KR885nV/X1Sz/tz0lAYpiaRltVdTcz?= =?utf-8?q?I7BeWT9wmLhQXOtyKEuO7P2hf9UNQt19GnRgleqweMxGgC3Mzl0+uFECaezsBNnDJ?= =?utf-8?q?hjfaTz0sqTU0IoqgBZUOUal8NTqLN0kjHk3F/CJ9RpytxaegOngy4nS4N+0Y64+8g?= =?utf-8?q?heUjp/SGAbajdUlpXAbVVWu5AKxqzRMHwepRXvkQm5SZ3lpGOumO/lYkXbnZSx+w4?= =?utf-8?q?FQ4iAOq7e0DfygshU6AjZePE+HGGc4OmjDx6Dc9/dYyg/jUGWuWpoqXaU+1qEvps2?= =?utf-8?q?QEP23Pa7z4sex40E6TWjm4hbueT6B705OgXWaYQ4hp3QUEEdpAozeB+1/QxsH9FO9?= =?utf-8?q?wTl058mX/dK3VWEsOVhloZ21Er6Q+9TbLj0gUQEDtMAFVPo5LDU7zCSPJ3kMczvLz?= =?utf-8?q?tX4Uihmdhm9HF7v1jUszWTMsfTo6xbBCV0sxW3D/6gkGO7YNA5vdNcJUVcGzvDjmC?= =?utf-8?q?f5GkgKQNT3o89BlVwr4Hk7F2XP63ueMKT57upkp5Jvm0gtnwuiZonWeJNJu+FMVvB?= =?utf-8?q?haWCT3SyATeCFl3McDtfFnHjEhLS44lr7PfpCxNKteEaDC7fh6g4O8iP3UxsE86V+?= =?utf-8?q?RrzA3M0EiI1xCeQyLsYN/8Cev86PHxAfwMm9ckT/Ebdltue8rjnR0b739/l/8+Tef?= =?utf-8?q?0P8K7vbT1zJ3tI1eicdtW4C07mLXtoViRrQ=3D=3D?= X-Forefront-Antispam-Report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:CO1PR11MB5057.namprd11.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230040)(376014)(366016)(1800799024); DIR:OUT; SFP:1101; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: =?utf-8?q?Bn7RjD2KY2INrAQtW61Ev1b4h6kL?= =?utf-8?q?/FzMHFr83AJkh4e5fgPYB+xfKkqDBFYep9u2fbHtQVJiRIKrGqpMfrhShGSCLvFH7?= =?utf-8?q?prFH66vJBWKVeEqODDJy6DVsUrzlQ4ODca02yoxpviXxH3I+r56di5eKXCrI0W+8s?= =?utf-8?q?jx4qVGOh3K5ZHZmSbugZtv5hsEDzisLKSgAgtcI0vSLRrCdzhwoKEEjuEspfl7QaC?= =?utf-8?q?w5LJDuOFTDqjsm/7744bf93m38ftuwKE4bmvM6c4UXhzRe/Rs32WainJAkIcqNjEK?= =?utf-8?q?MkLTWxUXp8BwFda5Mkk7ZDz54HwZJYQCNJ+OjpJoBwUOw4eMydSHfOoyAyPvn/xOy?= =?utf-8?q?v9JN3wgxpP8mUI3XtdVHOErEr06HkqsUJX2Um050x6N2Fr6s1TC5OIKerOCsSZo35?= =?utf-8?q?wMFqgNWZnBHHAhHRP+31zcn9dr/GCjJ+IZW/MhzW6OhYeYRaCg6bcH4EVVCy2m9yP?= =?utf-8?q?hCVMMi26mZ6o1fzm4eYDfAyKHz85E9hvhtVSUPRvTdtLieqX1AglbjlP3Ido9JVru?= =?utf-8?q?05inOrD/q9blttJTzyoCwPVkUfEXLBdtIPeRbVWtdkuYrCckmqOroAhT1GXTGOryK?= =?utf-8?q?CckhwdKe6DwWvHTsVP3uaTVjUCdD1Ohy4AhyMU0sE+xE3bfc/gmahAGfmg+l5Tx0o?= =?utf-8?q?fhACKEYsj3/dxxbjifcWyjc+nkLHKoHAYOCIDBbiACFaRUaieQsHhBakPYf17l0o7?= =?utf-8?q?kUNhH2YFdJBzw7aQ8atKI3cqNtc/9nKFS6FT++D/ScSJwwotVq3LO+1XA8nkcLhaB?= =?utf-8?q?YzlEbbCYuDo3+apvMlBW1O7aCGYvcXOYp6O5Sc/rhlR33BXlYsSGCb50u/eMw8Fcd?= =?utf-8?q?aC+Fh9DZTFoB8OK6n5/5NTZ4xs5uRFyTbS/xJkqJQASbvTiL7WZ2FhX8Bx0TJ//qA?= =?utf-8?q?toMKSyZUJO8/YzZeQt/zMvS56XcSn9RneGmQQw0tiVAGfeoo6sSMZEpLrFtLMTuV+?= =?utf-8?q?TGZBRsu2jXh2KDZUvD8KbIu26pmRgYUHAaBlaepQAV7BtcAHEx3fwFJYFcTuwqVV1?= =?utf-8?q?vkih+t9rAtx+Nfo0854YNZRZkes2BjA0KSUVlxF/lun/TFZgWaVNrOMImqYck1NPn?= =?utf-8?q?QtrbMFFy6rqPAU9Y9XjH5EO8VA/YNumtpXouLmv1cSq68zbsKNuxL73SCbPMsMrmL?= =?utf-8?q?XgWVeS5YfWF/N82y1tqoLnvUMbudkTyEYllreQEoxvnWu2rXNPzJjHzmo1PP4421o?= =?utf-8?q?wpcdUobk3n23ZemXEVGSMWL5UokPfrEnsbA4kW1qSWRx2IZT/KlxhE3SxeWrE3bPC?= =?utf-8?q?Q69wcH9j9INkQ9Ds+PoeBTrNMLv3K4sAuKCauyiSYq1IyADJUTPErm7bSTeinahJF?= =?utf-8?q?w8n/SVDVHsiYhv2f6aF418pCNu4txknNNrAfXYzgHqzcQP4f+1bvpRiZ32TSvVj/m?= =?utf-8?q?Wyerj+tTUrkHcop8w7JH3sqmwJ1HHRl4ji9hDuEWZXMj47w2hmQmGEAMig/1LuVK1?= =?utf-8?q?2CwKvE9KFghPdJlOvHALCxDbMzWz/Ra8qaNSSkyn+LSuNyQWT/dDdNDe6psIeFF5w?= =?utf-8?q?DlXlpCsu6RTSolIZ4fl3zLQeE0GlMGccSw=3D=3D?= X-MS-Exchange-CrossTenant-Network-Message-Id: b52aa675-4706-455f-0073-08dd66ee8a9f X-MS-Exchange-CrossTenant-AuthSource: CO1PR11MB5057.namprd11.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 19 Mar 2025 14:01:27.2194 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 46c98d88-e344-4ed4-8496-4ed7712e255d X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: RUT+SCiZ1OOLd9Xb1Qvdlc/spDdZQQi1XqvqdXnmevKKWAG6ebS2AhTxAZW1n8K5TzFrK7XvW5SVABh7u0yvOm2Hm3k2ndqkW7LjuoSs50k= X-MS-Exchange-Transport-CrossTenantHeadersStamped: BL1PR11MB5256 X-OriginatorOrg: intel.com X-BeenThere: intel-gfx@lists.freedesktop.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Intel graphics driver community testing & development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: intel-gfx-bounces@lists.freedesktop.org Sender: "Intel-gfx" Some references to a perf stream in i915_oa_init_reg_state() might remain active after its destruction in i915_perf_release(). This could cause a read after free condition as seen in issue #13756. Since i915_oa_init_reg_state() code already checks if stream exists, set its reference (file->private_data) to NULL explicitly. Closes: https://gitlab.freedesktop.org/drm/i915/kernel/-/issues/13756 Signed-off-by: Krzysztof Karas --- I was not able to reproduce this issue locally, but got a note from Chris Wilson offline that the problem might still exist, so here is my attempt to remedy that. I am also unsure if adding "Fixes" tag for commit eec688e1420d ("drm/i915: Add i915 perf infrastructure") here along with tag for stable would be appropriate. I think invalidating the pointer to perf stream explicitly would prevent issues with use-after-free in the future, but I'd like to see what people think first, hence RFC. drivers/gpu/drm/i915/i915_perf.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/gpu/drm/i915/i915_perf.c b/drivers/gpu/drm/i915/i915_perf.c index bec164e884ae..ea1771da3f67 100644 --- a/drivers/gpu/drm/i915/i915_perf.c +++ b/drivers/gpu/drm/i915/i915_perf.c @@ -3743,6 +3743,9 @@ static int i915_perf_release(struct inode *inode, struct file *file) */ mutex_lock(>->perf.lock); i915_perf_destroy_locked(stream); + + /* Make sure that any remaining references to this stream are invalid. */ + file->private_data = NULL; mutex_unlock(>->perf.lock); /* Release the reference the perf stream kept on the driver. */